Country List

From n.preusker at gmail.com Fri May 2 09:35:00 2014 From: n.preusker at gmail.com (Nils Preusker) Date: Fri, 2 May 2014 15:35:00 +0200 Subject: [keycloak-user] No refresh-token when requesting access token Message-ID: Hi, I noticed that when I request an access token (curl -v -H "Content-type: application/x-www-form-urlencoded" http://localhost:8080/auth/rest/realms/keycloak-admin/tokens/grants/access--data "client_id=...&client_secret=...&username=...&password=..." -H "Accept: application/json"), the response doesn't contain a refresh token. Is this intentional? And might it change in future versions? According to http://tools.ietf.org/html/rfc6749#section-4.3 (which is the spec the above method implements, right?), the refresh token in the access token response is optional. If I'm not mistaken, adding .generateRefreshToken() here: https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/TokenService.java#L201 should do the trick, right? Cheers, Nils -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140502/6021e0e5/attachment.html From jim.boettcher at hp.com Mon May 5 15:41:57 2014 From: jim.boettcher at hp.com (Boettcher, Jim) Date: Mon, 5 May 2014 19:41:57 +0000 Subject: [keycloak-user] How to set up CORS for javascript calling a REST app Message-ID: <567C02B1AFF42E499D63011F4C931ABE22CCACD4@G5W2731.americas.hpqcorp.net> Hi, I'm trying to get CORS working for a javascript app. The javascript app (gui_app) is making AJAX requests to a different REST app (rest_app). In the Keycloak admin console I created an application for the rest_app application and set a Web Origin of "*" . I then copied the Installation for Jboss Subsystem XML to the standalone.xml of the JBoss 7.1.1 server that the rest_app is running on. I modified the configuration to add true When I try to open the gui_app from Chrome I get errors like: XMLHttpRequest cannot load http://localhost:8080/auth/rest/realms/dp-gui/tokens/login?client_id=rest_app&redirect_uri=https%3A%2F%2Flocalhost%3A7116%2Frest_app%2Frestws%2Ftimezone&state=3%2F502272ab-ab8f-4d9e-b8ea-4484a81de15c&login=true. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://localhost:7116' is therefore not allowed access. I've tried playing with various settings but can't get anything to work. Is there an example available for how to get this to work? Is there anything else that needs to be done on the Keycloak server side? Or on the Adapter side? Thanks, Jim -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140505/f09b6d14/attachment-0001.html From bburke at redhat.com Mon May 5 18:42:11 2014 From: bburke at redhat.com (Bill Burke) Date: Mon, 05 May 2014 18:42:11 -0400 Subject: [keycloak-user] How to set up CORS for javascript calling a REST app In-Reply-To: <567C02B1AFF42E499D63011F4C931ABE22CCACD4@G5W2731.americas.hpqcorp.net> References: <567C02B1AFF42E499D63011F4C931ABE22CCACD4@G5W2731.americas.hpqcorp.net> Message-ID: <536813C3.2030207@redhat.com> You are using the latest release? I'll take a look. I don't have any unit tests for the CORs stuff in the last alpha release (have some in trunk though) and I don't think I tested it manually either. On 5/5/2014 3:41 PM, Boettcher, Jim wrote: > Hi, > > I?m trying to get CORS working for a javascript app. The javascript app > (gui_app) is making AJAX requests to a different REST app (rest_app). > > In the Keycloak admin console I created an application for the rest_app > application and set a Web Origin of ?*? . I then copied the Installation > for Jboss Subsystem XML to the standalone.xml of the JBoss 7.1.1 server > that the rest_app is running on. I modified the configuration to add > > true > > When I try to open the gui_app from Chrome I get errors like: > > XMLHttpRequest cannot load > http://localhost:8080/auth/rest/realms/dp-gui/tokens/login?client_id=rest_app&redirect_uri=https%3A%2F%2Flocalhost%3A7116%2Frest_app%2Frestws%2Ftimezone&state=3%2F502272ab-ab8f-4d9e-b8ea-4484a81de15c&login=true. > No 'Access-Control-Allow-Origin' header is present on the requested > resource. Origin 'https://localhost:7116' is therefore not allowed access. > > I?ve tried playing with various settings but can?t get anything to work. > > Is there an example available for how to get this to work? > > Is there anything else that needs to be done on the Keycloak server > side? Or on the Adapter side? > > Thanks, > > Jim > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From stian at redhat.com Tue May 6 04:54:38 2014 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 6 May 2014 04:54:38 -0400 (EDT) Subject: [keycloak-user] How to set up CORS for javascript calling a REST app In-Reply-To: <536813C3.2030207@redhat.com> References: <567C02B1AFF42E499D63011F4C931ABE22CCACD4@G5W2731.americas.hpqcorp.net> <536813C3.2030207@redhat.com> Message-ID: <1200899652.1346715.1399366478548.JavaMail.zimbra@redhat.com> I added some fixes to CORS in the adapters that haven't made it into a release yet. Have you tried with building the server from source? ----- Original Message ----- > From: "Bill Burke" > To: keycloak-user at lists.jboss.org > Sent: Monday, 5 May, 2014 11:42:11 PM > Subject: Re: [keycloak-user] How to set up CORS for javascript calling a REST app > > You are using the latest release? I'll take a look. I don't have any > unit tests for the CORs stuff in the last alpha release (have some in > trunk though) and I don't think I tested it manually either. > > On 5/5/2014 3:41 PM, Boettcher, Jim wrote: > > Hi, > > > > I?m trying to get CORS working for a javascript app. The javascript app > > (gui_app) is making AJAX requests to a different REST app (rest_app). > > > > In the Keycloak admin console I created an application for the rest_app > > application and set a Web Origin of ?*? . I then copied the Installation > > for Jboss Subsystem XML to the standalone.xml of the JBoss 7.1.1 server > > that the rest_app is running on. I modified the configuration to add > > > > true > > > > When I try to open the gui_app from Chrome I get errors like: > > > > XMLHttpRequest cannot load > > http://localhost:8080/auth/rest/realms/dp-gui/tokens/login?client_id=rest_app&redirect_uri=https%3A%2F%2Flocalhost%3A7116%2Frest_app%2Frestws%2Ftimezone&state=3%2F502272ab-ab8f-4d9e-b8ea-4484a81de15c&login=true. > > No 'Access-Control-Allow-Origin' header is present on the requested > > resource. Origin 'https://localhost:7116' is therefore not allowed access. > > > > I?ve tried playing with various settings but can?t get anything to work. > > > > Is there an example available for how to get this to work? > > > > Is there anything else that needs to be done on the Keycloak server > > side? Or on the Adapter side? > > > > Thanks, > > > > Jim > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From jim.boettcher at hp.com Tue May 6 08:30:50 2014 From: jim.boettcher at hp.com (Boettcher, Jim) Date: Tue, 6 May 2014 12:30:50 +0000 Subject: [keycloak-user] How to set up CORS for javascript calling a REST app In-Reply-To: <1200899652.1346715.1399366478548.JavaMail.zimbra@redhat.com> References: <567C02B1AFF42E499D63011F4C931ABE22CCACD4@G5W2731.americas.hpqcorp.net> <536813C3.2030207@redhat.com> <1200899652.1346715.1399366478548.JavaMail.zimbra@redhat.com> Message-ID: <567C02B1AFF42E499D63011F4C931ABE22CCBD44@G5W2731.americas.hpqcorp.net> I first tried with the Alpa-3 release. I then did a build with latest source and deployed the auth-server.war and the keycloak-as7-adapter module. I still have the same problem with the latest source. I also noticed that with the latest source running on JBoss 7.1.1 when I tried to import a realm I get this error: Caused by: java.lang.NoSuchMethodError: org.jboss.resteasy.plugins.providers.multipart.InputPart.setMediaType(Ljavax/ws/rs/core/MediaType;)V at org.keycloak.services.resources.admin.RealmsAdminResource.uploadRealm(RealmsAdminResource.java:132) [keycloak-services-1.0-beta-1-SNAPSHOT.jar:] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_45] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_45] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_45] at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_45] at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:155) [resteasy-jaxrs-2.3.2.Final.jar:] at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:257) [resteasy-jaxrs-2.3.2.Final.jar:] at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:222) [resteasy-jaxrs-2.3.2.Final.jar:] at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:152) [resteasy-jaxrs-2.3.2.Final.jar:] at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:91) [resteasy-jaxrs-2.3.2.Final.jar:] at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:525) [resteasy-jaxrs-2.3.2.Final.jar:] Jim -----Original Message----- From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Stian Thorgersen Sent: Tuesday, May 06, 2014 4:55 AM To: Bill Burke Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] How to set up CORS for javascript calling a REST app I added some fixes to CORS in the adapters that haven't made it into a release yet. Have you tried with building the server from source? ----- Original Message ----- > From: "Bill Burke" > To: keycloak-user at lists.jboss.org > Sent: Monday, 5 May, 2014 11:42:11 PM > Subject: Re: [keycloak-user] How to set up CORS for javascript calling > a REST app > > You are using the latest release? I'll take a look. I don't have any > unit tests for the CORs stuff in the last alpha release (have some in > trunk though) and I don't think I tested it manually either. > > On 5/5/2014 3:41 PM, Boettcher, Jim wrote: > > Hi, > > > > I?m trying to get CORS working for a javascript app. The javascript > > app > > (gui_app) is making AJAX requests to a different REST app (rest_app). > > > > In the Keycloak admin console I created an application for the > > rest_app application and set a Web Origin of ?*? . I then copied the > > Installation for Jboss Subsystem XML to the standalone.xml of the > > JBoss 7.1.1 server that the rest_app is running on. I modified the > > configuration to add > > > > true > > > > When I try to open the gui_app from Chrome I get errors like: > > > > XMLHttpRequest cannot load > > http://localhost:8080/auth/rest/realms/dp-gui/tokens/login?client_id=rest_app&redirect_uri=https%3A%2F%2Flocalhost%3A7116%2Frest_app%2Frestws%2Ftimezone&state=3%2F502272ab-ab8f-4d9e-b8ea-4484a81de15c&login=true. > > No 'Access-Control-Allow-Origin' header is present on the requested > > resource. Origin 'https://localhost:7116' is therefore not allowed access. > > > > I?ve tried playing with various settings but can?t get anything to work. > > > > Is there an example available for how to get this to work? > > > > Is there anything else that needs to be done on the Keycloak server > > side? Or on the Adapter side? > > > > Thanks, > > > > Jim > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From bensechrist at gmail.com Wed May 7 17:12:10 2014 From: bensechrist at gmail.com (Ben) Date: Wed, 7 May 2014 17:12:10 -0400 Subject: [keycloak-user] CORS Setup In-Reply-To: References: Message-ID: I am trying to get user information from a keycloak instance running on a separate server. However I am getting an error when I try to retrieve this info. Interestingly I can use a Google chrome app to get the information no problem. Ideas? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140507/dba064cc/attachment.html From bburke at redhat.com Wed May 7 18:54:34 2014 From: bburke at redhat.com (Bill Burke) Date: Wed, 07 May 2014 18:54:34 -0400 Subject: [keycloak-user] CORS Setup In-Reply-To: References: Message-ID: <536AB9AA.8080509@redhat.com> I need more information. Setup? Config? Version? Stack traces? Error message? On 5/7/2014 5:12 PM, Ben wrote: > I am trying to get user information from a keycloak instance running on > a separate server. However I am getting an error when I try to retrieve > this info. Interestingly I can use a Google chrome app to get the > information no problem. Ideas? > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bensechrist at gmail.com Wed May 7 20:26:44 2014 From: bensechrist at gmail.com (Ben) Date: Wed, 7 May 2014 20:26:44 -0400 Subject: [keycloak-user] CORS Setup In-Reply-To: <536AB9AA.8080509@redhat.com> References: <536AB9AA.8080509@redhat.com> Message-ID: Sorry. I am using alpha 4 with Wildfly 8.0.0 Final. The in browser javascript console output is No 'Access-Control-Allow-Origin' header is present. There appears to be no error on the server side. On Wed, May 7, 2014 at 6:54 PM, Bill Burke wrote: > I need more information. Setup? Config? Version? Stack traces? Error > message? > > On 5/7/2014 5:12 PM, Ben wrote: > > I am trying to get user information from a keycloak instance running on > > a separate server. However I am getting an error when I try to retrieve > > this info. Interestingly I can use a Google chrome app to get the > > information no problem. Ideas? > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140507/d90916f3/attachment.html From stian at redhat.com Thu May 8 03:27:24 2014 From: stian at redhat.com (Stian Thorgersen) Date: Thu, 8 May 2014 03:27:24 -0400 (EDT) Subject: [keycloak-user] CORS Setup In-Reply-To: References: <536AB9AA.8080509@redhat.com> Message-ID: <1270073098.2958142.1399534044727.JavaMail.zimbra@redhat.com> Have you configured web origins for your application/client? Also, have you made sure the application/client has scope mappings for the account view-profile role? ----- Original Message ----- > From: "Ben" > To: "Bill Burke" > Cc: keycloak-user at lists.jboss.org > Sent: Thursday, 8 May, 2014 1:26:44 AM > Subject: Re: [keycloak-user] CORS Setup > > Sorry. I am using alpha 4 with Wildfly 8.0.0 Final. The in browser javascript > console output is No 'Access-Control-Allow-Origin' header is present. There > appears to be no error on the server side. > > > On Wed, May 7, 2014 at 6:54 PM, Bill Burke < bburke at redhat.com > wrote: > > > I need more information. Setup? Config? Version? Stack traces? Error > message? > > On 5/7/2014 5:12 PM, Ben wrote: > > I am trying to get user information from a keycloak instance running on > > a separate server. However I am getting an error when I try to retrieve > > this info. Interestingly I can use a Google chrome app to get the > > information no problem. Ideas? > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From bensechrist at gmail.com Thu May 8 09:10:25 2014 From: bensechrist at gmail.com (Ben) Date: Thu, 8 May 2014 09:10:25 -0400 Subject: [keycloak-user] CORS Setup In-Reply-To: <536AB9AA.8080509@redhat.com> References: <536AB9AA.8080509@redhat.com> Message-ID: On an unrelated note I am making my request to /auth/rest/realms/myRealm/account using jquery's ajax method. This is because I tried using the keycloak.js from /auth/js/keycloak.js but I get a realm missing error even with the keycloak.json being the following: { "realm": "Sechrist Blog", "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArqtGy/VqwnQnqrlmX8F3qjIf3/lM4NtytuWOsJqR/gpMqrHMEHK5Yf44rZT7lokO5VIJzW0+Jii11NU2+sQlwviiBHM+Kr2wBzJW3gCkYpAv6DrgkxbBoNExqa2LNiFvuL1fWscrkCbPsCwUSSjgjY1DO02PmIne/gE9dgD+BGbMuOniwSpkLE4CP1dG+0RupR1bxTU/17Xhr5c77VCIKT8ojxCnNCpSC5XrqDnkNqY8Ok175Iz3IOPt99Mxre8ayZosxXVJhatLoDdOGmoNtHScgmaNMP/gMNvon/pkvZYPBzEufB4fhTws2Yvi5fbShgrKumVyG1+Z5VqvqIA4BQIDAQAB", "auth-server-url": "https://dev.sechristfamily.com:9080/auth", "ssl-not-required": true, "resource": "Blog", "credentials": { "secret": "mSecret" } } On Wed, May 7, 2014 at 6:54 PM, Bill Burke wrote: > I need more information. Setup? Config? Version? Stack traces? Error > message? > > On 5/7/2014 5:12 PM, Ben wrote: > > I am trying to get user information from a keycloak instance running on > > a separate server. However I am getting an error when I try to retrieve > > this info. Interestingly I can use a Google chrome app to get the > > information no problem. Ideas? > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140508/f30bb73c/attachment-0001.html From stian at redhat.com Thu May 8 12:16:45 2014 From: stian at redhat.com (Stian Thorgersen) Date: Thu, 8 May 2014 12:16:45 -0400 (EDT) Subject: [keycloak-user] CORS Setup In-Reply-To: References: <536AB9AA.8080509@redhat.com> Message-ID: <1993717337.3413378.1399565805496.JavaMail.zimbra@redhat.com> Can you try building the server from master, and see if that works? The JS adapter has been updated and the documentation for it as well. ----- Original Message ----- > From: "Ben" > To: "Bill Burke" > Cc: keycloak-user at lists.jboss.org > Sent: Thursday, 8 May, 2014 2:10:25 PM > Subject: Re: [keycloak-user] CORS Setup > > On an unrelated note I am making my request to > /auth/rest/realms/myRealm/account using jquery's ajax method. This is > because I tried using the keycloak.js from /auth/js/keycloak.js but I get a > realm missing error even with the keycloak.json being the following: > > { > "realm": "Sechrist Blog", > "realm-public-key": > "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArqtGy/VqwnQnqrlmX8F3qjIf3/lM4NtytuWOsJqR/gpMqrHMEHK5Yf44rZT7lokO5VIJzW0+Jii11NU2+sQlwviiBHM+Kr2wBzJW3gCkYpAv6DrgkxbBoNExqa2LNiFvuL1fWscrkCbPsCwUSSjgjY1DO02PmIne/gE9dgD+BGbMuOniwSpkLE4CP1dG+0RupR1bxTU/17Xhr5c77VCIKT8ojxCnNCpSC5XrqDnkNqY8Ok175Iz3IOPt99Mxre8ayZosxXVJhatLoDdOGmoNtHScgmaNMP/gMNvon/pkvZYPBzEufB4fhTws2Yvi5fbShgrKumVyG1+Z5VqvqIA4BQIDAQAB", > "auth-server-url": " https://dev.sechristfamily.com:9080/auth ", > "ssl-not-required": true, > "resource": "Blog", > "credentials": { > "secret": "mSecret" > } > } > > > On Wed, May 7, 2014 at 6:54 PM, Bill Burke < bburke at redhat.com > wrote: > > > I need more information. Setup? Config? Version? Stack traces? Error > message? > > On 5/7/2014 5:12 PM, Ben wrote: > > I am trying to get user information from a keycloak instance running on > > a separate server. However I am getting an error when I try to retrieve > > this info. Interestingly I can use a Google chrome app to get the > > information no problem. Ideas? > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From bensechrist at gmail.com Thu May 8 14:29:49 2014 From: bensechrist at gmail.com (Ben) Date: Thu, 8 May 2014 14:29:49 -0400 Subject: [keycloak-user] CORS Setup In-Reply-To: <1993717337.3413378.1399565805496.JavaMail.zimbra@redhat.com> References: <536AB9AA.8080509@redhat.com> <1993717337.3413378.1399565805496.JavaMail.zimbra@redhat.com> Message-ID: I tried building from master so I updated from alpha 4 to beta 1. That worked fine but I still get the same error. I tried using the keycloak.js from the server and just a simple ajax using jquery on the page. On Thu, May 8, 2014 at 12:16 PM, Stian Thorgersen wrote: > Can you try building the server from master, and see if that works? The JS > adapter has been updated and the documentation for it as well. > > ----- Original Message ----- > > From: "Ben" > > To: "Bill Burke" > > Cc: keycloak-user at lists.jboss.org > > Sent: Thursday, 8 May, 2014 2:10:25 PM > > Subject: Re: [keycloak-user] CORS Setup > > > > On an unrelated note I am making my request to > > /auth/rest/realms/myRealm/account using jquery's ajax method. This is > > because I tried using the keycloak.js from /auth/js/keycloak.js but I > get a > > realm missing error even with the keycloak.json being the following: > > > > { > > "realm": "Sechrist Blog", > > "realm-public-key": > > > "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArqtGy/VqwnQnqrlmX8F3qjIf3/lM4NtytuWOsJqR/gpMqrHMEHK5Yf44rZT7lokO5VIJzW0+Jii11NU2+sQlwviiBHM+Kr2wBzJW3gCkYpAv6DrgkxbBoNExqa2LNiFvuL1fWscrkCbPsCwUSSjgjY1DO02PmIne/gE9dgD+BGbMuOniwSpkLE4CP1dG+0RupR1bxTU/17Xhr5c77VCIKT8ojxCnNCpSC5XrqDnkNqY8Ok175Iz3IOPt99Mxre8ayZosxXVJhatLoDdOGmoNtHScgmaNMP/gMNvon/pkvZYPBzEufB4fhTws2Yvi5fbShgrKumVyG1+Z5VqvqIA4BQIDAQAB", > > "auth-server-url": " https://dev.sechristfamily.com:9080/auth ", > > "ssl-not-required": true, > > "resource": "Blog", > > "credentials": { > > "secret": "mSecret" > > } > > } > > > > > > On Wed, May 7, 2014 at 6:54 PM, Bill Burke < bburke at redhat.com > wrote: > > > > > > I need more information. Setup? Config? Version? Stack traces? Error > > message? > > > > On 5/7/2014 5:12 PM, Ben wrote: > > > I am trying to get user information from a keycloak instance running on > > > a separate server. However I am getting an error when I try to retrieve > > > this info. Interestingly I can use a Google chrome app to get the > > > information no problem. Ideas? > > > > > > > > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > -- > > Bill Burke > > JBoss, a division of Red Hat > > http://bill.burkecentral.com > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140508/4a8db096/attachment.html From rodrigopsasaki at gmail.com Fri May 9 16:35:01 2014 From: rodrigopsasaki at gmail.com (Rodrigo Sasaki) Date: Fri, 9 May 2014 17:35:01 -0300 Subject: [keycloak-user] Token Grant Message-ID: Hello everyone, Fist of all I apologize if I do anything that isn't normal, this is the 1st time I subscribe to a mailing list, please let me know if I should have done anything differently. Alright then, my question is this: Is there a way for me to get a token providing only user and password? Let me try and clarify it better. We are using a homegrown solution based on SkeletonKey and we have a flow where we use an URL that requires username and password and returns directly an Access Token, with no Access Codes envolved. We use this so that our own mobile apps can get access to our REST services. Is there any way I could get around this with Keycloak? Getting an access token directly to my mobile app? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140509/41b6fec1/attachment.html From bburke at redhat.com Fri May 9 16:46:01 2014 From: bburke at redhat.com (Bill Burke) Date: Fri, 09 May 2014 16:46:01 -0400 Subject: [keycloak-user] Token Grant In-Reply-To: References: Message-ID: <536D3E89.4000007@redhat.com> You can do a Basic Auth request POST /content-root/realms/{realm}/tokens/grants/access Authorization: Basic auth with client_id and secret Content-Type: application/x-www-form-urlencoded client_id is the id of your register application. form parameters are: username password BTW, for mobile, IMO, you are better off doing oauth with the mobile client and doing a mobile redirect to your browser and back. That way Keycloak can manage your accounts. On 5/9/2014 4:35 PM, Rodrigo Sasaki wrote: > Hello everyone, > > Fist of all I apologize if I do anything that isn't normal, this is the > 1st time I subscribe to a mailing list, please let me know if I should > have done anything differently. > > Alright then, my question is this: Is there a way for me to get a token > providing only user and password? Let me try and clarify it better. > > We are using a homegrown solution based on SkeletonKey and we have a > flow where we use an URL that requires username and password and returns > directly an Access Token, with no Access Codes envolved. We use this so > that our own mobile apps can get access to our REST services. > > Is there any way I could get around this with Keycloak? Getting an > access token directly to my mobile app? > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From rodrigopsasaki at gmail.com Fri May 9 16:50:50 2014 From: rodrigopsasaki at gmail.com (Rodrigo Sasaki) Date: Fri, 9 May 2014 17:50:50 -0300 Subject: [keycloak-user] Token Grant In-Reply-To: <536D3E89.4000007@redhat.com> References: <536D3E89.4000007@redhat.com> Message-ID: I considered that aswell. The thing is the mobile app is already completed, and I'm not in the position to make such design calls. My idea was to create a normal Application, and use the URLs I define there instead of just giving the token to the mobile app, that's what you meant right? Nonetheless I'll definitely pass on your suggestion up, it definitely sounds better and cleaner. Thank you for such a quick response! On Fri, May 9, 2014 at 5:46 PM, Bill Burke wrote: > You can do a Basic Auth request > > POST /content-root/realms/{realm}/tokens/grants/access > Authorization: Basic auth with client_id and secret > Content-Type: application/x-www-form-urlencoded > > client_id is the id of your register application. > > form parameters are: > > username > password > > > BTW, for mobile, IMO, you are better off doing oauth with the mobile > client and doing a mobile redirect to your browser and back. That way > Keycloak can manage your accounts. > > > > > On 5/9/2014 4:35 PM, Rodrigo Sasaki wrote: > > Hello everyone, > > > > Fist of all I apologize if I do anything that isn't normal, this is the > > 1st time I subscribe to a mailing list, please let me know if I should > > have done anything differently. > > > > Alright then, my question is this: Is there a way for me to get a token > > providing only user and password? Let me try and clarify it better. > > > > We are using a homegrown solution based on SkeletonKey and we have a > > flow where we use an URL that requires username and password and returns > > directly an Access Token, with no Access Codes envolved. We use this so > > that our own mobile apps can get access to our REST services. > > > > Is there any way I could get around this with Keycloak? Getting an > > access token directly to my mobile app? > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Rodrigo Sasaki -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140509/42a1048e/attachment.html From rodrigopsasaki at gmail.com Fri May 9 17:06:37 2014 From: rodrigopsasaki at gmail.com (Rodrigo Sasaki) Date: Fri, 9 May 2014 18:06:37 -0300 Subject: [keycloak-user] Token Grant In-Reply-To: References: <536D3E89.4000007@redhat.com> Message-ID: I'm sorry but I believe I may have misunderstood you somehow, I tried building a request for that URL to test it. The application I'm trying to access is the product-portal application from the unconfigured demo, I followed the tutorials and got it running, so here's the post I created: POST http://localhost:8080/auth/rest/realms/demo/tokens/grants/access Authorization: Basic cHJvZHVjdC1wb3J0YWw6MWQ5MDRlYzAtNjViMS00MDljLTljYTUtMDhkMGI1ODI0Y2I4 Content-Type: application/x-www-form-urlencoded Form Data: username: product-portal password: key generated by keycloak Here the Authorization header was also built on the name product-portal and the key that keycloak generated, so I entered it twice, and I know that can't be right, but I don't really know where my mistake is. I apologize for the inconvenience, but if it's not much trouble, could you clarify that for me? On Fri, May 9, 2014 at 5:50 PM, Rodrigo Sasaki wrote: > I considered that aswell. > > The thing is the mobile app is already completed, and I'm not in the > position to make such design calls. > > My idea was to create a normal Application, and use the URLs I define > there instead of just giving the token to the mobile app, that's what you > meant right? > > Nonetheless I'll definitely pass on your suggestion up, it definitely > sounds better and cleaner. Thank you for such a quick response! > > > On Fri, May 9, 2014 at 5:46 PM, Bill Burke wrote: > >> You can do a Basic Auth request >> >> POST /content-root/realms/{realm}/tokens/grants/access >> Authorization: Basic auth with client_id and secret >> Content-Type: application/x-www-form-urlencoded >> >> client_id is the id of your register application. >> >> form parameters are: >> >> username >> password >> >> >> BTW, for mobile, IMO, you are better off doing oauth with the mobile >> client and doing a mobile redirect to your browser and back. That way >> Keycloak can manage your accounts. >> >> >> >> >> On 5/9/2014 4:35 PM, Rodrigo Sasaki wrote: >> > Hello everyone, >> > >> > Fist of all I apologize if I do anything that isn't normal, this is the >> > 1st time I subscribe to a mailing list, please let me know if I should >> > have done anything differently. >> > >> > Alright then, my question is this: Is there a way for me to get a token >> > providing only user and password? Let me try and clarify it better. >> > >> > We are using a homegrown solution based on SkeletonKey and we have a >> > flow where we use an URL that requires username and password and returns >> > directly an Access Token, with no Access Codes envolved. We use this so >> > that our own mobile apps can get access to our REST services. >> > >> > Is there any way I could get around this with Keycloak? Getting an >> > access token directly to my mobile app? >> > >> > >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > > -- > Rodrigo Sasaki > -- Rodrigo Sasaki -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140509/3263881f/attachment-0001.html From bburke at redhat.com Fri May 9 17:14:23 2014 From: bburke at redhat.com (Bill Burke) Date: Fri, 09 May 2014 17:14:23 -0400 Subject: [keycloak-user] Token Grant In-Reply-To: References: <536D3E89.4000007@redhat.com> Message-ID: <536D452F.60608@redhat.com> Authorization header would be generated from "product-portal" and "key generated by keycloak". Form Data: username: bburke password: bills-password On 5/9/2014 5:06 PM, Rodrigo Sasaki wrote: > I'm sorry but I believe I may have misunderstood you somehow, I tried > building a request for that URL to test it. > > The application I'm trying to access is the product-portal application > from the unconfigured demo, I followed the tutorials and got it running, > so here's the post I created: > > POST http://localhost:8080/auth/rest/realms/demo/tokens/grants/access > Authorization: Basic > cHJvZHVjdC1wb3J0YWw6MWQ5MDRlYzAtNjViMS00MDljLTljYTUtMDhkMGI1ODI0Y2I4 > Content-Type: application/x-www-form-urlencoded > > Form Data: > username: product-portal > password: key generated by keycloak > > > Here the Authorization header was also built on the name product-portal > and the key that keycloak generated, so I entered it twice, and I know > that can't be right, but I don't really know where my mistake is. I > apologize for the inconvenience, but if it's not much trouble, could you > clarify that for me? > > > On Fri, May 9, 2014 at 5:50 PM, Rodrigo Sasaki > wrote: > > I considered that aswell. > > The thing is the mobile app is already completed, and I'm not in the > position to make such design calls. > > My idea was to create a normal Application, and use the URLs I > define there instead of just giving the token to the mobile app, > that's what you meant right? > > Nonetheless I'll definitely pass on your suggestion up, it > definitely sounds better and cleaner. Thank you for such a quick > response! > > > On Fri, May 9, 2014 at 5:46 PM, Bill Burke > wrote: > > You can do a Basic Auth request > > POST /content-root/realms/{realm}/tokens/grants/access > Authorization: Basic auth with client_id and secret > Content-Type: application/x-www-form-urlencoded > > client_id is the id of your register application. > > form parameters are: > > username > password > > > BTW, for mobile, IMO, you are better off doing oauth with the mobile > client and doing a mobile redirect to your browser and back. > That way > Keycloak can manage your accounts. > > > > > On 5/9/2014 4:35 PM, Rodrigo Sasaki wrote: > > Hello everyone, > > > > Fist of all I apologize if I do anything that isn't normal, > this is the > > 1st time I subscribe to a mailing list, please let me know if > I should > > have done anything differently. > > > > Alright then, my question is this: Is there a way for me to > get a token > > providing only user and password? Let me try and clarify it > better. > > > > We are using a homegrown solution based on SkeletonKey and we > have a > > flow where we use an URL that requires username and password > and returns > > directly an Access Token, with no Access Codes envolved. We > use this so > > that our own mobile apps can get access to our REST services. > > > > Is there any way I could get around this with Keycloak? > Getting an > > access token directly to my mobile app? > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > -- > Rodrigo Sasaki > > > > > -- > Rodrigo Sasaki -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Fri May 9 17:22:48 2014 From: bburke at redhat.com (Bill Burke) Date: Fri, 09 May 2014 17:22:48 -0400 Subject: [keycloak-user] Token Grant In-Reply-To: References: <536D3E89.4000007@redhat.com> Message-ID: <536D4728.6080907@redhat.com> We're doing a lot of work with Keycloak and Mobile in the LiveOak project. Its just a matter of us documenting and providing examples which takes time. On 5/9/2014 4:50 PM, Rodrigo Sasaki wrote: > I considered that aswell. > > The thing is the mobile app is already completed, and I'm not in the > position to make such design calls. > > My idea was to create a normal Application, and use the URLs I define > there instead of just giving the token to the mobile app, that's what > you meant right? > > Nonetheless I'll definitely pass on your suggestion up, it definitely > sounds better and cleaner. Thank you for such a quick response! > > > On Fri, May 9, 2014 at 5:46 PM, Bill Burke > wrote: > > You can do a Basic Auth request > > POST /content-root/realms/{realm}/tokens/grants/access > Authorization: Basic auth with client_id and secret > Content-Type: application/x-www-form-urlencoded > > client_id is the id of your register application. > > form parameters are: > > username > password > > > BTW, for mobile, IMO, you are better off doing oauth with the mobile > client and doing a mobile redirect to your browser and back. That way > Keycloak can manage your accounts. > > > > > On 5/9/2014 4:35 PM, Rodrigo Sasaki wrote: > > Hello everyone, > > > > Fist of all I apologize if I do anything that isn't normal, this > is the > > 1st time I subscribe to a mailing list, please let me know if I > should > > have done anything differently. > > > > Alright then, my question is this: Is there a way for me to get a > token > > providing only user and password? Let me try and clarify it better. > > > > We are using a homegrown solution based on SkeletonKey and we have a > > flow where we use an URL that requires username and password and > returns > > directly an Access Token, with no Access Codes envolved. We use > this so > > that our own mobile apps can get access to our REST services. > > > > Is there any way I could get around this with Keycloak? Getting an > > access token directly to my mobile app? > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > -- > Rodrigo Sasaki -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From jim.boettcher at hp.com Fri May 9 17:23:49 2014 From: jim.boettcher at hp.com (Boettcher, Jim) Date: Fri, 9 May 2014 21:23:49 +0000 Subject: [keycloak-user] How to set up CORS for javascript calling a REST app References: <567C02B1AFF42E499D63011F4C931ABE22CCACD4@G5W2731.americas.hpqcorp.net> <536813C3.2030207@redhat.com> <1200899652.1346715.1399366478548.JavaMail.zimbra@redhat.com> Message-ID: <567C02B1AFF42E499D63011F4C931ABE240ECB6E@G5W2731.americas.hpqcorp.net> Here is some more information on my problem. I have done a local build with the source from 5/8/2014. I deployed the auth-server to JBoss 7.1.1 running at localhost:8080 I deployed the as7-adapter to JBoss 7.1.1 running at myhost.net:7116 I have 2 applications running on the server at myhost.net:7116 1. gui-app - a jsp that uses Angular.js to make an Ajax call to a REST service in rest-app 2. rest-app - a REST service Both the gui-app and rest-app are configured to be secured by the auth-server. When the jsp from gui-app is requested it will get redirected to the auth-server and get the login form and successfully login. I can see the KEYCLOAK_IDENTITY cookie set and get the access code and exchange the access code for an access token. Everything looks good. When the Ajax request is made to the rest-app the problems start. First of all for the Anguar.js config I had to set $httpProvider.defaults.withCredentials = true or the KEYCLOAK_IDENTITY cookie would not get sent when the request was redirected to the auth-server. In the Cors.build() method the origin value from the request is null so none of this code executes. This may be because I have the auth-server and my apps on different instances of JBoss with different domains. Also since I have already successfully logged in (with the call from the jsp) the method that gets called is in OAuthFlows. redirectAccessCode (). This method does not set any of the Access-Control-Allow-* methods and I get an error in the browser console: XMLHttpRequest cannot load http://localhost:8080/auth/realms/demo/tokens/login?client_id=rest-app&redi?backuptypeoption&state=9%2F17236f38-06ff-4fe7-a44d-4ddaaf7fb048&login=true. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://myhost.net:7116' is therefore not allowed access. If I modify the code to add the Access-Control-Allow-* headers to the response, I get further along. Now the redirect with the access code get processed by the adapter. When the adapter strips the access code and sends back a redirect response without the access code it does not add the Access-Control-Allow-* headers so this fails with the error: XMLHttpRequest cannot load https://myhost.net:7116/rest-app/restws/backupt?FHbNf0z2R0hVsU6QBMamaEVUvtQ&state=5%2F31a2cfc8-3250-4270-8e01-026bbfd0f243. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access. Modifying the adapter to add the Access-Control-Allow-* for this redirect response gets a little further. Now the problem is that the Origin=null in the request header and I get this error: XMLHttpRequest cannot load https://myhost.net:7116/rest-app/restws/backupt?5LL8dP6-ZEEE_t1fLf-OrJBTM6M&state=7%2F602fb48a-216e-47d9-a10a-d142a7250987. The 'Access-Control-Allow-Origin' header has a value 'https://myhost.net:7116' that is not equal to the supplied origin. Origin 'null' is therefore not allowed access. I tried to set the Access-Control-Allow-Origin = * to get around this null issue, but then I get an error: A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'null' is therefore not allowed access. But I have to set the credentials flag to true in order to get the KEYCLOAK_IDENTITY cookie to be sent. Can you look into these problems and let me know if there is a way to get this working for the applications that I have? Thanks -Jim -----Original Message----- From: Boettcher, Jim Sent: Tuesday, May 06, 2014 8:31 AM To: 'Stian Thorgersen'; Bill Burke Cc: keycloak-user at lists.jboss.org Subject: RE: How to set up CORS for javascript calling a REST app I first tried with the Alpa-3 release. I then did a build with latest source and deployed the auth-server.war and the keycloak-as7-adapter module. I still have the same problem with the latest source. I also noticed that with the latest source running on JBoss 7.1.1 when I tried to import a realm I get this error: Caused by: java.lang.NoSuchMethodError: org.jboss.resteasy.plugins.providers.multipart.InputPart.setMediaType(Ljavax/ws/rs/core/MediaType;)V at org.keycloak.services.resources.admin.RealmsAdminResource.uploadRealm(RealmsAdminResource.java:132) [keycloak-services-1.0-beta-1-SNAPSHOT.jar:] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_45] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_45] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_45] at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_45] at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:155) [resteasy-jaxrs-2.3.2.Final.jar:] at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:257) [resteasy-jaxrs-2.3.2.Final.jar:] at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:222) [resteasy-jaxrs-2.3.2.Final.jar:] at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:152) [resteasy-jaxrs-2.3.2.Final.jar:] at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:91) [resteasy-jaxrs-2.3.2.Final.jar:] at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:525) [resteasy-jaxrs-2.3.2.Final.jar:] Jim -----Original Message----- From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Stian Thorgersen Sent: Tuesday, May 06, 2014 4:55 AM To: Bill Burke Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] How to set up CORS for javascript calling a REST app I added some fixes to CORS in the adapters that haven't made it into a release yet. Have you tried with building the server from source? ----- Original Message ----- > From: "Bill Burke" > To: keycloak-user at lists.jboss.org > Sent: Monday, 5 May, 2014 11:42:11 PM > Subject: Re: [keycloak-user] How to set up CORS for javascript calling > a REST app > > You are using the latest release? I'll take a look. I don't have any > unit tests for the CORs stuff in the last alpha release (have some in > trunk though) and I don't think I tested it manually either. > > On 5/5/2014 3:41 PM, Boettcher, Jim wrote: > > Hi, > > > > I?m trying to get CORS working for a javascript app. The javascript > > app > > (gui_app) is making AJAX requests to a different REST app (rest_app). > > > > In the Keycloak admin console I created an application for the > > rest_app application and set a Web Origin of ?*? . I then copied the > > Installation for Jboss Subsystem XML to the standalone.xml of the > > JBoss 7.1.1 server that the rest_app is running on. I modified the > > configuration to add > > > > true > > > > When I try to open the gui_app from Chrome I get errors like: > > > > XMLHttpRequest cannot load > > http://localhost:8080/auth/rest/realms/dp-gui/tokens/login?client_id=rest_app&redirect_uri=https%3A%2F%2Flocalhost%3A7116%2Frest_app%2Frestws%2Ftimezone&state=3%2F502272ab-ab8f-4d9e-b8ea-4484a81de15c&login=true. > > No 'Access-Control-Allow-Origin' header is present on the requested > > resource. Origin 'https://localhost:7116' is therefore not allowed access. > > > > I?ve tried playing with various settings but can?t get anything to work. > > > > Is there an example available for how to get this to work? > > > > Is there anything else that needs to be done on the Keycloak server > > side? Or on the Adapter side? > > > > Thanks, > > > > Jim > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From bburke at redhat.com Fri May 9 17:38:10 2014 From: bburke at redhat.com (Bill Burke) Date: Fri, 09 May 2014 17:38:10 -0400 Subject: [keycloak-user] How to set up CORS for javascript calling a REST app In-Reply-To: <567C02B1AFF42E499D63011F4C931ABE240ECB6E@G5W2731.americas.hpqcorp.net> References: <567C02B1AFF42E499D63011F4C931ABE22CCACD4@G5W2731.americas.hpqcorp.net> <536813C3.2030207@redhat.com> <1200899652.1346715.1399366478548.JavaMail.zimbra@redhat.com> <567C02B1AFF42E499D63011F4C931ABE240ECB6E@G5W2731.americas.hpqcorp.net> Message-ID: <536D4AC2.5010905@redhat.com> I want to reproduce your setup as a CORS example. So your setup is? 1. Keycloak deployed on auth.domain.com 2. gui-app deployed on gui.domain.com 3. rest-app deployed on rest-app.domain.com Is that right? The XHR's origin is "gui.domain.com" correct? This request to rest-app is made using the access token (bearer auth)? Just curious, how do you obtain the access token? If that is correct, I'll put together an example that you can try out within master. On 5/9/2014 5:23 PM, Boettcher, Jim wrote: > Here is some more information on my problem. > I have done a local build with the source from 5/8/2014. > I deployed the auth-server to JBoss 7.1.1 running at localhost:8080 > I deployed the as7-adapter to JBoss 7.1.1 running at myhost.net:7116 > I have 2 applications running on the server at myhost.net:7116 > 1. gui-app - a jsp that uses Angular.js to make an Ajax call to a REST service in rest-app > 2. rest-app - a REST service > Both the gui-app and rest-app are configured to be secured by the auth-server. > > When the jsp from gui-app is requested it will get redirected to the auth-server and get the login form and successfully login. I can see the KEYCLOAK_IDENTITY cookie set and get the access code and exchange the access code for an access token. Everything looks good. > > When the Ajax request is made to the rest-app the problems start. > First of all for the Anguar.js config I had to set $httpProvider.defaults.withCredentials = true or the KEYCLOAK_IDENTITY cookie would not get sent when the request was redirected to the auth-server. > In the Cors.build() method the origin value from the request is null so none of this code executes. This may be because I have the auth-server and my apps on different instances of JBoss with different domains. > Also since I have already successfully logged in (with the call from the jsp) the method that gets called is in OAuthFlows. redirectAccessCode (). This method does not set any of the Access-Control-Allow-* methods and I get an error in the browser console: > XMLHttpRequest cannot load http://localhost:8080/auth/realms/demo/tokens/login?client_id=rest-app&redi?backuptypeoption&state=9%2F17236f38-06ff-4fe7-a44d-4ddaaf7fb048&login=true. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://myhost.net:7116' is therefore not allowed access. > > If I modify the code to add the Access-Control-Allow-* headers to the response, I get further along. Now the redirect with the access code get processed by the adapter. When the adapter strips the access code and sends back a redirect response without the access code it does not add the Access-Control-Allow-* headers so this fails with the error: > XMLHttpRequest cannot load https://myhost.net:7116/rest-app/restws/backupt?FHbNf0z2R0hVsU6QBMamaEVUvtQ&state=5%2F31a2cfc8-3250-4270-8e01-026bbfd0f243. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access. > > Modifying the adapter to add the Access-Control-Allow-* for this redirect response gets a little further. Now the problem is that the Origin=null in the request header and I get this error: > XMLHttpRequest cannot load https://myhost.net:7116/rest-app/restws/backupt?5LL8dP6-ZEEE_t1fLf-OrJBTM6M&state=7%2F602fb48a-216e-47d9-a10a-d142a7250987. The 'Access-Control-Allow-Origin' header has a value 'https://myhost.net:7116' that is not equal to the supplied origin. Origin 'null' is therefore not allowed access. > > I tried to set the Access-Control-Allow-Origin = * to get around this null issue, but then I get an error: > A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'null' is therefore not allowed access. > But I have to set the credentials flag to true in order to get the KEYCLOAK_IDENTITY cookie to be sent. > > Can you look into these problems and let me know if there is a way to get this working for the applications that I have? > > Thanks > -Jim > > -----Original Message----- > From: Boettcher, Jim > Sent: Tuesday, May 06, 2014 8:31 AM > To: 'Stian Thorgersen'; Bill Burke > Cc: keycloak-user at lists.jboss.org > Subject: RE: How to set up CORS for javascript calling a REST app > > I first tried with the Alpa-3 release. > I then did a build with latest source and deployed the auth-server.war and the keycloak-as7-adapter module. I still have the same problem with the latest source. > > I also noticed that with the latest source running on JBoss 7.1.1 when I tried to import a realm I get this error: > Caused by: java.lang.NoSuchMethodError: org.jboss.resteasy.plugins.providers.multipart.InputPart.setMediaType(Ljavax/ws/rs/core/MediaType;)V > at org.keycloak.services.resources.admin.RealmsAdminResource.uploadRealm(RealmsAdminResource.java:132) [keycloak-services-1.0-beta-1-SNAPSHOT.jar:] > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_45] > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_45] > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_45] > at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_45] > at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:155) [resteasy-jaxrs-2.3.2.Final.jar:] > at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:257) [resteasy-jaxrs-2.3.2.Final.jar:] > at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:222) [resteasy-jaxrs-2.3.2.Final.jar:] > at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:152) [resteasy-jaxrs-2.3.2.Final.jar:] > at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:91) [resteasy-jaxrs-2.3.2.Final.jar:] > at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:525) [resteasy-jaxrs-2.3.2.Final.jar:] > > Jim > > > -----Original Message----- > From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Stian Thorgersen > Sent: Tuesday, May 06, 2014 4:55 AM > To: Bill Burke > Cc: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] How to set up CORS for javascript calling a REST app > > I added some fixes to CORS in the adapters that haven't made it into a release yet. Have you tried with building the server from source? > > ----- Original Message ----- >> From: "Bill Burke" >> To: keycloak-user at lists.jboss.org >> Sent: Monday, 5 May, 2014 11:42:11 PM >> Subject: Re: [keycloak-user] How to set up CORS for javascript calling >> a REST app >> >> You are using the latest release? I'll take a look. I don't have any >> unit tests for the CORs stuff in the last alpha release (have some in >> trunk though) and I don't think I tested it manually either. >> >> On 5/5/2014 3:41 PM, Boettcher, Jim wrote: >>> Hi, >>> >>> I?m trying to get CORS working for a javascript app. The javascript >>> app >>> (gui_app) is making AJAX requests to a different REST app (rest_app). >>> >>> In the Keycloak admin console I created an application for the >>> rest_app application and set a Web Origin of ?*? . I then copied the >>> Installation for Jboss Subsystem XML to the standalone.xml of the >>> JBoss 7.1.1 server that the rest_app is running on. I modified the >>> configuration to add >>> >>> true >>> >>> When I try to open the gui_app from Chrome I get errors like: >>> >>> XMLHttpRequest cannot load >>> http://localhost:8080/auth/rest/realms/dp-gui/tokens/login?client_id=rest_app&redirect_uri=https%3A%2F%2Flocalhost%3A7116%2Frest_app%2Frestws%2Ftimezone&state=3%2F502272ab-ab8f-4d9e-b8ea-4484a81de15c&login=true. >>> No 'Access-Control-Allow-Origin' header is present on the requested >>> resource. Origin 'https://localhost:7116' is therefore not allowed access. >>> >>> I?ve tried playing with various settings but can?t get anything to work. >>> >>> Is there an example available for how to get this to work? >>> >>> Is there anything else that needs to be done on the Keycloak server >>> side? Or on the Adapter side? >>> >>> Thanks, >>> >>> Jim >>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bensechrist at gmail.com Fri May 9 17:42:57 2014 From: bensechrist at gmail.com (Ben) Date: Fri, 9 May 2014 17:42:57 -0400 Subject: [keycloak-user] Keycloak Adapter Error Message-ID: I am using Keycloak Beta 1 Snapshot as my SSO but when any user logs in it gives a 403 forbidden and the error shown below. Any idea what went wrong? ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-7) failed to turn code into token: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated at sun.security.ssl.SSLSessionImpl.getPeerCertificates( SSLSessionImpl.java:397) [jsse.jar:1.7.0_45] at org.apache.http.conn.ssl.AbstractVerifier.verify( AbstractVerifier.java:128) at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket( SSLSocketFactory.java:572) at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection( DefaultClientConnectionOperator.java:180) at org.apache.http.impl.conn.AbstractPoolEntry.open( AbstractPoolEntry.java:151) at org.apache.http.impl.conn.AbstractPooledConnAdapter.open( AbstractPooledConnAdapter.java:125) at org.apache.http.impl.client.DefaultRequestDirector.tryConnect( DefaultRequestDirector.java:640) at org.apache.http.impl.client.DefaultRequestDirector.execute( DefaultRequestDirector.java:479) at org.apache.http.impl.client.AbstractHttpClient.execute( AbstractHttpClient.java:906) at org.apache.http.impl.client.AbstractHttpClient.execute( AbstractHttpClient.java:805) at org.apache.http.impl.client.AbstractHttpClient.execute( AbstractHttpClient.java:784) at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken( ServerRequest.java:78) [keycloak-adapter-core-1.0-beta-1-SNAPSHOT.jar:] at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken( ServerRequest.java:55) [keycloak-adapter-core-1.0-beta-1-SNAPSHOT.jar:] at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode( OAuthRequestAuthenticator.java:256) [keycloak-adapter-core-1.0-beta-1-SNAPSHOT.jar:] at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate( OAuthRequestAuthenticator.java:205) [keycloak-adapter-core-1.0-beta-1-SNAPSHOT.jar:] at org.keycloak.adapters.RequestAuthenticator.authenticate( RequestAuthenticator.java:59) [keycloak-adapter-core-1.0-beta-1-SNAPSHOT.jar:] at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate( ServletKeycloakAuthMech.java:38) [keycloak-undertow-adapter-1.0-beta-1-SNAPSHOT.jar:] at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition( SecurityContextImpl.java:281) [undertow-core-1.0.0.Final.jar:1.0.0.Final] at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition( SecurityContextImpl.java:298) [undertow-core-1.0.0.Final.jar:1.0.0.Final] at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100( SecurityContextImpl.java:268) [undertow-core-1.0.0.Final.jar:1.0.0.Final] at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication( SecurityContextImpl.java:131) [undertow-core-1.0.0.Final.jar:1.0.0.Final] at io.undertow.security.impl.SecurityContextImpl.authTransition( SecurityContextImpl.java:106) [undertow-core-1.0.0.Final.jar:1.0.0.Final] at io.undertow.security.impl.SecurityContextImpl.authenticate( SecurityContextImpl.java:99) [undertow-core-1.0.0.Final.jar:1.0.0.Final] at io.undertow.security.handlers.AuthenticationCallHandler.handleRequest( AuthenticationCallHandler.java:50) [undertow-core-1.0.0.Final.jar:1.0.0.Final] at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest( AuthenticationConstraintHandler.java:51) [undertow-core-1.0.0.Final.jar:1.0.0.Final] at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest( AbstractConfidentialityHandler.java:45) [undertow-core-1.0.0.Final.jar:1.0.0.Final] at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest( ServletConfidentialityConstraintHandler.java:61) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest( ServletSecurityConstraintHandler.java:56) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest( AuthenticationMechanismsHandler.java:58) [undertow-core-1.0.0.Final.jar:1.0.0.Final] at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest( CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] at io.undertow.security.handlers.SecurityInitialHandler.handleRequest( SecurityInitialHandler.java:76) [undertow-core-1.0.0.Final.jar:1.0.0.Final] at io.undertow.server.handlers.PredicateHandler.handleRequest( PredicateHandler.java:25) [undertow-core-1.0.0.Final.jar:1.0.0.Final] at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest( JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest( PredicateHandler.java:25) [undertow-core-1.0.0.Final.jar:1.0.0.Final] at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest( ServletPreAuthActionsHandler.java:54) [keycloak-undertow-adapter-1.0-beta-1-SNAPSHOT.jar:] at io.undertow.server.handlers.PredicateHandler.handleRequest( PredicateHandler.java:25) [undertow-core-1.0.0.Final.jar:1.0.0.Final] at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest( ServletInitialHandler.java:240) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest( ServletInitialHandler.java:227) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] at io.undertow.servlet.handlers.ServletInitialHandler.access$000( ServletInitialHandler.java:73) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest( ServletInitialHandler.java:146) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] at io.undertow.server.Connectors.executeRootHandler(Connectors.java:168) [undertow-core-1.0.0.Final.jar:1.0.0.Final] at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:687) [undertow-core-1.0.0.Final.jar:1.0.0.Final] at java.util.concurrent.ThreadPoolExecutor.runWorker( ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_45] at java.util.concurrent.ThreadPoolExecutor$Worker.run( ThreadPoolExecutor.java:615) [rt.jar:1.7.0_45] at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_45] -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140509/a8c0fd72/attachment.html From bburke at redhat.com Fri May 9 18:13:44 2014 From: bburke at redhat.com (Bill Burke) Date: Fri, 09 May 2014 18:13:44 -0400 Subject: [keycloak-user] Keycloak Adapter Error In-Reply-To: References: Message-ID: <536D5318.8020906@redhat.com> Your server is secured via SSL? (https)? If so, In your adapter config set: "disable-trust-manager": true or provide a keystore file that holds the public cert of your server: "truststore": "/path", "truststore-password": "password" On 5/9/2014 5:42 PM, Ben wrote: > I am using Keycloak Beta 1 Snapshot as my SSO but when any user logs in > it gives a 403 forbidden and the error shown below. Any idea what went > wrong? > > > ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-7) > failed to turn code into token: > javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated > > at > sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:397) > [jsse.jar:1.7.0_45] > > at > org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128) > > at > org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572) > > at > org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) > > at > org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151) > > at > org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125) > > at > org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640) > > at > org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479) > > at > org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) > > at > org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805) > > at > org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784) > > at > org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:78) > [keycloak-adapter-core-1.0-beta-1-SNAPSHOT.jar:] > > at > org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:55) > [keycloak-adapter-core-1.0-beta-1-SNAPSHOT.jar:] > > at > org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:256) > [keycloak-adapter-core-1.0-beta-1-SNAPSHOT.jar:] > > at > org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:205) > [keycloak-adapter-core-1.0-beta-1-SNAPSHOT.jar:] > > at > org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:59) > [keycloak-adapter-core-1.0-beta-1-SNAPSHOT.jar:] > > at > org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:38) > [keycloak-undertow-adapter-1.0-beta-1-SNAPSHOT.jar:] > > at > io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:281) > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > at > io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:298) > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > at > io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:268) > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > at > io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:131) > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > at > io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:106) > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > at > io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:99) > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > at > io.undertow.security.handlers.AuthenticationCallHandler.handleRequest(AuthenticationCallHandler.java:50) > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > at > io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > at > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > at > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61) > [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] > > at > io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) > [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] > > at > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > at > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) > [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] > > at > io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > at > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > at > org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:54) > [keycloak-undertow-adapter-1.0-beta-1-SNAPSHOT.jar:] > > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > at > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) > [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] > > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) > [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] > > at > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) > [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] > > at > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) > [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] > > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:168) > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > at > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:687) > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > [rt.jar:1.7.0_45] > > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > [rt.jar:1.7.0_45] > > at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_45] > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bensechrist at gmail.com Fri May 9 21:43:58 2014 From: bensechrist at gmail.com (Ben) Date: Fri, 9 May 2014 21:43:58 -0400 Subject: [keycloak-user] Keycloak Adapter Error In-Reply-To: <536D5318.8020906@redhat.com> References: <536D5318.8020906@redhat.com> Message-ID: I am fairly new to this. I am using Wildfly 8.0.0 Final. Where should I set this? On Fri, May 9, 2014 at 6:13 PM, Bill Burke wrote: > Your server is secured via SSL? (https)? If so, > > In your adapter config set: > > "disable-trust-manager": true > > or provide a keystore file that holds the public cert of your server: > > "truststore": "/path", > "truststore-password": "password" > > > > > > On 5/9/2014 5:42 PM, Ben wrote: > > I am using Keycloak Beta 1 Snapshot as my SSO but when any user logs in > > it gives a 403 forbidden and the error shown below. Any idea what went > > wrong? > > > > > > ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-7) > > failed to turn code into token: > > javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated > > > > at > > > sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:397) > > [jsse.jar:1.7.0_45] > > > > at > > > org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128) > > > > at > > > org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572) > > > > at > > > org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) > > > > at > > > org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151) > > > > at > > > org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125) > > > > at > > > org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640) > > > > at > > > org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479) > > > > at > > > org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) > > > > at > > > org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805) > > > > at > > > org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784) > > > > at > > > org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:78) > > [keycloak-adapter-core-1.0-beta-1-SNAPSHOT.jar:] > > > > at > > > org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:55) > > [keycloak-adapter-core-1.0-beta-1-SNAPSHOT.jar:] > > > > at > > > org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:256) > > [keycloak-adapter-core-1.0-beta-1-SNAPSHOT.jar:] > > > > at > > > org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:205) > > [keycloak-adapter-core-1.0-beta-1-SNAPSHOT.jar:] > > > > at > > > org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:59) > > [keycloak-adapter-core-1.0-beta-1-SNAPSHOT.jar:] > > > > at > > > org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:38) > > [keycloak-undertow-adapter-1.0-beta-1-SNAPSHOT.jar:] > > > > at > > > io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:281) > > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:298) > > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:268) > > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:131) > > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:106) > > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:99) > > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > io.undertow.security.handlers.AuthenticationCallHandler.handleRequest(AuthenticationCallHandler.java:50) > > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) > > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) > > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61) > > [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) > > [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) > > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) > > [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) > > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) > > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > > > > at > > > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) > > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:54) > > [keycloak-undertow-adapter-1.0-beta-1-SNAPSHOT.jar:] > > > > at > > > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) > > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) > > [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) > > [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) > > [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) > > [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] > > > > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:168) > > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > > > at > > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:687) > > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > > [rt.jar:1.7.0_45] > > > > at > > > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > > [rt.jar:1.7.0_45] > > > > at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_45] > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140509/5e2c7164/attachment-0001.html From conrad at mindless.com Sat May 10 08:05:02 2014 From: conrad at mindless.com (Conrad Winchester) Date: Sat, 10 May 2014 13:05:02 +0100 Subject: [keycloak-user] Pointers Please Message-ID: <0D975D36-47D4-4454-BB25-653FAF8D8BF1@mindless.com> Hi guys, first of all thank you for making keycloak. I am developing a new restful back-end for a mobile app and I wanted it to support Oauth 2 and social login, and it looks like keycloak seems to fit the bill. Both key cloak and my app are sitting inside the same Wildfly container, and I have set up a realm and roles etc? I could do with a few pointers though, because we are a native app and want to avoid directing to web pages if possible. I am trawling through the hours of video, and haven?t found answers yet, but would like to know if the following is possible. 1) Register a new user by REST from a mobile application - Any pointers to an example or description of how to do this please. 2) Login and get a token directly from the auth server for the user of the mobile app by using a grant type of password (i.e. no web page redirection involved)? Any pointers to an example or description of how to do this please. 3) Any pointers on how to link the Keycloak user to the user of my application (which will contain information pertinent to that user not stored in keycloak) - how do I do that at the time of registration? I know its a pain to get these basic questions, and I hope they are not asked too regularly, but any help would be greatly appreciated. Conrad From jim.boettcher at hp.com Sat May 10 22:00:44 2014 From: jim.boettcher at hp.com (Boettcher, Jim) Date: Sun, 11 May 2014 02:00:44 +0000 Subject: [keycloak-user] How to set up CORS for javascript calling a REST app In-Reply-To: <536D4AC2.5010905@redhat.com> References: <567C02B1AFF42E499D63011F4C931ABE22CCACD4@G5W2731.americas.hpqcorp.net> <536813C3.2030207@redhat.com> <1200899652.1346715.1399366478548.JavaMail.zimbra@redhat.com> <567C02B1AFF42E499D63011F4C931ABE240ECB6E@G5W2731.americas.hpqcorp.net> <536D4AC2.5010905@redhat.com> Message-ID: <567C02B1AFF42E499D63011F4C931ABE240EDC1B@G5W2731.americas.hpqcorp.net> Keycloak is deployed on localhost port 8080. The gui-app is deployed on myhost.domain.com/gui-app The rest-app is deployed on myhost.domain.com/rest-app The XHR origin is myhost.domain.com/gui-app. This app is setup and configured to use the as7-adapter installed as a JBoss module. The XHR request made to the rest-app is a GET request (I tried POST and got same error). The rest-app is also set up and configured to use the as7-adapter. The XHR request to the rest-app is intercepted by the adapter which attempts to get an access code from the Keycloak server which it would then exchange for an access token. The adapter on the rest-app fails after it receives the redirected response from Keycloak with the access code. It tries to send a redirect response with the access code stripped off but this fails as explained before. -----Original Message----- From: Bill Burke [mailto:bburke at redhat.com] Sent: Friday, May 09, 2014 5:38 PM To: Boettcher, Jim; Stian Thorgersen Cc: keycloak-user at lists.jboss.org Subject: Re: How to set up CORS for javascript calling a REST app I want to reproduce your setup as a CORS example. So your setup is? 1. Keycloak deployed on auth.domain.com 2. gui-app deployed on gui.domain.com 3. rest-app deployed on rest-app.domain.com Is that right? The XHR's origin is "gui.domain.com" correct? This request to rest-app is made using the access token (bearer auth)? Just curious, how do you obtain the access token? If that is correct, I'll put together an example that you can try out within master. On 5/9/2014 5:23 PM, Boettcher, Jim wrote: > Here is some more information on my problem. > I have done a local build with the source from 5/8/2014. > I deployed the auth-server to JBoss 7.1.1 running at localhost:8080 > I deployed the as7-adapter to JBoss 7.1.1 running at myhost.net:7116 > I have 2 applications running on the server at myhost.net:7116 > 1. gui-app - a jsp that uses Angular.js to make an Ajax call to a REST service in rest-app > 2. rest-app - a REST service > Both the gui-app and rest-app are configured to be secured by the auth-server. > > When the jsp from gui-app is requested it will get redirected to the auth-server and get the login form and successfully login. I can see the KEYCLOAK_IDENTITY cookie set and get the access code and exchange the access code for an access token. Everything looks good. > > When the Ajax request is made to the rest-app the problems start. > First of all for the Anguar.js config I had to set $httpProvider.defaults.withCredentials = true or the KEYCLOAK_IDENTITY cookie would not get sent when the request was redirected to the auth-server. > In the Cors.build() method the origin value from the request is null so none of this code executes. This may be because I have the auth-server and my apps on different instances of JBoss with different domains. > Also since I have already successfully logged in (with the call from the jsp) the method that gets called is in OAuthFlows. redirectAccessCode (). This method does not set any of the Access-Control-Allow-* methods and I get an error in the browser console: > XMLHttpRequest cannot load http://localhost:8080/auth/realms/demo/tokens/login?client_id=rest-app&redi?backuptypeoption&state=9%2F17236f38-06ff-4fe7-a44d-4ddaaf7fb048&login=true. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://myhost.net:7116' is therefore not allowed access. > > If I modify the code to add the Access-Control-Allow-* headers to the response, I get further along. Now the redirect with the access code get processed by the adapter. When the adapter strips the access code and sends back a redirect response without the access code it does not add the Access-Control-Allow-* headers so this fails with the error: > XMLHttpRequest cannot load https://myhost.net:7116/rest-app/restws/backupt?FHbNf0z2R0hVsU6QBMamaEVUvtQ&state=5%2F31a2cfc8-3250-4270-8e01-026bbfd0f243. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access. > > Modifying the adapter to add the Access-Control-Allow-* for this redirect response gets a little further. Now the problem is that the Origin=null in the request header and I get this error: > XMLHttpRequest cannot load https://myhost.net:7116/rest-app/restws/backupt?5LL8dP6-ZEEE_t1fLf-OrJBTM6M&state=7%2F602fb48a-216e-47d9-a10a-d142a7250987. The 'Access-Control-Allow-Origin' header has a value 'https://myhost.net:7116' that is not equal to the supplied origin. Origin 'null' is therefore not allowed access. > > I tried to set the Access-Control-Allow-Origin = * to get around this null issue, but then I get an error: > A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'null' is therefore not allowed access. > But I have to set the credentials flag to true in order to get the KEYCLOAK_IDENTITY cookie to be sent. > > Can you look into these problems and let me know if there is a way to get this working for the applications that I have? > > Thanks > -Jim > > -----Original Message----- > From: Boettcher, Jim > Sent: Tuesday, May 06, 2014 8:31 AM > To: 'Stian Thorgersen'; Bill Burke > Cc: keycloak-user at lists.jboss.org > Subject: RE: How to set up CORS for javascript calling a REST app > > I first tried with the Alpa-3 release. > I then did a build with latest source and deployed the auth-server.war and the keycloak-as7-adapter module. I still have the same problem with the latest source. > > I also noticed that with the latest source running on JBoss 7.1.1 when I tried to import a realm I get this error: > Caused by: java.lang.NoSuchMethodError: org.jboss.resteasy.plugins.providers.multipart.InputPart.setMediaType(Ljavax/ws/rs/core/MediaType;)V > at org.keycloak.services.resources.admin.RealmsAdminResource.uploadRealm(RealmsAdminResource.java:132) [keycloak-services-1.0-beta-1-SNAPSHOT.jar:] > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_45] > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_45] > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_45] > at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_45] > at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:155) [resteasy-jaxrs-2.3.2.Final.jar:] > at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:257) [resteasy-jaxrs-2.3.2.Final.jar:] > at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:222) [resteasy-jaxrs-2.3.2.Final.jar:] > at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:152) [resteasy-jaxrs-2.3.2.Final.jar:] > at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:91) [resteasy-jaxrs-2.3.2.Final.jar:] > at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:525) [resteasy-jaxrs-2.3.2.Final.jar:] > > Jim > > > -----Original Message----- > From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Stian Thorgersen > Sent: Tuesday, May 06, 2014 4:55 AM > To: Bill Burke > Cc: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] How to set up CORS for javascript calling a REST app > > I added some fixes to CORS in the adapters that haven't made it into a release yet. Have you tried with building the server from source? > > ----- Original Message ----- >> From: "Bill Burke" >> To: keycloak-user at lists.jboss.org >> Sent: Monday, 5 May, 2014 11:42:11 PM >> Subject: Re: [keycloak-user] How to set up CORS for javascript calling >> a REST app >> >> You are using the latest release? I'll take a look. I don't have any >> unit tests for the CORs stuff in the last alpha release (have some in >> trunk though) and I don't think I tested it manually either. >> >> On 5/5/2014 3:41 PM, Boettcher, Jim wrote: >>> Hi, >>> >>> I?m trying to get CORS working for a javascript app. The javascript >>> app >>> (gui_app) is making AJAX requests to a different REST app (rest_app). >>> >>> In the Keycloak admin console I created an application for the >>> rest_app application and set a Web Origin of ?*? . I then copied the >>> Installation for Jboss Subsystem XML to the standalone.xml of the >>> JBoss 7.1.1 server that the rest_app is running on. I modified the >>> configuration to add >>> >>> true >>> >>> When I try to open the gui_app from Chrome I get errors like: >>> >>> XMLHttpRequest cannot load >>> http://localhost:8080/auth/rest/realms/dp-gui/tokens/login?client_id=rest_app&redirect_uri=https%3A%2F%2Flocalhost%3A7116%2Frest_app%2Frestws%2Ftimezone&state=3%2F502272ab-ab8f-4d9e-b8ea-4484a81de15c&login=true. >>> No 'Access-Control-Allow-Origin' header is present on the requested >>> resource. Origin 'https://localhost:7116' is therefore not allowed access. >>> >>> I?ve tried playing with various settings but can?t get anything to work. >>> >>> Is there an example available for how to get this to work? >>> >>> Is there anything else that needs to be done on the Keycloak server >>> side? Or on the Adapter side? >>> >>> Thanks, >>> >>> Jim >>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From smysnk at gmail.com Sun May 11 01:29:38 2014 From: smysnk at gmail.com (Josh) Date: Sat, 10 May 2014 23:29:38 -0600 Subject: [keycloak-user] failed verification of token Message-ID: Hi, Running KeyCloak alpha 4 on Wildfly 8.1.0.CR1. I'm currently trying to get the bundled examples working but having a hell of a time doing so. I have my domain setup, domain roles configured, application scope configured, keycloak.json in WEB-INF, web.xml set to KEYCLOAK. When I go to access the "Customer Listings" of customer-portal.war it redirects me to keycloak login, after I successfully login with valid user with "user" role. Once the keycloak server redirects back to the application I am greeted with a "Forbidden" page. Here are my logs: [0m[32m23:22:58,030 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-7) adminRequest http://localhost:8080/customer-portal/customers/view.jsp [0m[32m23:22:58,030 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-7) checkCorsPreflight http://localhost:8080/customer-portal/customers/view.jsp [0m[0m23:22:58,031 INFO [org.keycloak.adapters.RequestAuthenticator] (default task-7) --> authenticate() [0m[0m23:22:58,031 INFO [org.keycloak.adapters.RequestAuthenticator] (default task-7) try bearer [0m[0m23:22:58,032 INFO [org.keycloak.adapters.RequestAuthenticator] (default task-7) try oauth [0m[0m23:22:58,032 INFO [org.keycloak.adapters.RequestAuthenticator] (default task-7) session was null, returning null [0m[0m23:22:58,032 INFO [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-7) there was no code [0m[0m23:22:58,032 INFO [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-7) redirecting to auth server [0m[0m23:22:58,032 INFO [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-7) sending redirect uri: http://localhost:8080/customer-portal/customers/view.jsp [0m[32m23:22:58,125 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-8) adminRequest http://localhost:8080/customer-portal/customers/view.jsp?code=eyJhbGciOiJSUzI1NiJ9.NWRkZjJjZmYtNTJhNi00YzRhLWI2N2QtNzcwYjU4ZjRkYTFmMTM5OTc4NTM2NzYyNg.VZ713boG0lvc9Qq5Su3QLYITgHknYGKBcc0NYyGEoIou__cEWwUEcGGnQB4_HAW8RNko1gwVNtgY08NJfxWCubCzPqhkJBsO5ywDJDqBj1sps19wnSmLNWac3wSHfm9O5c-_YxKi3XmhjHtQXl7AWnBhcn8zgI1-yBAFB4pPD7w0cv3DE36xUt2fRuBWud9iHzwTDl0iEhMkZP9r9VtqJee8WByaLlkCir7HOFLjzN-ZReEwacFR86ra_eD6TJdb1gb_L5-SL2IAl6mpMo-JnJP0fwx90VbXnx8yVdviO_-DeRdneUmrOWZPawU_DPt4FHdoaffAMdZQM-9b2dv79A&state=2%2F058bc8d1-d621-4f4e-9afa-6608f522c7bb [0m[32m23:22:58,125 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-8) checkCorsPreflight http://localhost:8080/customer-portal/customers/view.jsp?code=eyJhbGciOiJSUzI1NiJ9.NWRkZjJjZmYtNTJhNi00YzRhLWI2N2QtNzcwYjU4ZjRkYTFmMTM5OTc4NTM2NzYyNg.VZ713boG0lvc9Qq5Su3QLYITgHknYGKBcc0NYyGEoIou__cEWwUEcGGnQB4_HAW8RNko1gwVNtgY08NJfxWCubCzPqhkJBsO5ywDJDqBj1sps19wnSmLNWac3wSHfm9O5c-_YxKi3XmhjHtQXl7AWnBhcn8zgI1-yBAFB4pPD7w0cv3DE36xUt2fRuBWud9iHzwTDl0iEhMkZP9r9VtqJee8WByaLlkCir7HOFLjzN-ZReEwacFR86ra_eD6TJdb1gb_L5-SL2IAl6mpMo-JnJP0fwx90VbXnx8yVdviO_-DeRdneUmrOWZPawU_DPt4FHdoaffAMdZQM-9b2dv79A&state=2%2F058bc8d1-d621-4f4e-9afa-6608f522c7bb [0m[0m23:22:58,126 INFO [org.keycloak.adapters.RequestAuthenticator] (default task-8) --> authenticate() [0m[0m23:22:58,126 INFO [org.keycloak.adapters.RequestAuthenticator] (default task-8) try bearer [0m[0m23:22:58,126 INFO [org.keycloak.adapters.RequestAuthenticator] (default task-8) try oauth [0m[0m23:22:58,126 INFO [org.keycloak.adapters.RequestAuthenticator] (default task-8) session was null, returning null [0m[0m23:22:58,126 INFO [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-8) there was a code, resolving [0m[0m23:22:58,126 INFO [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-8) checking state cookie for after code [0m[0m23:22:58,126 INFO [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-8) ** reseting application state cookie [0m[32m23:22:58,128 DEBUG [org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager] (default task-8) Get connection: {}->http://localhost:8083, timeout = 0 [0m[32m23:22:58,128 DEBUG [org.apache.http.impl.conn.tsccm.ConnPoolByRoute] (default task-8) [{}-> http://localhost:8083] total kept alive: 1, total issued: 0, total allocated: 1 out of 20 [0m[32m23:22:58,128 DEBUG [org.apache.http.impl.conn.tsccm.ConnPoolByRoute] (default task-8) Getting free connection [{}->http://localhost:8083][null] [0m[32m23:22:58,128 DEBUG [org.apache.http.impl.client.DefaultHttpClient] (default task-8) Stale connection check [0m[32m23:22:58,130 DEBUG [org.apache.http.client.protocol.RequestAddCookies] (default task-8) CookieSpec selected: best-match [0m[32m23:22:58,130 DEBUG [org.apache.http.client.protocol.RequestAuthCache] (default task-8) Auth cache not set in the context [0m[32m23:22:58,130 DEBUG [org.apache.http.client.protocol.RequestProxyAuthentication] (default task-8) Proxy auth state: UNCHALLENGED [0m[32m23:22:58,130 DEBUG [org.apache.http.impl.client.DefaultHttpClient] (default task-8) Attempt 1 to execute request [0m[32m23:22:58,130 DEBUG [org.apache.http.impl.conn.DefaultClientConnection] (default task-8) Sending request: POST /auth/rest/realms/demo/tokens/access/codes HTTP/1.1 [0m[32m23:22:58,131 DEBUG [org.apache.http.wire] (default task-8) >> "POST /auth/rest/realms/demo/tokens/access/codes HTTP/1.1[\r][\n]" [0m[32m23:22:58,131 DEBUG [org.apache.http.wire] (default task-8) >> "Authorization: Basic Y3VzdG9tZXItcG9ydGFsOjQxMmU1NzUzLWZiMTAtNGViMS05NjAzLTQzOWY5ZTdkZjZkOA==[\r][\n]" [0m[32m23:22:58,131 DEBUG [org.apache.http.wire] (default task-8) >> "Content-Length: 549[\r][\n]" [0m[32m23:22:58,131 DEBUG [org.apache.http.wire] (default task-8) >> "Content-Type: application/x-www-form-urlencoded; charset=UTF-8[\r][\n]" [0m[32m23:22:58,131 DEBUG [org.apache.http.wire] (default task-8) >> "Host: localhost:8083[\r][\n]" [0m[32m23:22:58,131 DEBUG [org.apache.http.wire] (default task-8) >> "Connection: Keep-Alive[\r][\n]" [0m[32m23:22:58,131 DEBUG [org.apache.http.wire] (default task-8) >> "[\r][\n]" [0m[32m23:22:58,131 DEBUG [org.apache.http.headers] (default task-8) >> POST /auth/rest/realms/demo/tokens/access/codes HTTP/1.1 [0m[32m23:22:58,131 DEBUG [org.apache.http.headers] (default task-8) >> Authorization: Basic Y3VzdG9tZXItcG9ydGFsOjQxMmU1NzUzLWZiMTAtNGViMS05NjAzLTQzOWY5ZTdkZjZkOA== [0m[32m23:22:58,131 DEBUG [org.apache.http.headers] (default task-8) >> Content-Length: 549 [0m[32m23:22:58,131 DEBUG [org.apache.http.headers] (default task-8) >> Content-Type: application/x-www-form-urlencoded; charset=UTF-8 [0m[32m23:22:58,131 DEBUG [org.apache.http.headers] (default task-8) >> Host: localhost:8083 [0m[32m23:22:58,131 DEBUG [org.apache.http.headers] (default task-8) >> Connection: Keep-Alive [0m[32m23:22:58,132 DEBUG [org.apache.http.wire] (default task-8) >> "grant_type=authorization_code&code=eyJhbGciOiJSUzI1NiJ9.NWRkZjJjZmYtNTJhNi00YzRhLWI2N2QtNzcwYjU4ZjRkYTFmMTM5OTc4NTM2NzYyNg.VZ713boG0lvc9Qq5Su3QLYITgHknYGKBcc0NYyGEoIou__cEWwUEcGGnQB4_HAW8RNko1gwVNtgY08NJfxWCubCzPqhkJBsO5ywDJDqBj1sps19wnSmLNWac3wSHfm9O5c-_YxKi3XmhjHtQXl7AWnBhcn8zgI1-yBAFB4pPD7w0cv3DE36xUt2fRuBWud9iHzwTDl0iEhMkZP9r9VtqJee8WByaLlkCir7HOFLjzN-ZReEwacFR86ra_eD6TJdb1gb_L5-SL2IAl6mpMo-JnJP0fwx90VbXnx8yVdviO_-DeRdneUmrOWZPawU_DPt4FHdoaffAMdZQM-9b2dv79A&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcustomer-portal%2Fcustomers%2Fview.jsp" [0m[32m23:22:58,161 DEBUG [org.apache.http.wire] (default task-8) << "HTTP/1.1 200 OK[\r][\n]" [0m[32m23:22:58,162 DEBUG [org.apache.http.wire] (default task-8) << "Connection: keep-alive[\r][\n]" [0m[32m23:22:58,162 DEBUG [org.apache.http.wire] (default task-8) << "X-Powered-By: Undertow 1[\r][\n]" [0m[32m23:22:58,162 DEBUG [org.apache.http.wire] (default task-8) << "Server: Wildfly 8[\r][\n]" [0m[32m23:22:58,162 DEBUG [org.apache.http.wire] (default task-8) << "Transfer-Encoding: chunked[\r][\n]" [0m[32m23:22:58,162 DEBUG [org.apache.http.wire] (default task-8) << "Content-Type: application/json[\r][\n]" [0m[32m23:22:58,162 DEBUG [org.apache.http.wire] (default task-8) << "Date: Sun, 11 May 2014 05:16:07 GMT[\r][\n]" [0m[32m23:22:58,162 DEBUG [org.apache.http.wire] (default task-8) << "[\r][\n]" [0m[32m23:22:58,162 DEBUG [org.apache.http.impl.conn.DefaultClientConnection] (default task-8) Receiving response: HTTP/1.1 200 OK [0m[32m23:22:58,162 DEBUG [org.apache.http.headers] (default task-8) << HTTP/1.1 200 OK [0m[32m23:22:58,162 DEBUG [org.apache.http.headers] (default task-8) << Connection: keep-alive [0m[32m23:22:58,162 DEBUG [org.apache.http.headers] (default task-8) << X-Powered-By: Undertow 1 [0m[32m23:22:58,162 DEBUG [org.apache.http.headers] (default task-8) << Server: Wildfly 8 [0m[32m23:22:58,162 DEBUG [org.apache.http.headers] (default task-8) << Transfer-Encoding: chunked [0m[32m23:22:58,162 DEBUG [org.apache.http.headers] (default task-8) << Content-Type: application/json [0m[32m23:22:58,163 DEBUG [org.apache.http.headers] (default task-8) << Date: Sun, 11 May 2014 05:16:07 GMT [0m[32m23:22:58,163 DEBUG [org.apache.http.impl.client.DefaultHttpClient] (default task-8) Connection can be kept alive indefinitely [0m[32m23:22:58,163 DEBUG [org.apache.http.wire] (default task-8) << "08bd[\r][\n]" {"access_token":"eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJlYTBjZTliNS1kMWY2LTQ4YjUtODc3Ny04ZDIwNGU2ZjU5YjMiLCJleHAiOjEzOTk3ODU2NjcsIm5iZiI6MCwiaWF0IjoxMzk5Nzg1MzY3LCJpc3MiOiJiaWdnZXJiZWFyIiwiYXVkIjoiYmlnZ2VyYmVhciIsInN1YiI6IjQ5M2I5Yzk2LWFhNzMtNGRhZi1iZWYwLTM5Y2FiMDVkY2YxZCIsImF6cCI6ImN1c3RvbWVyLXBvcnRhbCIsInByZWZlcnJlZF91c2VybmFtZSI6InNteXNuayIsImFsbG93ZWQtb3JpZ2lucyI6W10sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJ1c2VyIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnt9fQ.b959FHRFh5coZeJw5su_SS4fjZ5R9cB5m_Tg93Xtu_Cw38ghqkL1bQaY0CwN-3ZBUNw9uuTMxWsIwHMzqU2rGcCCnj1Bx85L6QPQQuexvYA02Kc_8A6qmVwpOCu5mXy6FtRAvIB2LA260v7IS7zIQqqEopMo6TI45tpDUJaJDnzxKrtfPiGpQE_Y3hvs8k_KYDN9jqH9lSXPi7ZY4-kYeMQbXm6viOIDZ3QQirjpsOHwOYJs2tp5ct1W7TYc_JFLRKOhWiptGnv0dcLivASNCgREiHzPD_8MC8TarqXJ2mZ7oBx7gBXXXyUVdFjR7j9OTMNqHZfEsjU97lh0zuoImQ","expires_in":300,"refresh_token":"eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiIzYjVhNDFiZi00Y2FlLTQwYTMtOTJlYS1hYWY3OGJlOWMxZmYiLCJleHAiOjEzOTk4MjEzNjcsIm5iZiI6MCwiaWF0IjoxMzk5Nzg1MzY3LCJpc3MiOiJiaWdnZXJiZWFyIiwic3ViIjoiNDkzYjljOTYtYWE3My00ZGFmLWJlZjAtMzljYWIwNWRjZjFkIiwidHlwIjoiUkVGUkVTSCIsImF6cCI6ImN1c3RvbWVyLXBvcnRhbCIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJ1c2VyIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnt9fQ.FPueXowyHa7vcREfxMEsWh7JKfTkDgtbEaS_0AYPJFEsv1rF8JvWAaiW6FDkU1a8fDKYbTrr7TbxmQS7PJQBZcDAoSkYM2LE5W0O_yk9jF41jwMkS-Go4VwwNm28stlwVDH_LRG1yRyozQdK8b5Q3FzaES7yLklDGi5PARFt8WBTW2Jb_phjUk0HRDqEakxnHj0x-zUkQASfqNFyE_yQo1g6xwiLSkxGnRDuzfUb6iiJ6ZzYyNYcyiiSGGUF9duzHuGOW8ahWUqQZr9YaL1RQR-uOB_EfrJ2L-5lLLMF8ZsDE7VRLfr66vWaER1hx3C_95wOzZg16rhz3UmZOEfsQg","token_type":"bearer","id_token":"eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI5ODEzYmEyNy01MmUwLTRhZjMtOWY5Ny0yNDNjOTVmNmQxMWYiLCJleHAiOjEzOTk3ODU2NjcsIm5iZiI6MCwiaWF0IjoxMzk5Nzg1MzY3LCJpc3MiOiJiaWdnZXJiZWFyIiwiYXVkIjoiYmlnZ2VyYmVhciIsInN1YiI6IjQ5M2I5Yzk2LWFhNzMtNGRhZi1iZWYwLTM5Y2FiMDVkY2YxZCIsImF6cCI6ImN1c3RvbWVyLXBvcnRhbCIsInByZWZlcnJlZF91c2VybmFtZSI6InNteXNuayJ9.AghauR6v63SLqna4jBERvRL-Lzl0j0PaHqprr1qZSt7qQ6jLtXHQVfuUAoU1nAWBb3MWcNmA13_BIvT7nsqTZEadfgJJxvYrOI-omvEhy0OGfmYP2r1rtK6ijc2anxzf4G3J15p87Zekf498ccGaKzFIpyP70XwCWeA5zzZkrYgnbJrpOdENIkYIE__OOooX_bwZxIQZgEoucD12QQFprcuUDnRzSbg0yS-2kVTqJUdigqAP1ANGACLrXC-SNDyNhrgasspGanabBmdFvOeCgMMbIrm4BjSQa948dRwHkUC3zcjX5URi4hjQfmoe-QH0Phl9jKlCEtjr8gir0TvIPQ","not-before-policy":0}[0m[32m23:22:58,315 DEBUG [org.apache.http.wire] (default task-8) << "[\r][\n]" [0m[32m23:22:58,315 DEBUG [org.apache.http.wire] (default task-8) << "0[\r][\n]" [0m[32m23:22:58,315 DEBUG [org.apache.http.wire] (default task-8) << "[\r][\n]" [0m[32m23:22:58,315 DEBUG [org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager] (default task-8) Released connection is reusable. [0m[32m23:22:58,315 DEBUG [org.apache.http.impl.conn.tsccm.ConnPoolByRoute] (default task-8) Releasing connection [{}->http://localhost:8083][null] [0m[32m23:22:58,315 DEBUG [org.apache.http.impl.conn.tsccm.ConnPoolByRoute] (default task-8) Pooling connection [{}->http://localhost:8083][null]; keep alive indefinitely [0m[32m23:22:58,315 DEBUG [org.apache.http.impl.conn.tsccm.ConnPoolByRoute] (default task-8) Notifying no-one, there are no waiting threads [0m[31m23:22:58,318 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-8) failed verification of token [0m[32m23:23:00,262 DEBUG [org.jboss.ejb.client.txn] (Periodic Recovery) Send recover request for transaction origin node identifier 1 to EJB receiver with node name joshuas-macbook-pro [0m[32m23:23:05,995 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-9) adminRequest http://localhost:8080/customer-portal/customers/view.jsp?code=eyJhbGciOiJSUzI1NiJ9.NWRkZjJjZmYtNTJhNi00YzRhLWI2N2QtNzcwYjU4ZjRkYTFmMTM5OTc4NTM2NzYyNg.VZ713boG0lvc9Qq5Su3QLYITgHknYGKBcc0NYyGEoIou__cEWwUEcGGnQB4_HAW8RNko1gwVNtgY08NJfxWCubCzPqhkJBsO5ywDJDqBj1sps19wnSmLNWac3wSHfm9O5c-_YxKi3XmhjHtQXl7AWnBhcn8zgI1-yBAFB4pPD7w0cv3DE36xUt2fRuBWud9iHzwTDl0iEhMkZP9r9VtqJee8WByaLlkCir7HOFLjzN-ZReEwacFR86ra_eD6TJdb1gb_L5-SL2IAl6mpMo-JnJP0fwx90VbXnx8yVdviO_-DeRdneUmrOWZPawU_DPt4FHdoaffAMdZQM-9b2dv79A&state=2%2F058bc8d1-d621-4f4e-9afa-6608f522c7bb [0m[32m23:23:05,996 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-9) checkCorsPreflight http://localhost:8080/customer-portal/customers/view.jsp?code=eyJhbGciOiJSUzI1NiJ9.NWRkZjJjZmYtNTJhNi00YzRhLWI2N2QtNzcwYjU4ZjRkYTFmMTM5OTc4NTM2NzYyNg.VZ713boG0lvc9Qq5Su3QLYITgHknYGKBcc0NYyGEoIou__cEWwUEcGGnQB4_HAW8RNko1gwVNtgY08NJfxWCubCzPqhkJBsO5ywDJDqBj1sps19wnSmLNWac3wSHfm9O5c-_YxKi3XmhjHtQXl7AWnBhcn8zgI1-yBAFB4pPD7w0cv3DE36xUt2fRuBWud9iHzwTDl0iEhMkZP9r9VtqJee8WByaLlkCir7HOFLjzN-ZReEwacFR86ra_eD6TJdb1gb_L5-SL2IAl6mpMo-JnJP0fwx90VbXnx8yVdviO_-DeRdneUmrOWZPawU_DPt4FHdoaffAMdZQM-9b2dv79A&state=2%2F058bc8d1-d621-4f4e-9afa-6608f522c7bb [0m[0m23:23:05,996 INFO [org.keycloak.adapters.RequestAuthenticator] (default task-9) --> authenticate() [0m[0m23:23:05,996 INFO [org.keycloak.adapters.RequestAuthenticator] (default task-9) try bearer [0m[0m23:23:05,996 INFO [org.keycloak.adapters.RequestAuthenticator] (default task-9) try oauth [0m[0m23:23:05,997 INFO [org.keycloak.adapters.RequestAuthenticator] (default task-9) session was null, returning null [0m[0m23:23:05,997 INFO [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-9) there was a code, resolving [0m[0m23:23:05,997 INFO [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-9) checking state cookie for after code [0m[33m23:23:05,997 WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-9) No state cookie [ Any help would be appreciated, thank you! - Josh -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140510/2882d830/attachment-0001.html From ungarida at gmail.com Sun May 11 16:19:31 2014 From: ungarida at gmail.com (Davide Ungari) Date: Sun, 11 May 2014 22:19:31 +0200 Subject: [keycloak-user] MongoDB - Model provider not found Message-ID: Hi everybody, I'm using Mongo as database and it was working fine. I'm building from source auth-server.war and after update to HEAD now I'm getting this error at startup: Caused by: java.lang.RuntimeException: Model provider not found at org.keycloak.services.resources.KeycloakApplication.createSessionFactory(KeycloakApplication.java:131) at org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:73) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) [rt.jar:1.7.0_51] at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) [rt.jar:1.7.0_51] at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) [rt.jar:1.7.0_51] at java.lang.reflect.Constructor.newInstance(Constructor.java:526) [rt.jar:1.7.0_51] at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:148) ... 15 more Any ideas? -- Davide -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140511/94d979b8/attachment.html From delkant at gmail.com Sun May 11 19:45:45 2014 From: delkant at gmail.com (Rodrigo Del Canto) Date: Sun, 11 May 2014 19:45:45 -0400 Subject: [keycloak-user] Unable to add Realm Message-ID: Hi Guys, I was using keycloak 1.0-alpha-4 to test it and do very basic authentication,in that way I was able to win some time and continuing the development of my app. Today I decided to try to build the last code/version and deploy it. After checked the code out I did: mvn clean install and mvn package, I made the changes to point the DS to a mysql db I'm using... and then deployed the war.. no issues so far. Then I logged in with admin/admin change the password and tried to add a new Realm but is not working, the new realm is listed in the left menu but I cannot change the settings. Is this a bug? Am I missing something? Thanks, Rodrigo. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140511/f1319f90/attachment.html From smysnk at gmail.com Mon May 12 03:06:43 2014 From: smysnk at gmail.com (Josh) Date: Mon, 12 May 2014 01:06:43 -0600 Subject: [keycloak-user] ERR_INCOMPLETE_CHUNKED_ENCODING Message-ID: Hi, Another weird problem I seem to be having is I am getting intermittent errors from web resources served from the auth-server.war. If I refresh the admin console enough times it seems to eventually correct itself. ie. GET http://localhost:8083/auth/theme/login/patternfly/lib/zocial/zocial.cssnet::ERR_INCOMPLETE_CHUNKED_ENCODING Using Wildfly: 8.1.0.CR1 Both alpha4, beta1 have this problem. Any ideas? - Josh -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140512/655fb345/attachment.html From n.preusker at gmail.com Mon May 12 05:38:39 2014 From: n.preusker at gmail.com (Nils Preusker) Date: Mon, 12 May 2014 11:38:39 +0200 Subject: [keycloak-user] bootstrapping of keycloak for integration testing In-Reply-To: References: <53576AFC.7000400@redhat.com>

<97025869.9379494.1398250729890.JavaMail.zimbra@redhat.com> <7BD4B3DB-8409-4F9F-9CB1-DCAAF19DBE65@gmail.com> Message-ID: Hi, any news on KEYCLOAK-425 ? Cheers, Nils On Thu, Apr 24, 2014 at 5:05 PM, Nils Preusker wrote: > Hi guys, > > just a quick question about https://issues.jboss.org/browse/KEYCLOAK-425(keycloak-wildfly-adapter-dist-1.0-alpha-3.zip not in JBoss Maven > Repository). Would you agree that this should be fixed/ the adapter should > be in the maven repo, or should I just create the keycloak wildfly adapter > myself with the maven dependency plugin in the build of my integration test > project? > > If you are planning to fix it, can you give an estimate when it will be > available? > > Cheers, > Nils > > > On Wed, Apr 23, 2014 at 1:12 PM, Nils Preusker wrote: > >> Great, thanks for the link Stian! >> >> -- >> Blog: www.nilspreusker.de >> >> > On Apr 23, 2014, at 12:58, Stian Thorgersen wrote: >> > >> > In the future we may move our testsuite to Arquillian, as this makes it >> possible for us to test the actual distribution of Keycloak (on WildFly) >> rather than a "custom" server. >> > >> > For testing bearer-only services, you're right the simplest solution >> would be to just create tokens manually. Have a look at >> https://github.com/liveoak-io/liveoak/blob/master/modules/keycloak/src/test/java/io/liveoak/keycloak/TokenUtil.java, >> which does exactly that. >> > >> > ----- Original Message ----- >> >> From: "Nils Preusker" >> >> To: keycloak-user at lists.jboss.org >> >> Sent: Wednesday, 23 April, 2014 11:43:56 AM >> >> Subject: Re: [keycloak-user] bootstrapping of keycloak for integration >> testing >> >> >> >> Another question regarding keycloak artifacts in maven, shouldn't >> >> "keycloak-wildfly-adapter-dist" also be available? At least this would >> make >> >> it much easier to create a maven configuration that bootstraps a >> Wildfly >> >> instance with the keycloak adapter. >> >> >> >> I've looked at the integration test suite and find the approach quite >> nice. >> >> However, in order to re-use it I would currently have to duplicate >> most of >> >> the code (KeycloakServer, AbstractKeycloakRule etc.) since it is in >> the test >> >> directory of the keycloak-testsuite-integration module. >> >> >> >> So I thought I'd do the following: >> >> >> >> * create an integration-test module >> >> * bootstrap Wildfly with the wildfly adapter installed with the >> >> maven-dependency-plugin and maven-resources-plugin (currently >> struggling >> >> with the missing artifacts in the repo here so I installed it locally >> for >> >> now...) >> >> * deploy the auth-server.war/ keycloak-server.war and the archives I >> want to >> >> test in an arquillian test case (@Deploy...) >> >> >> >> That's where I'm at right now. I guess the next step would be to get >> the >> >> KeycloakSessionFactory in order to add a test realm programmatically. >> >> >> >> However, I just realized that it might be better (and easier) to just >> >> bootstrap an embedded Keycloak instance (no server, just the core >> services) >> >> and use it to create a test realm and create tokens that can be used >> in the >> >> test cases. After all, I just need a way to generate bearer tokens to >> make >> >> HTTP requests to the wars I would like to test. Any thoughts on how I >> could >> >> best accomplish that? >> >> >> >> Cheers, >> >> Nils >> >> >> >> >> >> >> >> >> >> On Wed, Apr 23, 2014 at 11:25 AM, Nils Preusker < n.preusker at gmail.com> >> >> wrote: >> >> >> >> >> >> >> >> Thanks Marek, I've created a JIRA issue about the missing war in the >> maven >> >> repo: https://issues.jboss.org/browse/KEYCLOAK-424 >> >> >> >> I'll have a look at the integration test suite and let you know what I >> came >> >> up with. >> >> >> >> Cheers, >> >> Nils >> >> >> >> >> >> On Wed, Apr 23, 2014 at 9:25 AM, Marek Posolda < mposolda at redhat.com> wrote: >> >> >> >> >> >> >> >> Hi Nils, >> >> >> >> >> >> On 22.4.2014 12:55, Nils Preusker wrote: >> >> >> >> >> >> >> >> Hi guys, >> >> >> >> I'm just setting up an integration test project for our application >> and I'm >> >> wondering what's the best way to bootstrap keycloak within it. >> >> >> >> I'm using arquillian for testing and I'm using the >> maven-dependency-plugin >> >> and maven-resources-plugin to put together a wildfly instance with the >> >> keycloak-wildfly-adapter. >> >> >> >> So far, that approach works nicely. However, I'm not quite sure yet >> how to go >> >> about >> >> >> >> * importing a realm and >> >> * creating a bearer/ access token to use in the test cases >> >> >> >> One approach would be to deploy the auth-server.war (is there a mvn >> >> repository to pull it from?), POST the realm to the respective URL of >> the >> >> admin console and do the authentication the same way (POST >> >> http://localhost:8080/auth/rest/realms/TestRealm/tokens/grants/access). >> >> Looks like it's not. The WAR is here just for Alpha1 >> >> >> https://repository.jboss.org/nexus/content/groups/public/org/keycloak/keycloak-server/1.0-alpha-1-12062013/ >> >> but not for later releases, which looks like a bug IMO. Can you create >> JIRA >> >> for it? I think it won't be bad if release will include all the >> artifacts >> >> including docs and distribution stuff (like WAR and full Wildfly >> appliance) >> >> >> >> >> >> >> >> >> >> >> >> Alternatively, I suppose I could deploy a small helper war or jar that >> >> accesses the core services of keycloak to import the realm and create >> test >> >> access tokens (some convenience method like "createLogin()" in a test >> >> utility that is deployed with shrink wrap maybe). >> >> >> >> Which option do you recommend or is there a third one that I'm missing? >> >> Maybe it will be interesting for you that we have integration testsuite >> >> https://github.com/keycloak/keycloak/tree/master/testsuite/integration. >> >> This testsuite is using embedded Undertow server and it >> programmatically >> >> deploys Keycloak server on it. You can take a look at KeycloakServer >> class >> >> and also at individual tests to see how it works. The point is that >> it's >> >> embedded, so test classes have access to KeycloakSessionFactory inside >> >> KeycloakSetup actions and so they can directly use the model API to >> setup >> >> needed things. >> >> >> >> For example in LoginTest, you can see that there is some setup action, >> which >> >> creates new user with usage of Keycloak model API: >> >> >> https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/forms/LoginTest.java#L54 >> >> and then there is selenium test, which verifies that this user is able >> to >> >> login: >> >> >> https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/forms/LoginTest.java#L114 >> >> >> >> Maybe you can reuse some parts of our testsuite and programmaticaly >> deploy >> >> Keycloak server in similar way like it's done here (not sure if it's >> >> possible with Arquillian+Shrinkwrap+Wildfly, but I assume that yes). >> If you >> >> still don't have access to Keycloak model API, you can maybe write some >> >> selenium utils, which will do needed setup in KC admin console UI... >> >> >> >> Another alternative might be that you will use 2 servers in your >> testsuite. >> >> Your wildfly server with adapter installed will be on localhost:8080 >> (you >> >> have it already running) and KC server will be on localhost:8081 (You >> can >> >> directly reuse our testsuite for setup this). >> >> >> >> Good luck and let me know if still having issues. Btw. we don't have >> any >> >> integration tests for admin console and real AS7 and Wildfly adapters >> AFAIK. >> >> So it would be nice if you can share your work once you have your >> testsuite >> >> up and running :-) >> >> >> >> Marek >> >> >> >> >> >> >> >> >> >> Cheers, >> >> Nils >> >> >> >> >> >> _______________________________________________ >> >> keycloak-user mailing list keycloak-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> >> >> >> >> >> >> _______________________________________________ >> >> keycloak-user mailing list >> >> keycloak-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140512/6b78f967/attachment-0001.html From bburke at redhat.com Mon May 12 10:24:32 2014 From: bburke at redhat.com (Bill Burke) Date: Mon, 12 May 2014 10:24:32 -0400 Subject: [keycloak-user] Pointers Please In-Reply-To: <0D975D36-47D4-4454-BB25-653FAF8D8BF1@mindless.com> References: <0D975D36-47D4-4454-BB25-653FAF8D8BF1@mindless.com> Message-ID: <5370D9A0.1030600@redhat.com> On 5/10/2014 8:05 AM, Conrad Winchester wrote: > Hi guys, > > first of all thank you for making keycloak. I am developing a new restful back-end for a mobile app and I wanted it to support Oauth 2 and social login, and it looks like keycloak seems to fit the bill. > > Both key cloak and my app are sitting inside the same Wildfly container, and I have set up a realm and roles etc? > > I could do with a few pointers though, because we are a native app and want to avoid directing to web pages if possible. I am trawling through the hours of video, and haven?t found answers yet, but would like to know if the following is possible. > > 1) Register a new user by REST from a mobile application - Any pointers to an example or description of how to do this please. Yes, the token service has a REST endpoint for registrations. You have to enable registrations in realm settings in the admin console though. /realms/{realm}/tokens/registrations Unfortunately this isn't documented yet. > 2) Login and get a token directly from the auth server for the user of the mobile app by using a grant type of password (i.e. no web page redirection involved)? Any pointers to an example or description of how to do this please. You can, but it currently requires the registration of a confidential client (Application or OAuth Client) in the admin console. /realms/{realm}/tokens/grants/access It uses Basic Authentication with the client_id and client secret. Then the username/password must be passed in as form parameters. Again, something we don't document yet. > 3) Any pointers on how to link the Keycloak user to the user of my application (which will contain information pertinent to that user not stored in keycloak) - how do I do that at the time of registration? > The IDToken/AccessToken instance you get has a "subject" attribute. This is the userId of the user in the keycloak database. You'd have to link this ID to the appropriate user in your database. > I know its a pain to get these basic questions, and I hope they are not asked too regularly, but any help would be greatly appreciated. > Any question is valid! Sorry we're behind on the documentation! Bill -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Mon May 12 10:31:34 2014 From: bburke at redhat.com (Bill Burke) Date: Mon, 12 May 2014 10:31:34 -0400 Subject: [keycloak-user] ERR_INCOMPLETE_CHUNKED_ENCODING In-Reply-To: References: Message-ID: <5370DB46.4030408@redhat.com> Not sure what that could be. Do you see any exceptions thrown on the server? On 5/12/2014 3:06 AM, Josh wrote: > Hi, > > Another weird problem I seem to be having is I am getting intermittent > errors from web resources served from the auth-server.war. If I refresh > the admin console enough times it seems to eventually correct itself. > > ie. > > GET > http://localhost:8083/auth/theme/login/patternfly/lib/zocial/zocial.css > net::ERR_INCOMPLETE_CHUNKED_ENCODING > > Using Wildfly: 8.1.0.CR1 > Both alpha4, beta1 have this problem. > > > Any ideas? > > - Josh > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Mon May 12 10:35:42 2014 From: bburke at redhat.com (Bill Burke) Date: Mon, 12 May 2014 10:35:42 -0400 Subject: [keycloak-user] bootstrapping of keycloak for integration testing In-Reply-To: References: <53576AFC.7000400@redhat.com>

<97025869.9379494.1398250729890.JavaMail.zimbra@redhat.com> <7BD4B3DB-8409-4F9F-9CB1-DCAAF19DBE65@gmail.com>

Message-ID: <5370DC3E.7060600@redhat.com> I don't know if it is kosher to do this. Need to ask our repo admins if it is ok to put up such a large distro in the maven repo. On 5/12/2014 5:38 AM, Nils Preusker wrote: > Hi, > > any news on KEYCLOAK-425 ? > > Cheers, > Nils > > > On Thu, Apr 24, 2014 at 5:05 PM, Nils Preusker > wrote: > > Hi guys, > > just a quick question about > https://issues.jboss.org/browse/KEYCLOAK-425 > (keycloak-wildfly-adapter-dist-1.0-alpha-3.zip not in JBoss Maven > Repository). Would you agree that this should be fixed/ the adapter > should be in the maven repo, or should I just create the keycloak > wildfly adapter myself with the maven dependency plugin in the build > of my integration test project? > > If you are planning to fix it, can you give an estimate when it will > be available? > > Cheers, > Nils > > > On Wed, Apr 23, 2014 at 1:12 PM, Nils Preusker > wrote: > > Great, thanks for the link Stian! > > -- > Blog: www.nilspreusker.de > > > On Apr 23, 2014, at 12:58, Stian Thorgersen > wrote: > > > > In the future we may move our testsuite to Arquillian, as > this makes it possible for us to test the actual distribution of > Keycloak (on WildFly) rather than a "custom" server. > > > > For testing bearer-only services, you're right the simplest > solution would be to just create tokens manually. Have a look at > https://github.com/liveoak-io/liveoak/blob/master/modules/keycloak/src/test/java/io/liveoak/keycloak/TokenUtil.java, > which does exactly that. > > > > ----- Original Message ----- > >> From: "Nils Preusker" > > >> To: keycloak-user at lists.jboss.org > > >> Sent: Wednesday, 23 April, 2014 11:43:56 AM > >> Subject: Re: [keycloak-user] bootstrapping of keycloak for > integration testing > >> > >> Another question regarding keycloak artifacts in maven, > shouldn't > >> "keycloak-wildfly-adapter-dist" also be available? At least > this would make > >> it much easier to create a maven configuration that > bootstraps a Wildfly > >> instance with the keycloak adapter. > >> > >> I've looked at the integration test suite and find the > approach quite nice. > >> However, in order to re-use it I would currently have to > duplicate most of > >> the code (KeycloakServer, AbstractKeycloakRule etc.) since > it is in the test > >> directory of the keycloak-testsuite-integration module. > >> > >> So I thought I'd do the following: > >> > >> * create an integration-test module > >> * bootstrap Wildfly with the wildfly adapter installed with the > >> maven-dependency-plugin and maven-resources-plugin > (currently struggling > >> with the missing artifacts in the repo here so I installed > it locally for > >> now...) > >> * deploy the auth-server.war/ keycloak-server.war and the > archives I want to > >> test in an arquillian test case (@Deploy...) > >> > >> That's where I'm at right now. I guess the next step would > be to get the > >> KeycloakSessionFactory in order to add a test realm > programmatically. > >> > >> However, I just realized that it might be better (and > easier) to just > >> bootstrap an embedded Keycloak instance (no server, just the > core services) > >> and use it to create a test realm and create tokens that can > be used in the > >> test cases. After all, I just need a way to generate bearer > tokens to make > >> HTTP requests to the wars I would like to test. Any thoughts > on how I could > >> best accomplish that? > >> > >> Cheers, > >> Nils > >> > >> > >> > >> > >> On Wed, Apr 23, 2014 at 11:25 AM, Nils Preusker < > n.preusker at gmail.com > > >> wrote: > >> > >> > >> > >> Thanks Marek, I've created a JIRA issue about the missing > war in the maven > >> repo: https://issues.jboss.org/browse/KEYCLOAK-424 > >> > >> I'll have a look at the integration test suite and let you > know what I came > >> up with. > >> > >> Cheers, > >> Nils > >> > >> > >> On Wed, Apr 23, 2014 at 9:25 AM, Marek Posolda < > mposolda at redhat.com > wrote: > >> > >> > >> > >> Hi Nils, > >> > >> > >> On 22.4.2014 12:55, Nils Preusker wrote: > >> > >> > >> > >> Hi guys, > >> > >> I'm just setting up an integration test project for our > application and I'm > >> wondering what's the best way to bootstrap keycloak within it. > >> > >> I'm using arquillian for testing and I'm using the > maven-dependency-plugin > >> and maven-resources-plugin to put together a wildfly > instance with the > >> keycloak-wildfly-adapter. > >> > >> So far, that approach works nicely. However, I'm not quite > sure yet how to go > >> about > >> > >> * importing a realm and > >> * creating a bearer/ access token to use in the test cases > >> > >> One approach would be to deploy the auth-server.war (is > there a mvn > >> repository to pull it from?), POST the realm to the > respective URL of the > >> admin console and do the authentication the same way (POST > >> > http://localhost:8080/auth/rest/realms/TestRealm/tokens/grants/access > ). > >> Looks like it's not. The WAR is here just for Alpha1 > >> > https://repository.jboss.org/nexus/content/groups/public/org/keycloak/keycloak-server/1.0-alpha-1-12062013/ > >> but not for later releases, which looks like a bug IMO. Can > you create JIRA > >> for it? I think it won't be bad if release will include all > the artifacts > >> including docs and distribution stuff (like WAR and full > Wildfly appliance) > >> > >> > >> > >> > >> > >> Alternatively, I suppose I could deploy a small helper war > or jar that > >> accesses the core services of keycloak to import the realm > and create test > >> access tokens (some convenience method like "createLogin()" > in a test > >> utility that is deployed with shrink wrap maybe). > >> > >> Which option do you recommend or is there a third one that > I'm missing? > >> Maybe it will be interesting for you that we have > integration testsuite > >> > https://github.com/keycloak/keycloak/tree/master/testsuite/integration > . > >> This testsuite is using embedded Undertow server and it > programmatically > >> deploys Keycloak server on it. You can take a look at > KeycloakServer class > >> and also at individual tests to see how it works. The point > is that it's > >> embedded, so test classes have access to > KeycloakSessionFactory inside > >> KeycloakSetup actions and so they can directly use the model > API to setup > >> needed things. > >> > >> For example in LoginTest, you can see that there is some > setup action, which > >> creates new user with usage of Keycloak model API: > >> > https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/forms/LoginTest.java#L54 > >> and then there is selenium test, which verifies that this > user is able to > >> login: > >> > https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/forms/LoginTest.java#L114 > >> > >> Maybe you can reuse some parts of our testsuite and > programmaticaly deploy > >> Keycloak server in similar way like it's done here (not sure > if it's > >> possible with Arquillian+Shrinkwrap+Wildfly, but I assume > that yes). If you > >> still don't have access to Keycloak model API, you can maybe > write some > >> selenium utils, which will do needed setup in KC admin > console UI... > >> > >> Another alternative might be that you will use 2 servers in > your testsuite. > >> Your wildfly server with adapter installed will be on > localhost:8080 (you > >> have it already running) and KC server will be on > localhost:8081 (You can > >> directly reuse our testsuite for setup this). > >> > >> Good luck and let me know if still having issues. Btw. we > don't have any > >> integration tests for admin console and real AS7 and Wildfly > adapters AFAIK. > >> So it would be nice if you can share your work once you have > your testsuite > >> up and running :-) > >> > >> Marek > >> > >> > >> > >> > >> Cheers, > >> Nils > >> > >> > >> _______________________________________________ > >> keycloak-user mailing list keycloak-user at lists.jboss.org > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > >> > >> > >> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Mon May 12 10:36:38 2014 From: bburke at redhat.com (Bill Burke) Date: Mon, 12 May 2014 10:36:38 -0400 Subject: [keycloak-user] Keycloak Adapter Error In-Reply-To: References: <536D5318.8020906@redhat.com> Message-ID: <5370DC76.2060809@redhat.com> This would be set in the keycloak.json file for your application. The adapter config. On 5/9/2014 9:43 PM, Ben wrote: > I am fairly new to this. I am using Wildfly 8.0.0 Final. Where should I > set this? > > > On Fri, May 9, 2014 at 6:13 PM, Bill Burke > wrote: > > Your server is secured via SSL? (https)? If so, > > In your adapter config set: > > "disable-trust-manager": true > > or provide a keystore file that holds the public cert of your server: > > "truststore": "/path", > "truststore-password": "password" > > > > > > On 5/9/2014 5:42 PM, Ben wrote: > > I am using Keycloak Beta 1 Snapshot as my SSO but when any user > logs in > > it gives a 403 forbidden and the error shown below. Any idea what > went > > wrong? > > > > > > ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default > task-7) > > failed to turn code into token: > > javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated > > > > at > > > sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:397) > > [jsse.jar:1.7.0_45] > > > > at > > > org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128) > > > > at > > > org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572) > > > > at > > > org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) > > > > at > > > org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151) > > > > at > > > org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125) > > > > at > > > org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640) > > > > at > > > org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479) > > > > at > > > org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) > > > > at > > > org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805) > > > > at > > > org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784) > > > > at > > > org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:78) > > [keycloak-adapter-core-1.0-beta-1-SNAPSHOT.jar:] > > > > at > > > org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:55) > > [keycloak-adapter-core-1.0-beta-1-SNAPSHOT.jar:] > > > > at > > > org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:256) > > [keycloak-adapter-core-1.0-beta-1-SNAPSHOT.jar:] > > > > at > > > org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:205) > > [keycloak-adapter-core-1.0-beta-1-SNAPSHOT.jar:] > > > > at > > > org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:59) > > [keycloak-adapter-core-1.0-beta-1-SNAPSHOT.jar:] > > > > at > > > org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:38) > > [keycloak-undertow-adapter-1.0-beta-1-SNAPSHOT.jar:] > > > > at > > > io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:281) > > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:298) > > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:268) > > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:131) > > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:106) > > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:99) > > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > io.undertow.security.handlers.AuthenticationCallHandler.handleRequest(AuthenticationCallHandler.java:50) > > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) > > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) > > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61) > > [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) > > [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) > > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) > > [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) > > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) > > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > > > > at > > > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) > > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:54) > > [keycloak-undertow-adapter-1.0-beta-1-SNAPSHOT.jar:] > > > > at > > > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) > > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) > > [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) > > [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) > > [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) > > [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] > > > > at > io.undertow.server.Connectors.executeRootHandler(Connectors.java:168) > > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:687) > > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > > > > at > > > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > > [rt.jar:1.7.0_45] > > > > at > > > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > > [rt.jar:1.7.0_45] > > > > at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_45] > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Mon May 12 11:25:31 2014 From: bburke at redhat.com (Bill Burke) Date: Mon, 12 May 2014 11:25:31 -0400 Subject: [keycloak-user] How to set up CORS for javascript calling a REST app In-Reply-To: <567C02B1AFF42E499D63011F4C931ABE240EDC1B@G5W2731.americas.hpqcorp.net> References: <567C02B1AFF42E499D63011F4C931ABE22CCACD4@G5W2731.americas.hpqcorp.net> <536813C3.2030207@redhat.com> <1200899652.1346715.1399366478548.JavaMail.zimbra@redhat.com> <567C02B1AFF42E499D63011F4C931ABE240ECB6E@G5W2731.americas.hpqcorp.net> <536D4AC2.5010905@redhat.com> <567C02B1AFF42E499D63011F4C931ABE240EDC1B@G5W2731.americas.hpqcorp.net> Message-ID: <5370E7EB.1030008@redhat.com> If I don't ping you by late tomorrow with an example for you, feel free to chastise me :) On 5/10/2014 10:00 PM, Boettcher, Jim wrote: > Keycloak is deployed on localhost port 8080. > The gui-app is deployed on myhost.domain.com/gui-app > The rest-app is deployed on myhost.domain.com/rest-app > > The XHR origin is myhost.domain.com/gui-app. This app is setup and configured to use the as7-adapter installed as a JBoss module. The XHR request made to the rest-app is a GET request (I tried POST and got same error). The rest-app is also set up and configured to use the as7-adapter. The XHR request to the rest-app is intercepted by the adapter which attempts to get an access code from the Keycloak server which it would then exchange for an access token. The adapter on the rest-app fails after it receives the redirected response from Keycloak with the access code. It tries to send a redirect response with the access code stripped off but this fails as explained before. > > > -----Original Message----- > From: Bill Burke [mailto:bburke at redhat.com] > Sent: Friday, May 09, 2014 5:38 PM > To: Boettcher, Jim; Stian Thorgersen > Cc: keycloak-user at lists.jboss.org > Subject: Re: How to set up CORS for javascript calling a REST app > > I want to reproduce your setup as a CORS example. So your setup is? > > 1. Keycloak deployed on auth.domain.com > 2. gui-app deployed on gui.domain.com > 3. rest-app deployed on rest-app.domain.com > > Is that right? > > The XHR's origin is "gui.domain.com" correct? This request to rest-app is made using the access token (bearer auth)? Just curious, how do you obtain the access token? > > If that is correct, I'll put together an example that you can try out within master. > > > > On 5/9/2014 5:23 PM, Boettcher, Jim wrote: >> Here is some more information on my problem. >> I have done a local build with the source from 5/8/2014. >> I deployed the auth-server to JBoss 7.1.1 running at localhost:8080 >> I deployed the as7-adapter to JBoss 7.1.1 running at myhost.net:7116 >> I have 2 applications running on the server at myhost.net:7116 >> 1. gui-app - a jsp that uses Angular.js to make an Ajax call to a REST service in rest-app >> 2. rest-app - a REST service >> Both the gui-app and rest-app are configured to be secured by the auth-server. >> >> When the jsp from gui-app is requested it will get redirected to the auth-server and get the login form and successfully login. I can see the KEYCLOAK_IDENTITY cookie set and get the access code and exchange the access code for an access token. Everything looks good. >> >> When the Ajax request is made to the rest-app the problems start. >> First of all for the Anguar.js config I had to set $httpProvider.defaults.withCredentials = true or the KEYCLOAK_IDENTITY cookie would not get sent when the request was redirected to the auth-server. >> In the Cors.build() method the origin value from the request is null so none of this code executes. This may be because I have the auth-server and my apps on different instances of JBoss with different domains. >> Also since I have already successfully logged in (with the call from the jsp) the method that gets called is in OAuthFlows. redirectAccessCode (). This method does not set any of the Access-Control-Allow-* methods and I get an error in the browser console: >> XMLHttpRequest cannot load http://localhost:8080/auth/realms/demo/tokens/login?client_id=rest-app&redi?backuptypeoption&state=9%2F17236f38-06ff-4fe7-a44d-4ddaaf7fb048&login=true. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://myhost.net:7116' is therefore not allowed access. >> >> If I modify the code to add the Access-Control-Allow-* headers to the response, I get further along. Now the redirect with the access code get processed by the adapter. When the adapter strips the access code and sends back a redirect response without the access code it does not add the Access-Control-Allow-* headers so this fails with the error: >> XMLHttpRequest cannot load https://myhost.net:7116/rest-app/restws/backupt?FHbNf0z2R0hVsU6QBMamaEVUvtQ&state=5%2F31a2cfc8-3250-4270-8e01-026bbfd0f243. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access. >> >> Modifying the adapter to add the Access-Control-Allow-* for this redirect response gets a little further. Now the problem is that the Origin=null in the request header and I get this error: >> XMLHttpRequest cannot load https://myhost.net:7116/rest-app/restws/backupt?5LL8dP6-ZEEE_t1fLf-OrJBTM6M&state=7%2F602fb48a-216e-47d9-a10a-d142a7250987. The 'Access-Control-Allow-Origin' header has a value 'https://myhost.net:7116' that is not equal to the supplied origin. Origin 'null' is therefore not allowed access. >> >> I tried to set the Access-Control-Allow-Origin = * to get around this null issue, but then I get an error: >> A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'null' is therefore not allowed access. >> But I have to set the credentials flag to true in order to get the KEYCLOAK_IDENTITY cookie to be sent. >> >> Can you look into these problems and let me know if there is a way to get this working for the applications that I have? >> >> Thanks >> -Jim >> >> -----Original Message----- >> From: Boettcher, Jim >> Sent: Tuesday, May 06, 2014 8:31 AM >> To: 'Stian Thorgersen'; Bill Burke >> Cc: keycloak-user at lists.jboss.org >> Subject: RE: How to set up CORS for javascript calling a REST app >> >> I first tried with the Alpa-3 release. >> I then did a build with latest source and deployed the auth-server.war and the keycloak-as7-adapter module. I still have the same problem with the latest source. >> >> I also noticed that with the latest source running on JBoss 7.1.1 when I tried to import a realm I get this error: >> Caused by: java.lang.NoSuchMethodError: org.jboss.resteasy.plugins.providers.multipart.InputPart.setMediaType(Ljavax/ws/rs/core/MediaType;)V >> at org.keycloak.services.resources.admin.RealmsAdminResource.uploadRealm(RealmsAdminResource.java:132) [keycloak-services-1.0-beta-1-SNAPSHOT.jar:] >> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_45] >> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_45] >> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_45] >> at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_45] >> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:155) [resteasy-jaxrs-2.3.2.Final.jar:] >> at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:257) [resteasy-jaxrs-2.3.2.Final.jar:] >> at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:222) [resteasy-jaxrs-2.3.2.Final.jar:] >> at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:152) [resteasy-jaxrs-2.3.2.Final.jar:] >> at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:91) [resteasy-jaxrs-2.3.2.Final.jar:] >> at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:525) [resteasy-jaxrs-2.3.2.Final.jar:] >> >> Jim >> >> >> -----Original Message----- >> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Stian Thorgersen >> Sent: Tuesday, May 06, 2014 4:55 AM >> To: Bill Burke >> Cc: keycloak-user at lists.jboss.org >> Subject: Re: [keycloak-user] How to set up CORS for javascript calling a REST app >> >> I added some fixes to CORS in the adapters that haven't made it into a release yet. Have you tried with building the server from source? >> >> ----- Original Message ----- >>> From: "Bill Burke" >>> To: keycloak-user at lists.jboss.org >>> Sent: Monday, 5 May, 2014 11:42:11 PM >>> Subject: Re: [keycloak-user] How to set up CORS for javascript calling >>> a REST app >>> >>> You are using the latest release? I'll take a look. I don't have any >>> unit tests for the CORs stuff in the last alpha release (have some in >>> trunk though) and I don't think I tested it manually either. >>> >>> On 5/5/2014 3:41 PM, Boettcher, Jim wrote: >>>> Hi, >>>> >>>> I?m trying to get CORS working for a javascript app. The javascript >>>> app >>>> (gui_app) is making AJAX requests to a different REST app (rest_app). >>>> >>>> In the Keycloak admin console I created an application for the >>>> rest_app application and set a Web Origin of ?*? . I then copied the >>>> Installation for Jboss Subsystem XML to the standalone.xml of the >>>> JBoss 7.1.1 server that the rest_app is running on. I modified the >>>> configuration to add >>>> >>>> true >>>> >>>> When I try to open the gui_app from Chrome I get errors like: >>>> >>>> XMLHttpRequest cannot load >>>> http://localhost:8080/auth/rest/realms/dp-gui/tokens/login?client_id=rest_app&redirect_uri=https%3A%2F%2Flocalhost%3A7116%2Frest_app%2Frestws%2Ftimezone&state=3%2F502272ab-ab8f-4d9e-b8ea-4484a81de15c&login=true. >>>> No 'Access-Control-Allow-Origin' header is present on the requested >>>> resource. Origin 'https://localhost:7116' is therefore not allowed access. >>>> >>>> I?ve tried playing with various settings but can?t get anything to work. >>>> >>>> Is there an example available for how to get this to work? >>>> >>>> Is there anything else that needs to be done on the Keycloak server >>>> side? Or on the Adapter side? >>>> >>>> Thanks, >>>> >>>> Jim >>>> >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> -- >>> Bill Burke >>> JBoss, a division of Red Hat >>> http://bill.burkecentral.com >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From smysnk at gmail.com Mon May 12 13:12:29 2014 From: smysnk at gmail.com (Josh) Date: Mon, 12 May 2014 11:12:29 -0600 Subject: [keycloak-user] ERR_INCOMPLETE_CHUNKED_ENCODING In-Reply-To: <5370DB46.4030408@redhat.com> References: <5370DB46.4030408@redhat.com> Message-ID: No exception on the server. This instance is running on Vagrant + Docker, there is a good possibility there is something going wrong with the networking between my host and the container. I'll try and reproduce with wildfly running on host. On Mon, May 12, 2014 at 8:31 AM, Bill Burke wrote: > Not sure what that could be. Do you see any exceptions thrown on the > server? > > On 5/12/2014 3:06 AM, Josh wrote: > > Hi, > > > > Another weird problem I seem to be having is I am getting intermittent > > errors from web resources served from the auth-server.war. If I refresh > > the admin console enough times it seems to eventually correct itself. > > > > ie. > > > > GET > > http://localhost:8083/auth/theme/login/patternfly/lib/zocial/zocial.css > > net::ERR_INCOMPLETE_CHUNKED_ENCODING > > > > Using Wildfly: 8.1.0.CR1 > > Both alpha4, beta1 have this problem. > > > > > > Any ideas? > > > > - Josh > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140512/e0eafab8/attachment.html From ungarida at gmail.com Mon May 12 14:13:53 2014 From: ungarida at gmail.com (Davide Ungari) Date: Mon, 12 May 2014 20:13:53 +0200 Subject: [keycloak-user] MongoDB - Model provider not found Message-ID: I found out that: 1- the command "mvn package" does not include mongo module and driver 2- there is a regression on data model, updating source of keycloak I must drop database in order to see the admin console works again -- Davide -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140512/a8ed059b/attachment.html From delkant at gmail.com Mon May 12 15:23:16 2014 From: delkant at gmail.com (Rodrigo Del Canto) Date: Mon, 12 May 2014 15:23:16 -0400 Subject: [keycloak-user] Unable to add Realm In-Reply-To: References: Message-ID: I'm sorry... it's already reported https://issues.jboss.org/browse/KEYCLOAK-453 Thanks, Rodrigo. On Sun, May 11, 2014 at 7:45 PM, Rodrigo Del Canto wrote: > Hi Guys, > > I was using keycloak 1.0-alpha-4 > to test it and do very basic authentication,in that way I was able to win > some time and continuing the development of my app. > > Today I decided to try to build the last code/version and deploy it. > > After checked the code out I did: mvn clean install and mvn package, I > made the changes to point the DS to a mysql db I'm using... and then > deployed the war.. no issues so far. > > Then I logged in with admin/admin change the password and tried to add a > new Realm but is not working, the new realm is listed in the left menu but > I cannot change the settings. > > Is this a bug? Am I missing something? > > Thanks, > > Rodrigo. > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140512/c792b3af/attachment.html From smysnk at gmail.com Tue May 13 13:17:43 2014 From: smysnk at gmail.com (Josh) Date: Tue, 13 May 2014 11:17:43 -0600 Subject: [keycloak-user] ERR_INCOMPLETE_CHUNKED_ENCODING In-Reply-To: References: <5370DB46.4030408@redhat.com> Message-ID: I can verify now this was in fact caused by networking of VirtualBox provider for Vagrant. I finally bit the bullet and bought VMWare Fusion and problems magically gone away. VirtualBox is evil! On Mon, May 12, 2014 at 11:12 AM, Josh wrote: > No exception on the server. This instance is running on Vagrant + Docker, > there is a good possibility there is something going wrong with the > networking between my host and the container. I'll try and reproduce with > wildfly running on host. > > > On Mon, May 12, 2014 at 8:31 AM, Bill Burke wrote: > >> Not sure what that could be. Do you see any exceptions thrown on the >> server? >> >> On 5/12/2014 3:06 AM, Josh wrote: >> > Hi, >> > >> > Another weird problem I seem to be having is I am getting intermittent >> > errors from web resources served from the auth-server.war. If I refresh >> > the admin console enough times it seems to eventually correct itself. >> > >> > ie. >> > >> > GET >> > http://localhost:8083/auth/theme/login/patternfly/lib/zocial/zocial.css >> > net::ERR_INCOMPLETE_CHUNKED_ENCODING >> > >> > Using Wildfly: 8.1.0.CR1 >> > Both alpha4, beta1 have this problem. >> > >> > >> > Any ideas? >> > >> > - Josh >> > >> > >> > >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140513/53016623/attachment-0001.html From bburke at redhat.com Tue May 13 17:57:33 2014 From: bburke at redhat.com (Bill Burke) Date: Tue, 13 May 2014 17:57:33 -0400 Subject: [keycloak-user] How to set up CORS for javascript calling a REST app In-Reply-To: <5370E7EB.1030008@redhat.com> References: <567C02B1AFF42E499D63011F4C931ABE22CCACD4@G5W2731.americas.hpqcorp.net> <536813C3.2030207@redhat.com> <1200899652.1346715.1399366478548.JavaMail.zimbra@redhat.com> <567C02B1AFF42E499D63011F4C931ABE240ECB6E@G5W2731.americas.hpqcorp.net> <536D4AC2.5010905@redhat.com> <567C02B1AFF42E499D63011F4C931ABE240EDC1B@G5W2731.americas.hpqcorp.net> <5370E7EB.1030008@redhat.com> Message-ID: <5372954D.7050002@redhat.com> Ok, I have an example working in master for your setup. $ git at github.com:keycloak/keycloak.git $ cd keycloak $ mvn clean install $ cd distribution $ mvn clean install $ cd application-dist/target $ unzip keycloak*...zip In one window bring up server: $ cd application-dist/target/keycloak.../keycloak/bin $ standalone.sh In another build the demo: $ cd application-dist/target/keycloak.../examples/cors $ mvn clean install jboss-as:deploy Read the README.md in the examples/cors directory to run the demo. Let me know how it goes. The key to getting it working is setting the Web Origin for the application you are logging into. Basicallhy the origin should be whatever the base URI is (minus the path) for that application. Also, setting keycloak.json setting of enable-cors to true is also a must. On 5/12/2014 11:25 AM, Bill Burke wrote: > If I don't ping you by late tomorrow with an example for you, feel free > to chastise me :) > > On 5/10/2014 10:00 PM, Boettcher, Jim wrote: >> Keycloak is deployed on localhost port 8080. >> The gui-app is deployed on myhost.domain.com/gui-app >> The rest-app is deployed on myhost.domain.com/rest-app >> >> The XHR origin is myhost.domain.com/gui-app. This app is setup and configured to use the as7-adapter installed as a JBoss module. The XHR request made to the rest-app is a GET request (I tried POST and got same error). The rest-app is also set up and configured to use the as7-adapter. The XHR request to the rest-app is intercepted by the adapter which attempts to get an access code from the Keycloak server which it would then exchange for an access token. The adapter on the rest-app fails after it receives the redirected response from Keycloak with the access code. It tries to send a redirect response with the access code stripped off but this fails as explained before. >> >> >> -----Original Message----- >> From: Bill Burke [mailto:bburke at redhat.com] >> Sent: Friday, May 09, 2014 5:38 PM >> To: Boettcher, Jim; Stian Thorgersen >> Cc: keycloak-user at lists.jboss.org >> Subject: Re: How to set up CORS for javascript calling a REST app >> >> I want to reproduce your setup as a CORS example. So your setup is? >> >> 1. Keycloak deployed on auth.domain.com >> 2. gui-app deployed on gui.domain.com >> 3. rest-app deployed on rest-app.domain.com >> >> Is that right? >> >> The XHR's origin is "gui.domain.com" correct? This request to rest-app is made using the access token (bearer auth)? Just curious, how do you obtain the access token? >> >> If that is correct, I'll put together an example that you can try out within master. >> >> >> >> On 5/9/2014 5:23 PM, Boettcher, Jim wrote: >>> Here is some more information on my problem. >>> I have done a local build with the source from 5/8/2014. >>> I deployed the auth-server to JBoss 7.1.1 running at localhost:8080 >>> I deployed the as7-adapter to JBoss 7.1.1 running at myhost.net:7116 >>> I have 2 applications running on the server at myhost.net:7116 >>> 1. gui-app - a jsp that uses Angular.js to make an Ajax call to a REST service in rest-app >>> 2. rest-app - a REST service >>> Both the gui-app and rest-app are configured to be secured by the auth-server. >>> >>> When the jsp from gui-app is requested it will get redirected to the auth-server and get the login form and successfully login. I can see the KEYCLOAK_IDENTITY cookie set and get the access code and exchange the access code for an access token. Everything looks good. >>> >>> When the Ajax request is made to the rest-app the problems start. >>> First of all for the Anguar.js config I had to set $httpProvider.defaults.withCredentials = true or the KEYCLOAK_IDENTITY cookie would not get sent when the request was redirected to the auth-server. >>> In the Cors.build() method the origin value from the request is null so none of this code executes. This may be because I have the auth-server and my apps on different instances of JBoss with different domains. >>> Also since I have already successfully logged in (with the call from the jsp) the method that gets called is in OAuthFlows. redirectAccessCode (). This method does not set any of the Access-Control-Allow-* methods and I get an error in the browser console: >>> XMLHttpRequest cannot load http://localhost:8080/auth/realms/demo/tokens/login?client_id=rest-app&redi?backuptypeoption&state=9%2F17236f38-06ff-4fe7-a44d-4ddaaf7fb048&login=true. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://myhost.net:7116' is therefore not allowed access. >>> >>> If I modify the code to add the Access-Control-Allow-* headers to the response, I get further along. Now the redirect with the access code get processed by the adapter. When the adapter strips the access code and sends back a redirect response without the access code it does not add the Access-Control-Allow-* headers so this fails with the error: >>> XMLHttpRequest cannot load https://myhost.net:7116/rest-app/restws/backupt?FHbNf0z2R0hVsU6QBMamaEVUvtQ&state=5%2F31a2cfc8-3250-4270-8e01-026bbfd0f243. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access. >>> >>> Modifying the adapter to add the Access-Control-Allow-* for this redirect response gets a little further. Now the problem is that the Origin=null in the request header and I get this error: >>> XMLHttpRequest cannot load https://myhost.net:7116/rest-app/restws/backupt?5LL8dP6-ZEEE_t1fLf-OrJBTM6M&state=7%2F602fb48a-216e-47d9-a10a-d142a7250987. The 'Access-Control-Allow-Origin' header has a value 'https://myhost.net:7116' that is not equal to the supplied origin. Origin 'null' is therefore not allowed access. >>> >>> I tried to set the Access-Control-Allow-Origin = * to get around this null issue, but then I get an error: >>> A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'null' is therefore not allowed access. >>> But I have to set the credentials flag to true in order to get the KEYCLOAK_IDENTITY cookie to be sent. >>> >>> Can you look into these problems and let me know if there is a way to get this working for the applications that I have? >>> >>> Thanks >>> -Jim >>> >>> -----Original Message----- >>> From: Boettcher, Jim >>> Sent: Tuesday, May 06, 2014 8:31 AM >>> To: 'Stian Thorgersen'; Bill Burke >>> Cc: keycloak-user at lists.jboss.org >>> Subject: RE: How to set up CORS for javascript calling a REST app >>> >>> I first tried with the Alpa-3 release. >>> I then did a build with latest source and deployed the auth-server.war and the keycloak-as7-adapter module. I still have the same problem with the latest source. >>> >>> I also noticed that with the latest source running on JBoss 7.1.1 when I tried to import a realm I get this error: >>> Caused by: java.lang.NoSuchMethodError: org.jboss.resteasy.plugins.providers.multipart.InputPart.setMediaType(Ljavax/ws/rs/core/MediaType;)V >>> at org.keycloak.services.resources.admin.RealmsAdminResource.uploadRealm(RealmsAdminResource.java:132) [keycloak-services-1.0-beta-1-SNAPSHOT.jar:] >>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_45] >>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_45] >>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_45] >>> at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_45] >>> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:155) [resteasy-jaxrs-2.3.2.Final.jar:] >>> at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:257) [resteasy-jaxrs-2.3.2.Final.jar:] >>> at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:222) [resteasy-jaxrs-2.3.2.Final.jar:] >>> at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:152) [resteasy-jaxrs-2.3.2.Final.jar:] >>> at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:91) [resteasy-jaxrs-2.3.2.Final.jar:] >>> at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:525) [resteasy-jaxrs-2.3.2.Final.jar:] >>> >>> Jim >>> >>> >>> -----Original Message----- >>> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Stian Thorgersen >>> Sent: Tuesday, May 06, 2014 4:55 AM >>> To: Bill Burke >>> Cc: keycloak-user at lists.jboss.org >>> Subject: Re: [keycloak-user] How to set up CORS for javascript calling a REST app >>> >>> I added some fixes to CORS in the adapters that haven't made it into a release yet. Have you tried with building the server from source? >>> >>> ----- Original Message ----- >>>> From: "Bill Burke" >>>> To: keycloak-user at lists.jboss.org >>>> Sent: Monday, 5 May, 2014 11:42:11 PM >>>> Subject: Re: [keycloak-user] How to set up CORS for javascript calling >>>> a REST app >>>> >>>> You are using the latest release? I'll take a look. I don't have any >>>> unit tests for the CORs stuff in the last alpha release (have some in >>>> trunk though) and I don't think I tested it manually either. >>>> >>>> On 5/5/2014 3:41 PM, Boettcher, Jim wrote: >>>>> Hi, >>>>> >>>>> I?m trying to get CORS working for a javascript app. The javascript >>>>> app >>>>> (gui_app) is making AJAX requests to a different REST app (rest_app). >>>>> >>>>> In the Keycloak admin console I created an application for the >>>>> rest_app application and set a Web Origin of ?*? . I then copied the >>>>> Installation for Jboss Subsystem XML to the standalone.xml of the >>>>> JBoss 7.1.1 server that the rest_app is running on. I modified the >>>>> configuration to add >>>>> >>>>> true >>>>> >>>>> When I try to open the gui_app from Chrome I get errors like: >>>>> >>>>> XMLHttpRequest cannot load >>>>> http://localhost:8080/auth/rest/realms/dp-gui/tokens/login?client_id=rest_app&redirect_uri=https%3A%2F%2Flocalhost%3A7116%2Frest_app%2Frestws%2Ftimezone&state=3%2F502272ab-ab8f-4d9e-b8ea-4484a81de15c&login=true. >>>>> No 'Access-Control-Allow-Origin' header is present on the requested >>>>> resource. Origin 'https://localhost:7116' is therefore not allowed access. >>>>> >>>>> I?ve tried playing with various settings but can?t get anything to work. >>>>> >>>>> Is there an example available for how to get this to work? >>>>> >>>>> Is there anything else that needs to be done on the Keycloak server >>>>> side? Or on the Adapter side? >>>>> >>>>> Thanks, >>>>> >>>>> Jim >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> >>>> -- >>>> Bill Burke >>>> JBoss, a division of Red Hat >>>> http://bill.burkecentral.com >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From jim.boettcher at hp.com Wed May 14 13:35:25 2014 From: jim.boettcher at hp.com (Boettcher, Jim) Date: Wed, 14 May 2014 17:35:25 +0000 Subject: [keycloak-user] How to set up CORS for javascript calling a REST app In-Reply-To: <5372954D.7050002@redhat.com> References: <567C02B1AFF42E499D63011F4C931ABE22CCACD4@G5W2731.americas.hpqcorp.net> <536813C3.2030207@redhat.com> <1200899652.1346715.1399366478548.JavaMail.zimbra@redhat.com> <567C02B1AFF42E499D63011F4C931ABE240ECB6E@G5W2731.americas.hpqcorp.net> <536D4AC2.5010905@redhat.com> <567C02B1AFF42E499D63011F4C931ABE240EDC1B@G5W2731.americas.hpqcorp.net> <5370E7EB.1030008@redhat.com> <5372954D.7050002@redhat.com> Message-ID: <567C02B1AFF42E499D63011F4C931ABE240EEFF3@G5W2731.americas.hpqcorp.net> Hi Bill, Thank you for the cors example. The setup we were trying to get to work is somewhat different than what you have in the cors example. We were not using the keycloak.js adapter to do the token negotiation on the client. We have a number of different client apps and we were hoping to get this working by using the server adapter. The gui-app is configured to use the as7-adapter module installed in the JBoss server. When the jsp page is requested the adapter on the server intercepts the request and does all the token negotiation and then stores the access token in the session. The user should now be logged in with SSO. Now when an Ajax request is made from the gui-app to the rest-app we were hoping to get the SSO to work on the rest-app. The rest-app is also configured to use the as7-adapter module installed in the JBoss server. We were hoping to get this to work similar to how the demo example for the customer and product apps work with SSO. In our case the gui-app would work like the customer-portal of the example and our rest-app would work like the product-portal of the example. So in our case we wanted to try to get our rest-app to do the SSO token negotiation using the KEYCLOAK_IDENTITY cookie and access code like the product-portal example does. Note we are not trying to do the bearer token type calls to the database rest service like the demo example does. -Jim -----Original Message----- From: Bill Burke [mailto:bburke at redhat.com] Sent: Tuesday, May 13, 2014 5:58 PM To: Boettcher, Jim Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] How to set up CORS for javascript calling a REST app Ok, I have an example working in master for your setup. $ git at github.com:keycloak/keycloak.git $ cd keycloak $ mvn clean install $ cd distribution $ mvn clean install $ cd application-dist/target $ unzip keycloak*...zip In one window bring up server: $ cd application-dist/target/keycloak.../keycloak/bin $ standalone.sh In another build the demo: $ cd application-dist/target/keycloak.../examples/cors $ mvn clean install jboss-as:deploy Read the README.md in the examples/cors directory to run the demo. Let me know how it goes. The key to getting it working is setting the Web Origin for the application you are logging into. Basicallhy the origin should be whatever the base URI is (minus the path) for that application. Also, setting keycloak.json setting of enable-cors to true is also a must. On 5/12/2014 11:25 AM, Bill Burke wrote: > If I don't ping you by late tomorrow with an example for you, feel > free to chastise me :) > > On 5/10/2014 10:00 PM, Boettcher, Jim wrote: >> Keycloak is deployed on localhost port 8080. >> The gui-app is deployed on myhost.domain.com/gui-app The rest-app is >> deployed on myhost.domain.com/rest-app >> >> The XHR origin is myhost.domain.com/gui-app. This app is setup and configured to use the as7-adapter installed as a JBoss module. The XHR request made to the rest-app is a GET request (I tried POST and got same error). The rest-app is also set up and configured to use the as7-adapter. The XHR request to the rest-app is intercepted by the adapter which attempts to get an access code from the Keycloak server which it would then exchange for an access token. The adapter on the rest-app fails after it receives the redirected response from Keycloak with the access code. It tries to send a redirect response with the access code stripped off but this fails as explained before. >> >> >> -----Original Message----- >> From: Bill Burke [mailto:bburke at redhat.com] >> Sent: Friday, May 09, 2014 5:38 PM >> To: Boettcher, Jim; Stian Thorgersen >> Cc: keycloak-user at lists.jboss.org >> Subject: Re: How to set up CORS for javascript calling a REST app >> >> I want to reproduce your setup as a CORS example. So your setup is? >> >> 1. Keycloak deployed on auth.domain.com 2. gui-app deployed on >> gui.domain.com 3. rest-app deployed on rest-app.domain.com >> >> Is that right? >> >> The XHR's origin is "gui.domain.com" correct? This request to rest-app is made using the access token (bearer auth)? Just curious, how do you obtain the access token? >> >> If that is correct, I'll put together an example that you can try out within master. >> >> >> >> On 5/9/2014 5:23 PM, Boettcher, Jim wrote: >>> Here is some more information on my problem. >>> I have done a local build with the source from 5/8/2014. >>> I deployed the auth-server to JBoss 7.1.1 running at localhost:8080 >>> I deployed the as7-adapter to JBoss 7.1.1 running at myhost.net:7116 >>> I have 2 applications running on the server at myhost.net:7116 >>> 1. gui-app - a jsp that uses Angular.js to make an Ajax call to a REST service in rest-app >>> 2. rest-app - a REST service >>> Both the gui-app and rest-app are configured to be secured by the auth-server. >>> >>> When the jsp from gui-app is requested it will get redirected to the auth-server and get the login form and successfully login. I can see the KEYCLOAK_IDENTITY cookie set and get the access code and exchange the access code for an access token. Everything looks good. >>> >>> When the Ajax request is made to the rest-app the problems start. >>> First of all for the Anguar.js config I had to set $httpProvider.defaults.withCredentials = true or the KEYCLOAK_IDENTITY cookie would not get sent when the request was redirected to the auth-server. >>> In the Cors.build() method the origin value from the request is null so none of this code executes. This may be because I have the auth-server and my apps on different instances of JBoss with different domains. >>> Also since I have already successfully logged in (with the call from the jsp) the method that gets called is in OAuthFlows. redirectAccessCode (). This method does not set any of the Access-Control-Allow-* methods and I get an error in the browser console: >>> XMLHttpRequest cannot load http://localhost:8080/auth/realms/demo/tokens/login?client_id=rest-app&redi?backuptypeoption&state=9%2F17236f38-06ff-4fe7-a44d-4ddaaf7fb048&login=true. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://myhost.net:7116' is therefore not allowed access. >>> >>> If I modify the code to add the Access-Control-Allow-* headers to the response, I get further along. Now the redirect with the access code get processed by the adapter. When the adapter strips the access code and sends back a redirect response without the access code it does not add the Access-Control-Allow-* headers so this fails with the error: >>> XMLHttpRequest cannot load https://myhost.net:7116/rest-app/restws/backupt?FHbNf0z2R0hVsU6QBMamaEVUvtQ&state=5%2F31a2cfc8-3250-4270-8e01-026bbfd0f243. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access. >>> >>> Modifying the adapter to add the Access-Control-Allow-* for this redirect response gets a little further. Now the problem is that the Origin=null in the request header and I get this error: >>> XMLHttpRequest cannot load https://myhost.net:7116/rest-app/restws/backupt?5LL8dP6-ZEEE_t1fLf-OrJBTM6M&state=7%2F602fb48a-216e-47d9-a10a-d142a7250987. The 'Access-Control-Allow-Origin' header has a value 'https://myhost.net:7116' that is not equal to the supplied origin. Origin 'null' is therefore not allowed access. >>> >>> I tried to set the Access-Control-Allow-Origin = * to get around this null issue, but then I get an error: >>> A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'null' is therefore not allowed access. >>> But I have to set the credentials flag to true in order to get the KEYCLOAK_IDENTITY cookie to be sent. >>> >>> Can you look into these problems and let me know if there is a way to get this working for the applications that I have? >>> >>> Thanks >>> -Jim >>> >>> -----Original Message----- >>> From: Boettcher, Jim >>> Sent: Tuesday, May 06, 2014 8:31 AM >>> To: 'Stian Thorgersen'; Bill Burke >>> Cc: keycloak-user at lists.jboss.org >>> Subject: RE: How to set up CORS for javascript calling a REST app >>> >>> I first tried with the Alpa-3 release. >>> I then did a build with latest source and deployed the auth-server.war and the keycloak-as7-adapter module. I still have the same problem with the latest source. >>> >>> I also noticed that with the latest source running on JBoss 7.1.1 when I tried to import a realm I get this error: >>> Caused by: java.lang.NoSuchMethodError: org.jboss.resteasy.plugins.providers.multipart.InputPart.setMediaType(Ljavax/ws/rs/core/MediaType;)V >>> at org.keycloak.services.resources.admin.RealmsAdminResource.uploadRealm(RealmsAdminResource.java:132) [keycloak-services-1.0-beta-1-SNAPSHOT.jar:] >>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_45] >>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_45] >>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_45] >>> at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_45] >>> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:155) [resteasy-jaxrs-2.3.2.Final.jar:] >>> at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:257) [resteasy-jaxrs-2.3.2.Final.jar:] >>> at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:222) [resteasy-jaxrs-2.3.2.Final.jar:] >>> at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:152) [resteasy-jaxrs-2.3.2.Final.jar:] >>> at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:91) [resteasy-jaxrs-2.3.2.Final.jar:] >>> at >>> org.jboss.resteasy.core.SynchronousDispatcher.getResponse(Synchronou >>> sDispatcher.java:525) [resteasy-jaxrs-2.3.2.Final.jar:] >>> >>> Jim >>> >>> >>> -----Original Message----- >>> From: keycloak-user-bounces at lists.jboss.org >>> [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Stian >>> Thorgersen >>> Sent: Tuesday, May 06, 2014 4:55 AM >>> To: Bill Burke >>> Cc: keycloak-user at lists.jboss.org >>> Subject: Re: [keycloak-user] How to set up CORS for javascript >>> calling a REST app >>> >>> I added some fixes to CORS in the adapters that haven't made it into a release yet. Have you tried with building the server from source? >>> >>> ----- Original Message ----- >>>> From: "Bill Burke" >>>> To: keycloak-user at lists.jboss.org >>>> Sent: Monday, 5 May, 2014 11:42:11 PM >>>> Subject: Re: [keycloak-user] How to set up CORS for javascript >>>> calling a REST app >>>> >>>> You are using the latest release? I'll take a look. I don't have >>>> any unit tests for the CORs stuff in the last alpha release (have >>>> some in trunk though) and I don't think I tested it manually either. >>>> >>>> On 5/5/2014 3:41 PM, Boettcher, Jim wrote: >>>>> Hi, >>>>> >>>>> I?m trying to get CORS working for a javascript app. The >>>>> javascript app >>>>> (gui_app) is making AJAX requests to a different REST app (rest_app). >>>>> >>>>> In the Keycloak admin console I created an application for the >>>>> rest_app application and set a Web Origin of ?*? . I then copied >>>>> the Installation for Jboss Subsystem XML to the standalone.xml of >>>>> the JBoss 7.1.1 server that the rest_app is running on. I modified >>>>> the configuration to add >>>>> >>>>> true >>>>> >>>>> When I try to open the gui_app from Chrome I get errors like: >>>>> >>>>> XMLHttpRequest cannot load >>>>> http://localhost:8080/auth/rest/realms/dp-gui/tokens/login?client_id=rest_app&redirect_uri=https%3A%2F%2Flocalhost%3A7116%2Frest_app%2Frestws%2Ftimezone&state=3%2F502272ab-ab8f-4d9e-b8ea-4484a81de15c&login=true. >>>>> No 'Access-Control-Allow-Origin' header is present on the >>>>> requested resource. Origin 'https://localhost:7116' is therefore not allowed access. >>>>> >>>>> I?ve tried playing with various settings but can?t get anything to work. >>>>> >>>>> Is there an example available for how to get this to work? >>>>> >>>>> Is there anything else that needs to be done on the Keycloak >>>>> server side? Or on the Adapter side? >>>>> >>>>> Thanks, >>>>> >>>>> Jim >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> >>>> -- >>>> Bill Burke >>>> JBoss, a division of Red Hat >>>> http://bill.burkecentral.com >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From rodrigopsasaki at gmail.com Wed May 14 15:52:07 2014 From: rodrigopsasaki at gmail.com (Rodrigo Sasaki) Date: Wed, 14 May 2014 16:52:07 -0300 Subject: [keycloak-user] Migrating Users Database Message-ID: Hi, I'm trying to replace my current authentication system with Keycloak, but I have one problem. I already have a database of users, populated with millions of records, and I wanted to make it work with Keycloak. What would be the best approach on this scenario? Should I migrate everything to the Keycloak tables, or try to make Keycloak understand my current database? Is there any recommendation on this matter? And if there is, some explanation or documentation? Thanks! -- Rodrigo Sasaki -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140514/e175cb68/attachment-0001.html From bburke at redhat.com Wed May 14 21:50:38 2014 From: bburke at redhat.com (Bill Burke) Date: Wed, 14 May 2014 21:50:38 -0400 Subject: [keycloak-user] How to set up CORS for javascript calling a REST app In-Reply-To: <567C02B1AFF42E499D63011F4C931ABE240EEFF3@G5W2731.americas.hpqcorp.net> References: <567C02B1AFF42E499D63011F4C931ABE22CCACD4@G5W2731.americas.hpqcorp.net> <536813C3.2030207@redhat.com> <1200899652.1346715.1399366478548.JavaMail.zimbra@redhat.com> <567C02B1AFF42E499D63011F4C931ABE240ECB6E@G5W2731.americas.hpqcorp.net> <536D4AC2.5010905@redhat.com> <567C02B1AFF42E499D63011F4C931ABE240EDC1B@G5W2731.americas.hpqcorp.net> <5370E7EB.1030008@redhat.com> <5372954D.7050002@redhat.com> <567C02B1AFF42E499D63011F4C931ABE240EEFF3@G5W2731.americas.hpqcorp.net> Message-ID: <53741D6E.5060401@redhat.com> Then it its just a matter of giving the gui-app an allowed origin of itself. Admin console->Applications->gui-app->Web Origin->https://gui.app.com The rest-app should just be a plain bearer-only service that turns on cors in the keycloak.json file: "enable-cors": true On 5/14/2014 1:35 PM, Boettcher, Jim wrote: > Hi Bill, > > Thank you for the cors example. > The setup we were trying to get to work is somewhat different than what you have in the cors example. We were not using the keycloak.js adapter to do the token negotiation on the client. We have a number of different client apps and we were hoping to get this working by using the server adapter. > The gui-app is configured to use the as7-adapter module installed in the JBoss server. When the jsp page is requested the adapter on the server intercepts the request and does all the token negotiation and then stores the access token in the session. The user should now be logged in with SSO. > Now when an Ajax request is made from the gui-app to the rest-app we were hoping to get the SSO to work on the rest-app. The rest-app is also configured to use the as7-adapter module installed in the JBoss server. We were hoping to get this to work similar to how the demo example for the customer and product apps work with SSO. In our case the gui-app would work like the customer-portal of the example and our rest-app would work like the product-portal of the example. > So in our case we wanted to try to get our rest-app to do the SSO token negotiation using the KEYCLOAK_IDENTITY cookie and access code like the product-portal example does. Note we are not trying to do the bearer token type calls to the database rest service like the demo example does. > > -Jim > > > -----Original Message----- > From: Bill Burke [mailto:bburke at redhat.com] > Sent: Tuesday, May 13, 2014 5:58 PM > To: Boettcher, Jim > Cc: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] How to set up CORS for javascript calling a REST app > > Ok, I have an example working in master for your setup. > > $ git at github.com:keycloak/keycloak.git > $ cd keycloak > $ mvn clean install > $ cd distribution > $ mvn clean install > $ cd application-dist/target > $ unzip keycloak*...zip > > In one window bring up server: > $ cd application-dist/target/keycloak.../keycloak/bin > $ standalone.sh > > In another build the demo: > $ cd application-dist/target/keycloak.../examples/cors > $ mvn clean install jboss-as:deploy > > Read the README.md in the examples/cors directory to run the demo. > > Let me know how it goes. The key to getting it working is setting the Web Origin for the application you are logging into. Basicallhy the origin should be whatever the base URI is (minus the path) for that application. Also, setting keycloak.json setting of enable-cors to true is also a must. > > On 5/12/2014 11:25 AM, Bill Burke wrote: >> If I don't ping you by late tomorrow with an example for you, feel >> free to chastise me :) >> >> On 5/10/2014 10:00 PM, Boettcher, Jim wrote: >>> Keycloak is deployed on localhost port 8080. >>> The gui-app is deployed on myhost.domain.com/gui-app The rest-app is >>> deployed on myhost.domain.com/rest-app >>> >>> The XHR origin is myhost.domain.com/gui-app. This app is setup and configured to use the as7-adapter installed as a JBoss module. The XHR request made to the rest-app is a GET request (I tried POST and got same error). The rest-app is also set up and configured to use the as7-adapter. The XHR request to the rest-app is intercepted by the adapter which attempts to get an access code from the Keycloak server which it would then exchange for an access token. The adapter on the rest-app fails after it receives the redirected response from Keycloak with the access code. It tries to send a redirect response with the access code stripped off but this fails as explained before. >>> >>> >>> -----Original Message----- >>> From: Bill Burke [mailto:bburke at redhat.com] >>> Sent: Friday, May 09, 2014 5:38 PM >>> To: Boettcher, Jim; Stian Thorgersen >>> Cc: keycloak-user at lists.jboss.org >>> Subject: Re: How to set up CORS for javascript calling a REST app >>> >>> I want to reproduce your setup as a CORS example. So your setup is? >>> >>> 1. Keycloak deployed on auth.domain.com 2. gui-app deployed on >>> gui.domain.com 3. rest-app deployed on rest-app.domain.com >>> >>> Is that right? >>> >>> The XHR's origin is "gui.domain.com" correct? This request to rest-app is made using the access token (bearer auth)? Just curious, how do you obtain the access token? >>> >>> If that is correct, I'll put together an example that you can try out within master. >>> >>> >>> >>> On 5/9/2014 5:23 PM, Boettcher, Jim wrote: >>>> Here is some more information on my problem. >>>> I have done a local build with the source from 5/8/2014. >>>> I deployed the auth-server to JBoss 7.1.1 running at localhost:8080 >>>> I deployed the as7-adapter to JBoss 7.1.1 running at myhost.net:7116 >>>> I have 2 applications running on the server at myhost.net:7116 >>>> 1. gui-app - a jsp that uses Angular.js to make an Ajax call to a REST service in rest-app >>>> 2. rest-app - a REST service >>>> Both the gui-app and rest-app are configured to be secured by the auth-server. >>>> >>>> When the jsp from gui-app is requested it will get redirected to the auth-server and get the login form and successfully login. I can see the KEYCLOAK_IDENTITY cookie set and get the access code and exchange the access code for an access token. Everything looks good. >>>> >>>> When the Ajax request is made to the rest-app the problems start. >>>> First of all for the Anguar.js config I had to set $httpProvider.defaults.withCredentials = true or the KEYCLOAK_IDENTITY cookie would not get sent when the request was redirected to the auth-server. >>>> In the Cors.build() method the origin value from the request is null so none of this code executes. This may be because I have the auth-server and my apps on different instances of JBoss with different domains. >>>> Also since I have already successfully logged in (with the call from the jsp) the method that gets called is in OAuthFlows. redirectAccessCode (). This method does not set any of the Access-Control-Allow-* methods and I get an error in the browser console: >>>> XMLHttpRequest cannot load http://localhost:8080/auth/realms/demo/tokens/login?client_id=rest-app&redi?backuptypeoption&state=9%2F17236f38-06ff-4fe7-a44d-4ddaaf7fb048&login=true. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://myhost.net:7116' is therefore not allowed access. >>>> >>>> If I modify the code to add the Access-Control-Allow-* headers to the response, I get further along. Now the redirect with the access code get processed by the adapter. When the adapter strips the access code and sends back a redirect response without the access code it does not add the Access-Control-Allow-* headers so this fails with the error: >>>> XMLHttpRequest cannot load https://myhost.net:7116/rest-app/restws/backupt?FHbNf0z2R0hVsU6QBMamaEVUvtQ&state=5%2F31a2cfc8-3250-4270-8e01-026bbfd0f243. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access. >>>> >>>> Modifying the adapter to add the Access-Control-Allow-* for this redirect response gets a little further. Now the problem is that the Origin=null in the request header and I get this error: >>>> XMLHttpRequest cannot load https://myhost.net:7116/rest-app/restws/backupt?5LL8dP6-ZEEE_t1fLf-OrJBTM6M&state=7%2F602fb48a-216e-47d9-a10a-d142a7250987. The 'Access-Control-Allow-Origin' header has a value 'https://myhost.net:7116' that is not equal to the supplied origin. Origin 'null' is therefore not allowed access. >>>> >>>> I tried to set the Access-Control-Allow-Origin = * to get around this null issue, but then I get an error: >>>> A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'null' is therefore not allowed access. >>>> But I have to set the credentials flag to true in order to get the KEYCLOAK_IDENTITY cookie to be sent. >>>> >>>> Can you look into these problems and let me know if there is a way to get this working for the applications that I have? >>>> >>>> Thanks >>>> -Jim >>>> >>>> -----Original Message----- >>>> From: Boettcher, Jim >>>> Sent: Tuesday, May 06, 2014 8:31 AM >>>> To: 'Stian Thorgersen'; Bill Burke >>>> Cc: keycloak-user at lists.jboss.org >>>> Subject: RE: How to set up CORS for javascript calling a REST app >>>> >>>> I first tried with the Alpa-3 release. >>>> I then did a build with latest source and deployed the auth-server.war and the keycloak-as7-adapter module. I still have the same problem with the latest source. >>>> >>>> I also noticed that with the latest source running on JBoss 7.1.1 when I tried to import a realm I get this error: >>>> Caused by: java.lang.NoSuchMethodError: org.jboss.resteasy.plugins.providers.multipart.InputPart.setMediaType(Ljavax/ws/rs/core/MediaType;)V >>>> at org.keycloak.services.resources.admin.RealmsAdminResource.uploadRealm(RealmsAdminResource.java:132) [keycloak-services-1.0-beta-1-SNAPSHOT.jar:] >>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_45] >>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_45] >>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_45] >>>> at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_45] >>>> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:155) [resteasy-jaxrs-2.3.2.Final.jar:] >>>> at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:257) [resteasy-jaxrs-2.3.2.Final.jar:] >>>> at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:222) [resteasy-jaxrs-2.3.2.Final.jar:] >>>> at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:152) [resteasy-jaxrs-2.3.2.Final.jar:] >>>> at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:91) [resteasy-jaxrs-2.3.2.Final.jar:] >>>> at >>>> org.jboss.resteasy.core.SynchronousDispatcher.getResponse(Synchronou >>>> sDispatcher.java:525) [resteasy-jaxrs-2.3.2.Final.jar:] >>>> >>>> Jim >>>> >>>> >>>> -----Original Message----- >>>> From: keycloak-user-bounces at lists.jboss.org >>>> [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Stian >>>> Thorgersen >>>> Sent: Tuesday, May 06, 2014 4:55 AM >>>> To: Bill Burke >>>> Cc: keycloak-user at lists.jboss.org >>>> Subject: Re: [keycloak-user] How to set up CORS for javascript >>>> calling a REST app >>>> >>>> I added some fixes to CORS in the adapters that haven't made it into a release yet. Have you tried with building the server from source? >>>> >>>> ----- Original Message ----- >>>>> From: "Bill Burke" >>>>> To: keycloak-user at lists.jboss.org >>>>> Sent: Monday, 5 May, 2014 11:42:11 PM >>>>> Subject: Re: [keycloak-user] How to set up CORS for javascript >>>>> calling a REST app >>>>> >>>>> You are using the latest release? I'll take a look. I don't have >>>>> any unit tests for the CORs stuff in the last alpha release (have >>>>> some in trunk though) and I don't think I tested it manually either. >>>>> >>>>> On 5/5/2014 3:41 PM, Boettcher, Jim wrote: >>>>>> Hi, >>>>>> >>>>>> I?m trying to get CORS working for a javascript app. The >>>>>> javascript app >>>>>> (gui_app) is making AJAX requests to a different REST app (rest_app). >>>>>> >>>>>> In the Keycloak admin console I created an application for the >>>>>> rest_app application and set a Web Origin of ?*? . I then copied >>>>>> the Installation for Jboss Subsystem XML to the standalone.xml of >>>>>> the JBoss 7.1.1 server that the rest_app is running on. I modified >>>>>> the configuration to add >>>>>> >>>>>> true >>>>>> >>>>>> When I try to open the gui_app from Chrome I get errors like: >>>>>> >>>>>> XMLHttpRequest cannot load >>>>>> http://localhost:8080/auth/rest/realms/dp-gui/tokens/login?client_id=rest_app&redirect_uri=https%3A%2F%2Flocalhost%3A7116%2Frest_app%2Frestws%2Ftimezone&state=3%2F502272ab-ab8f-4d9e-b8ea-4484a81de15c&login=true. >>>>>> No 'Access-Control-Allow-Origin' header is present on the >>>>>> requested resource. Origin 'https://localhost:7116' is therefore not allowed access. >>>>>> >>>>>> I?ve tried playing with various settings but can?t get anything to work. >>>>>> >>>>>> Is there an example available for how to get this to work? >>>>>> >>>>>> Is there anything else that needs to be done on the Keycloak >>>>>> server side? Or on the Adapter side? >>>>>> >>>>>> Thanks, >>>>>> >>>>>> Jim >>>>>> >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> keycloak-user mailing list >>>>>> keycloak-user at lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> >>>>> >>>>> -- >>>>> Bill Burke >>>>> JBoss, a division of Red Hat >>>>> http://bill.burkecentral.com >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >> > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From stian at redhat.com Thu May 15 04:13:51 2014 From: stian at redhat.com (Stian Thorgersen) Date: Thu, 15 May 2014 04:13:51 -0400 (EDT) Subject: [keycloak-user] Migrating Users Database In-Reply-To: References: Message-ID: <728585658.7711296.1400141631441.JavaMail.zimbra@redhat.com> At the moment we have an Authentication SPI that will let you easily authenticate users with your existing database of users. The first time a new user logs in using this approach a user will be pulled in to the Keycloak database. There's no documentation for this feature yet, but look at the SPI at https://github.com/keycloak/keycloak/tree/master/authentication/authentication-api and the implementation that uses the Keycloak model itself to authenticate at https://github.com/keycloak/keycloak/tree/master/authentication/authentication-model. In the future we plan to provide a Sync SPI that will take this one step further and let you sync users (and roles) to/from an existing database. However, if you plan to completely replace your current authentication system the cleanest solution may be to import your current user database into Keycloak once and for all. If you're interested in this approach let me know. ----- Original Message ----- > From: "Rodrigo Sasaki" > To: keycloak-user at lists.jboss.org > Sent: Wednesday, 14 May, 2014 8:52:07 PM > Subject: [keycloak-user] Migrating Users Database > > Hi, > > I'm trying to replace my current authentication system with Keycloak, but I > have one problem. I already have a database of users, populated with > millions of records, and I wanted to make it work with Keycloak. > > What would be the best approach on this scenario? Should I migrate everything > to the Keycloak tables, or try to make Keycloak understand my current > database? > > Is there any recommendation on this matter? And if there is, some explanation > or documentation? > > Thanks! > > -- > Rodrigo Sasaki > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From stian at redhat.com Thu May 15 04:31:03 2014 From: stian at redhat.com (Stian Thorgersen) Date: Thu, 15 May 2014 04:31:03 -0400 (EDT) Subject: [keycloak-user] MongoDB - Model provider not found In-Reply-To: References: Message-ID: <604752553.7717330.1400142663059.JavaMail.zimbra@redhat.com> I'm not sure why the mongo model has been removed from the WAR, I'll look into that. We don't yet have support for upgrading the database when upgrading Keycloak. This will be added soon. The plan is to provide a mechanism to export the database to a json file, and after installing a new version of Keycloak you import this json file again. We'll make this import backwards compatible so you can import a json file from any older versions of Keycloak. ----- Original Message ----- > From: "Davide Ungari" > To: keycloak-user at lists.jboss.org > Sent: Monday, 12 May, 2014 7:13:53 PM > Subject: Re: [keycloak-user] MongoDB - Model provider not found > > I found out that: > 1- the command "mvn package" does not include mongo module and driver > 2- there is a regression on data model, updating source of keycloak I must > drop database in order to see the admin console works again > -- > Davide > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From stian at redhat.com Thu May 15 04:46:43 2014 From: stian at redhat.com (Stian Thorgersen) Date: Thu, 15 May 2014 04:46:43 -0400 (EDT) Subject: [keycloak-user] bootstrapping of keycloak for integration testing In-Reply-To: <5370DC3E.7060600@redhat.com> References:

<97025869.9379494.1398250729890.JavaMail.zimbra@redhat.com> <7BD4B3DB-8409-4F9F-9CB1-DCAAF19DBE65@gmail.com>

<5370DC3E.7060600@redhat.com> Message-ID: <1156794497.7738672.1400143603726.JavaMail.zimbra@redhat.com> I'm sure it is, as that's how we get WildFly ourselves: https://repository.jboss.org/nexus/index.html#nexus-search;quick~wildfly-dist ----- Original Message ----- > From: "Bill Burke" > To: keycloak-user at lists.jboss.org > Sent: Monday, 12 May, 2014 3:35:42 PM > Subject: Re: [keycloak-user] bootstrapping of keycloak for integration testing > > I don't know if it is kosher to do this. Need to ask our repo admins if > it is ok to put up such a large distro in the maven repo. > > On 5/12/2014 5:38 AM, Nils Preusker wrote: > > Hi, > > > > any news on KEYCLOAK-425 ? > > > > Cheers, > > Nils > > > > > > On Thu, Apr 24, 2014 at 5:05 PM, Nils Preusker > > wrote: > > > > Hi guys, > > > > just a quick question about > > https://issues.jboss.org/browse/KEYCLOAK-425 > > (keycloak-wildfly-adapter-dist-1.0-alpha-3.zip not in JBoss Maven > > Repository). Would you agree that this should be fixed/ the adapter > > should be in the maven repo, or should I just create the keycloak > > wildfly adapter myself with the maven dependency plugin in the build > > of my integration test project? > > > > If you are planning to fix it, can you give an estimate when it will > > be available? > > > > Cheers, > > Nils > > > > > > On Wed, Apr 23, 2014 at 1:12 PM, Nils Preusker > > wrote: > > > > Great, thanks for the link Stian! > > > > -- > > Blog: www.nilspreusker.de > > > > > On Apr 23, 2014, at 12:58, Stian Thorgersen > > wrote: > > > > > > In the future we may move our testsuite to Arquillian, as > > this makes it possible for us to test the actual distribution of > > Keycloak (on WildFly) rather than a "custom" server. > > > > > > For testing bearer-only services, you're right the simplest > > solution would be to just create tokens manually. Have a look at > > https://github.com/liveoak-io/liveoak/blob/master/modules/keycloak/src/test/java/io/liveoak/keycloak/TokenUtil.java, > > which does exactly that. > > > > > > ----- Original Message ----- > > >> From: "Nils Preusker" > > > > >> To: keycloak-user at lists.jboss.org > > > > >> Sent: Wednesday, 23 April, 2014 11:43:56 AM > > >> Subject: Re: [keycloak-user] bootstrapping of keycloak for > > integration testing > > >> > > >> Another question regarding keycloak artifacts in maven, > > shouldn't > > >> "keycloak-wildfly-adapter-dist" also be available? At least > > this would make > > >> it much easier to create a maven configuration that > > bootstraps a Wildfly > > >> instance with the keycloak adapter. > > >> > > >> I've looked at the integration test suite and find the > > approach quite nice. > > >> However, in order to re-use it I would currently have to > > duplicate most of > > >> the code (KeycloakServer, AbstractKeycloakRule etc.) since > > it is in the test > > >> directory of the keycloak-testsuite-integration module. > > >> > > >> So I thought I'd do the following: > > >> > > >> * create an integration-test module > > >> * bootstrap Wildfly with the wildfly adapter installed with the > > >> maven-dependency-plugin and maven-resources-plugin > > (currently struggling > > >> with the missing artifacts in the repo here so I installed > > it locally for > > >> now...) > > >> * deploy the auth-server.war/ keycloak-server.war and the > > archives I want to > > >> test in an arquillian test case (@Deploy...) > > >> > > >> That's where I'm at right now. I guess the next step would > > be to get the > > >> KeycloakSessionFactory in order to add a test realm > > programmatically. > > >> > > >> However, I just realized that it might be better (and > > easier) to just > > >> bootstrap an embedded Keycloak instance (no server, just the > > core services) > > >> and use it to create a test realm and create tokens that can > > be used in the > > >> test cases. After all, I just need a way to generate bearer > > tokens to make > > >> HTTP requests to the wars I would like to test. Any thoughts > > on how I could > > >> best accomplish that? > > >> > > >> Cheers, > > >> Nils > > >> > > >> > > >> > > >> > > >> On Wed, Apr 23, 2014 at 11:25 AM, Nils Preusker < > > n.preusker at gmail.com > > > >> wrote: > > >> > > >> > > >> > > >> Thanks Marek, I've created a JIRA issue about the missing > > war in the maven > > >> repo: https://issues.jboss.org/browse/KEYCLOAK-424 > > >> > > >> I'll have a look at the integration test suite and let you > > know what I came > > >> up with. > > >> > > >> Cheers, > > >> Nils > > >> > > >> > > >> On Wed, Apr 23, 2014 at 9:25 AM, Marek Posolda < > > mposolda at redhat.com > wrote: > > >> > > >> > > >> > > >> Hi Nils, > > >> > > >> > > >> On 22.4.2014 12:55, Nils Preusker wrote: > > >> > > >> > > >> > > >> Hi guys, > > >> > > >> I'm just setting up an integration test project for our > > application and I'm > > >> wondering what's the best way to bootstrap keycloak within it. > > >> > > >> I'm using arquillian for testing and I'm using the > > maven-dependency-plugin > > >> and maven-resources-plugin to put together a wildfly > > instance with the > > >> keycloak-wildfly-adapter. > > >> > > >> So far, that approach works nicely. However, I'm not quite > > sure yet how to go > > >> about > > >> > > >> * importing a realm and > > >> * creating a bearer/ access token to use in the test cases > > >> > > >> One approach would be to deploy the auth-server.war (is > > there a mvn > > >> repository to pull it from?), POST the realm to the > > respective URL of the > > >> admin console and do the authentication the same way (POST > > >> > > http://localhost:8080/auth/rest/realms/TestRealm/tokens/grants/access > > ). > > >> Looks like it's not. The WAR is here just for Alpha1 > > >> > > https://repository.jboss.org/nexus/content/groups/public/org/keycloak/keycloak-server/1.0-alpha-1-12062013/ > > >> but not for later releases, which looks like a bug IMO. Can > > you create JIRA > > >> for it? I think it won't be bad if release will include all > > the artifacts > > >> including docs and distribution stuff (like WAR and full > > Wildfly appliance) > > >> > > >> > > >> > > >> > > >> > > >> Alternatively, I suppose I could deploy a small helper war > > or jar that > > >> accesses the core services of keycloak to import the realm > > and create test > > >> access tokens (some convenience method like "createLogin()" > > in a test > > >> utility that is deployed with shrink wrap maybe). > > >> > > >> Which option do you recommend or is there a third one that > > I'm missing? > > >> Maybe it will be interesting for you that we have > > integration testsuite > > >> > > https://github.com/keycloak/keycloak/tree/master/testsuite/integration > > . > > >> This testsuite is using embedded Undertow server and it > > programmatically > > >> deploys Keycloak server on it. You can take a look at > > KeycloakServer class > > >> and also at individual tests to see how it works. The point > > is that it's > > >> embedded, so test classes have access to > > KeycloakSessionFactory inside > > >> KeycloakSetup actions and so they can directly use the model > > API to setup > > >> needed things. > > >> > > >> For example in LoginTest, you can see that there is some > > setup action, which > > >> creates new user with usage of Keycloak model API: > > >> > > https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/forms/LoginTest.java#L54 > > >> and then there is selenium test, which verifies that this > > user is able to > > >> login: > > >> > > https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/forms/LoginTest.java#L114 > > >> > > >> Maybe you can reuse some parts of our testsuite and > > programmaticaly deploy > > >> Keycloak server in similar way like it's done here (not sure > > if it's > > >> possible with Arquillian+Shrinkwrap+Wildfly, but I assume > > that yes). If you > > >> still don't have access to Keycloak model API, you can maybe > > write some > > >> selenium utils, which will do needed setup in KC admin > > console UI... > > >> > > >> Another alternative might be that you will use 2 servers in > > your testsuite. > > >> Your wildfly server with adapter installed will be on > > localhost:8080 (you > > >> have it already running) and KC server will be on > > localhost:8081 (You can > > >> directly reuse our testsuite for setup this). > > >> > > >> Good luck and let me know if still having issues. Btw. we > > don't have any > > >> integration tests for admin console and real AS7 and Wildfly > > adapters AFAIK. > > >> So it would be nice if you can share your work once you have > > your testsuite > > >> up and running :-) > > >> > > >> Marek > > >> > > >> > > >> > > >> > > >> Cheers, > > >> Nils > > >> > > >> > > >> _______________________________________________ > > >> keycloak-user mailing list keycloak-user at lists.jboss.org > > > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > >> > > >> > > >> > > >> > > >> _______________________________________________ > > >> keycloak-user mailing list > > >> keycloak-user at lists.jboss.org > > > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From rodrigopsasaki at gmail.com Thu May 15 07:02:01 2014 From: rodrigopsasaki at gmail.com (Rodrigo Sasaki) Date: Thu, 15 May 2014 08:02:01 -0300 Subject: [keycloak-user] Migrating Users Database In-Reply-To: <728585658.7711296.1400141631441.JavaMail.zimbra@redhat.com> References: <728585658.7711296.1400141631441.JavaMail.zimbra@redhat.com> Message-ID: I am very interested in importing the whole database. It seems to be the cleanest way to do what we want to do here, and migrate to keycloak completely. Are there any guidelines on how to do this? Nonetheless I will look into the SPI you mentioned, might come in handy sometime. On Thu, May 15, 2014 at 5:13 AM, Stian Thorgersen wrote: > At the moment we have an Authentication SPI that will let you easily > authenticate users with your existing database of users. The first time a > new user logs in using this approach a user will be pulled in to the > Keycloak database. There's no documentation for this feature yet, but look > at the SPI at > https://github.com/keycloak/keycloak/tree/master/authentication/authentication-apiand the implementation that uses the Keycloak model itself to authenticate > at > https://github.com/keycloak/keycloak/tree/master/authentication/authentication-model > . > > In the future we plan to provide a Sync SPI that will take this one step > further and let you sync users (and roles) to/from an existing database. > > However, if you plan to completely replace your current authentication > system the cleanest solution may be to import your current user database > into Keycloak once and for all. If you're interested in this approach let > me know. > > ----- Original Message ----- > > From: "Rodrigo Sasaki" > > To: keycloak-user at lists.jboss.org > > Sent: Wednesday, 14 May, 2014 8:52:07 PM > > Subject: [keycloak-user] Migrating Users Database > > > > Hi, > > > > I'm trying to replace my current authentication system with Keycloak, > but I > > have one problem. I already have a database of users, populated with > > millions of records, and I wanted to make it work with Keycloak. > > > > What would be the best approach on this scenario? Should I migrate > everything > > to the Keycloak tables, or try to make Keycloak understand my current > > database? > > > > Is there any recommendation on this matter? And if there is, some > explanation > > or documentation? > > > > Thanks! > > > > -- > > Rodrigo Sasaki > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Rodrigo Sasaki -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140515/36e42fed/attachment.html From bburke at redhat.com Thu May 15 10:03:11 2014 From: bburke at redhat.com (Bill Burke) Date: Thu, 15 May 2014 10:03:11 -0400 Subject: [keycloak-user] Migrating Users Database In-Reply-To: References: <728585658.7711296.1400141631441.JavaMail.zimbra@redhat.com> Message-ID: <5374C91F.6000108@redhat.com> FYI, Keycloak will be very slow until we start our performance work (scheduled for Beta-2). Right now, every login/logout/token action is all DB hits. We don't cache anything at the moment! On 5/15/2014 7:02 AM, Rodrigo Sasaki wrote: > I am very interested in importing the whole database. It seems to be the > cleanest way to do what we want to do here, and migrate to keycloak > completely. > > Are there any guidelines on how to do this? Nonetheless I will look into > the SPI you mentioned, might come in handy sometime. > > > On Thu, May 15, 2014 at 5:13 AM, Stian Thorgersen > wrote: > > At the moment we have an Authentication SPI that will let you easily > authenticate users with your existing database of users. The first > time a new user logs in using this approach a user will be pulled in > to the Keycloak database. There's no documentation for this feature > yet, but look at the SPI at > https://github.com/keycloak/keycloak/tree/master/authentication/authentication-api > and the implementation that uses the Keycloak model itself to > authenticate at > https://github.com/keycloak/keycloak/tree/master/authentication/authentication-model. > > In the future we plan to provide a Sync SPI that will take this one > step further and let you sync users (and roles) to/from an existing > database. > > However, if you plan to completely replace your current > authentication system the cleanest solution may be to import your > current user database into Keycloak once and for all. If you're > interested in this approach let me know. > > ----- Original Message ----- > > From: "Rodrigo Sasaki" > > > To: keycloak-user at lists.jboss.org > > > Sent: Wednesday, 14 May, 2014 8:52:07 PM > > Subject: [keycloak-user] Migrating Users Database > > > > Hi, > > > > I'm trying to replace my current authentication system with > Keycloak, but I > > have one problem. I already have a database of users, populated with > > millions of records, and I wanted to make it work with Keycloak. > > > > What would be the best approach on this scenario? Should I > migrate everything > > to the Keycloak tables, or try to make Keycloak understand my current > > database? > > > > Is there any recommendation on this matter? And if there is, some > explanation > > or documentation? > > > > Thanks! > > > > -- > > Rodrigo Sasaki > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > -- > Rodrigo Sasaki > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From rodrigopsasaki at gmail.com Thu May 15 10:05:42 2014 From: rodrigopsasaki at gmail.com (Rodrigo Sasaki) Date: Thu, 15 May 2014 11:05:42 -0300 Subject: [keycloak-user] Migrating Users Database In-Reply-To: <5374C91F.6000108@redhat.com> References: <728585658.7711296.1400141631441.JavaMail.zimbra@redhat.com> <5374C91F.6000108@redhat.com> Message-ID: That's quite alright at the moment. We have seen the roadmap and if it stays around the announced dates, there shouldn't be a problem for us here. On Thu, May 15, 2014 at 11:03 AM, Bill Burke wrote: > FYI, Keycloak will be very slow until we start our performance work > (scheduled for Beta-2). Right now, every login/logout/token action is > all DB hits. We don't cache anything at the moment! > > On 5/15/2014 7:02 AM, Rodrigo Sasaki wrote: > > I am very interested in importing the whole database. It seems to be the > > cleanest way to do what we want to do here, and migrate to keycloak > > completely. > > > > Are there any guidelines on how to do this? Nonetheless I will look into > > the SPI you mentioned, might come in handy sometime. > > > > > > On Thu, May 15, 2014 at 5:13 AM, Stian Thorgersen > > wrote: > > > > At the moment we have an Authentication SPI that will let you easily > > authenticate users with your existing database of users. The first > > time a new user logs in using this approach a user will be pulled in > > to the Keycloak database. There's no documentation for this feature > > yet, but look at the SPI at > > > https://github.com/keycloak/keycloak/tree/master/authentication/authentication-api > > and the implementation that uses the Keycloak model itself to > > authenticate at > > > https://github.com/keycloak/keycloak/tree/master/authentication/authentication-model > . > > > > In the future we plan to provide a Sync SPI that will take this one > > step further and let you sync users (and roles) to/from an existing > > database. > > > > However, if you plan to completely replace your current > > authentication system the cleanest solution may be to import your > > current user database into Keycloak once and for all. If you're > > interested in this approach let me know. > > > > ----- Original Message ----- > > > From: "Rodrigo Sasaki" > > > > > To: keycloak-user at lists.jboss.org > > > > > Sent: Wednesday, 14 May, 2014 8:52:07 PM > > > Subject: [keycloak-user] Migrating Users Database > > > > > > Hi, > > > > > > I'm trying to replace my current authentication system with > > Keycloak, but I > > > have one problem. I already have a database of users, populated > with > > > millions of records, and I wanted to make it work with Keycloak. > > > > > > What would be the best approach on this scenario? Should I > > migrate everything > > > to the Keycloak tables, or try to make Keycloak understand my > current > > > database? > > > > > > Is there any recommendation on this matter? And if there is, some > > explanation > > > or documentation? > > > > > > Thanks! > > > > > > -- > > > Rodrigo Sasaki > > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org keycloak-user at lists.jboss.org> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > -- > > Rodrigo Sasaki > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Rodrigo Sasaki -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140515/0167d5b0/attachment.html From rodrigopsasaki at gmail.com Thu May 15 14:30:00 2014 From: rodrigopsasaki at gmail.com (Rodrigo Sasaki) Date: Thu, 15 May 2014 15:30:00 -0300 Subject: [keycloak-user] Migrating Users Database In-Reply-To: References: <728585658.7711296.1400141631441.JavaMail.zimbra@redhat.com> <5374C91F.6000108@redhat.com> Message-ID: By the way, do you have further information regarding that SPI you mentioned? I was looking at the source code but I couldn't derive much from it, I don't know exactly how I should implement my own provider, and how do I tell keycloak to use mine instead of its own. On Thu, May 15, 2014 at 11:05 AM, Rodrigo Sasaki wrote: > That's quite alright at the moment. > > We have seen the roadmap and if it stays around the announced dates, there > shouldn't be a problem for us here. > > > On Thu, May 15, 2014 at 11:03 AM, Bill Burke wrote: > >> FYI, Keycloak will be very slow until we start our performance work >> (scheduled for Beta-2). Right now, every login/logout/token action is >> all DB hits. We don't cache anything at the moment! >> >> On 5/15/2014 7:02 AM, Rodrigo Sasaki wrote: >> > I am very interested in importing the whole database. It seems to be the >> > cleanest way to do what we want to do here, and migrate to keycloak >> > completely. >> > >> > Are there any guidelines on how to do this? Nonetheless I will look into >> > the SPI you mentioned, might come in handy sometime. >> > >> > >> > On Thu, May 15, 2014 at 5:13 AM, Stian Thorgersen > > > wrote: >> > >> > At the moment we have an Authentication SPI that will let you easily >> > authenticate users with your existing database of users. The first >> > time a new user logs in using this approach a user will be pulled in >> > to the Keycloak database. There's no documentation for this feature >> > yet, but look at the SPI at >> > >> https://github.com/keycloak/keycloak/tree/master/authentication/authentication-api >> > and the implementation that uses the Keycloak model itself to >> > authenticate at >> > >> https://github.com/keycloak/keycloak/tree/master/authentication/authentication-model >> . >> > >> > In the future we plan to provide a Sync SPI that will take this one >> > step further and let you sync users (and roles) to/from an existing >> > database. >> > >> > However, if you plan to completely replace your current >> > authentication system the cleanest solution may be to import your >> > current user database into Keycloak once and for all. If you're >> > interested in this approach let me know. >> > >> > ----- Original Message ----- >> > > From: "Rodrigo Sasaki" > > > >> > > To: keycloak-user at lists.jboss.org >> > >> > > Sent: Wednesday, 14 May, 2014 8:52:07 PM >> > > Subject: [keycloak-user] Migrating Users Database >> > > >> > > Hi, >> > > >> > > I'm trying to replace my current authentication system with >> > Keycloak, but I >> > > have one problem. I already have a database of users, populated >> with >> > > millions of records, and I wanted to make it work with Keycloak. >> > > >> > > What would be the best approach on this scenario? Should I >> > migrate everything >> > > to the Keycloak tables, or try to make Keycloak understand my >> current >> > > database? >> > > >> > > Is there any recommendation on this matter? And if there is, some >> > explanation >> > > or documentation? >> > > >> > > Thanks! >> > > >> > > -- >> > > Rodrigo Sasaki >> > > >> > > _______________________________________________ >> > > keycloak-user mailing list >> > > keycloak-user at lists.jboss.org > keycloak-user at lists.jboss.org> >> > > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> > >> > >> > >> > -- >> > Rodrigo Sasaki >> > >> > >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > > -- > Rodrigo Sasaki > -- Rodrigo Sasaki -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140515/0539bac3/attachment-0001.html From stian at redhat.com Fri May 16 03:50:30 2014 From: stian at redhat.com (Stian Thorgersen) Date: Fri, 16 May 2014 03:50:30 -0400 (EDT) Subject: [keycloak-user] Migrating Users Database In-Reply-To: References: <728585658.7711296.1400141631441.JavaMail.zimbra@redhat.com> <5374C91F.6000108@redhat.com> Message-ID: <647442795.8715244.1400226630637.JavaMail.zimbra@redhat.com> We will add some documentation to this soon, but you basically need to: - Implement https://github.com/keycloak/keycloak/blob/master/authentication/authentication-api/src/main/java/org/keycloak/authentication/AuthenticationProviderFactory.java - Implement https://github.com/keycloak/keycloak/blob/master/authentication/authentication-api/src/main/java/org/keycloak/authentication/AuthenticationProvider.java - Add a 'META-INF/services/org.keycloak.authentication.AuthenticationProviderFactory' that contains the fully qualified name of your AuthenticationProviderFactory implementation Build as a JAR and drop into keycloak/standalone/deployments/auth-server.war/WEB-INF/lib. Start the server, open the admin console, navigate to realm settings and authentication. Click Add Provider and it should now have your new provider. Add it to the realm. It will now use your provider to authenticate users. ----- Original Message ----- > From: "Rodrigo Sasaki" > To: "Bill Burke" > Cc: keycloak-user at lists.jboss.org > Sent: Thursday, 15 May, 2014 7:30:00 PM > Subject: Re: [keycloak-user] Migrating Users Database > > By the way, do you have further information regarding that SPI you mentioned? > > I was looking at the source code but I couldn't derive much from it, I don't > know exactly how I should implement my own provider, and how do I tell > keycloak to use mine instead of its own. > > > On Thu, May 15, 2014 at 11:05 AM, Rodrigo Sasaki < rodrigopsasaki at gmail.com > > wrote: > > > > That's quite alright at the moment. > > We have seen the roadmap and if it stays around the announced dates, there > shouldn't be a problem for us here. > > > On Thu, May 15, 2014 at 11:03 AM, Bill Burke < bburke at redhat.com > wrote: > > > FYI, Keycloak will be very slow until we start our performance work > (scheduled for Beta-2). Right now, every login/logout/token action is > all DB hits. We don't cache anything at the moment! > > On 5/15/2014 7:02 AM, Rodrigo Sasaki wrote: > > I am very interested in importing the whole database. It seems to be the > > cleanest way to do what we want to do here, and migrate to keycloak > > completely. > > > > Are there any guidelines on how to do this? Nonetheless I will look into > > the SPI you mentioned, might come in handy sometime. > > > > > > On Thu, May 15, 2014 at 5:13 AM, Stian Thorgersen < stian at redhat.com > > > wrote: > > > > At the moment we have an Authentication SPI that will let you easily > > authenticate users with your existing database of users. The first > > time a new user logs in using this approach a user will be pulled in > > to the Keycloak database. There's no documentation for this feature > > yet, but look at the SPI at > > https://github.com/keycloak/keycloak/tree/master/authentication/authentication-api > > and the implementation that uses the Keycloak model itself to > > authenticate at > > https://github.com/keycloak/keycloak/tree/master/authentication/authentication-model > > . > > > > In the future we plan to provide a Sync SPI that will take this one > > step further and let you sync users (and roles) to/from an existing > > database. > > > > However, if you plan to completely replace your current > > authentication system the cleanest solution may be to import your > > current user database into Keycloak once and for all. If you're > > interested in this approach let me know. > > > > ----- Original Message ----- > > > From: "Rodrigo Sasaki" < rodrigopsasaki at gmail.com > > > > > > To: keycloak-user at lists.jboss.org > > > > > Sent: Wednesday, 14 May, 2014 8:52:07 PM > > > Subject: [keycloak-user] Migrating Users Database > > > > > > Hi, > > > > > > I'm trying to replace my current authentication system with > > Keycloak, but I > > > have one problem. I already have a database of users, populated with > > > millions of records, and I wanted to make it work with Keycloak. > > > > > > What would be the best approach on this scenario? Should I > > migrate everything > > > to the Keycloak tables, or try to make Keycloak understand my current > > > database? > > > > > > Is there any recommendation on this matter? And if there is, some > > explanation > > > or documentation? > > > > > > Thanks! > > > > > > -- > > > Rodrigo Sasaki > > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > -- > > Rodrigo Sasaki > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Rodrigo Sasaki > > > > -- > Rodrigo Sasaki > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From stian at redhat.com Fri May 16 12:10:40 2014 From: stian at redhat.com (Stian Thorgersen) Date: Fri, 16 May 2014 12:10:40 -0400 (EDT) Subject: [keycloak-user] No refresh-token when requesting access token In-Reply-To: References: Message-ID: <1390352622.9157236.1400256640342.JavaMail.zimbra@redhat.com> Sorry for the rather slow response, but this has been added to master now ----- Original Message ----- > From: "Nils Preusker" > To: keycloak-user at lists.jboss.org > Sent: Friday, 2 May, 2014 2:35:00 PM > Subject: [keycloak-user] No refresh-token when requesting access token > > Hi, > > I noticed that when I request an access token (curl -v -H "Content-type: > application/x-www-form-urlencoded" > http://localhost:8080/auth/rest/realms/keycloak-admin/tokens/grants/access > --data "client_id=...&client_secret=...&username=...&password=..." -H > "Accept: application/json"), the response doesn't contain a refresh token. > > Is this intentional? And might it change in future versions? > > According to http://tools.ietf.org/html/rfc6749#section-4.3 (which is the > spec the above method implements, right?), the refresh token in the access > token response is optional. > > If I'm not mistaken, adding .generateRefreshToken() here: > https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/TokenService.java#L201 > should do the trick, right? > > Cheers, > Nils > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From ungarida at gmail.com Fri May 16 16:20:02 2014 From: ungarida at gmail.com (Davide Ungari) Date: Fri, 16 May 2014 22:20:02 +0200 Subject: [keycloak-user] MongoDB - Model provider not found In-Reply-To: <604752553.7717330.1400142663059.JavaMail.zimbra@redhat.com> References: <604752553.7717330.1400142663059.JavaMail.zimbra@redhat.com> Message-ID: Hi Stian, I think the problem was that I was running "mvn package" inside /keycloak/distribuition instead it works if your run it from root directory. I have all the jars, model-mongo included, but the application fails at startup with error message "No Persistence provider for EntityManager named jpa-keycloak-audit-store\". What am I doing wrong this time? If you need I'm free to test the import process as you do it. Thanks. -- Davide On Thu, May 15, 2014 at 10:31 AM, Stian Thorgersen wrote: > I'm not sure why the mongo model has been removed from the WAR, I'll look > into that. > > We don't yet have support for upgrading the database when upgrading > Keycloak. This will be added soon. The plan is to provide a mechanism to > export the database to a json file, and after installing a new version of > Keycloak you import this json file again. We'll make this import backwards > compatible so you can import a json file from any older versions of > Keycloak. > > ----- Original Message ----- > > From: "Davide Ungari" > > To: keycloak-user at lists.jboss.org > > Sent: Monday, 12 May, 2014 7:13:53 PM > > Subject: Re: [keycloak-user] MongoDB - Model provider not found > > > > I found out that: > > 1- the command "mvn package" does not include mongo module and driver > > 2- there is a regression on data model, updating source of keycloak I > must > > drop database in order to see the admin console works again > > -- > > Davide > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140516/b169ee9e/attachment.html From n.preusker at gmail.com Fri May 16 17:35:10 2014 From: n.preusker at gmail.com (Nils Preusker) Date: Fri, 16 May 2014 22:35:10 +0100 Subject: [keycloak-user] No refresh-token when requesting access token In-Reply-To: <1390352622.9157236.1400256640342.JavaMail.zimbra@redhat.com> References: <1390352622.9157236.1400256640342.JavaMail.zimbra@redhat.com> Message-ID: Cheers, any idea when you'll do the next release? Nils -- Blog: www.nilspreusker.de > On May 16, 2014, at 17:10, Stian Thorgersen wrote: > > Sorry for the rather slow response, but this has been added to master now > > ----- Original Message ----- >> From: "Nils Preusker" >> To: keycloak-user at lists.jboss.org >> Sent: Friday, 2 May, 2014 2:35:00 PM >> Subject: [keycloak-user] No refresh-token when requesting access token >> >> Hi, >> >> I noticed that when I request an access token (curl -v -H "Content-type: >> application/x-www-form-urlencoded" >> http://localhost:8080/auth/rest/realms/keycloak-admin/tokens/grants/access >> --data "client_id=...&client_secret=...&username=...&password=..." -H >> "Accept: application/json"), the response doesn't contain a refresh token. >> >> Is this intentional? And might it change in future versions? >> >> According to http://tools.ietf.org/html/rfc6749#section-4.3 (which is the >> spec the above method implements, right?), the refresh token in the access >> token response is optional. >> >> If I'm not mistaken, adding .generateRefreshToken() here: >> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/TokenService.java#L201 >> should do the trick, right? >> >> Cheers, >> Nils >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user From bburke at redhat.com Fri May 16 20:13:26 2014 From: bburke at redhat.com (Bill Burke) Date: Fri, 16 May 2014 20:13:26 -0400 Subject: [keycloak-user] No refresh-token when requesting access token In-Reply-To: References: <1390352622.9157236.1400256640342.JavaMail.zimbra@redhat.com> Message-ID: <5376A9A6.4050405@redhat.com> I'm gonna guess 2 weeks. We're running behind. Still a bunch of jiras to finish and docs to write. On 5/16/2014 5:35 PM, Nils Preusker wrote: > Cheers, any idea when you'll do the next release? > > Nils > > -- > Blog: www.nilspreusker.de > >> On May 16, 2014, at 17:10, Stian Thorgersen wrote: >> >> Sorry for the rather slow response, but this has been added to master now >> >> ----- Original Message ----- >>> From: "Nils Preusker" >>> To: keycloak-user at lists.jboss.org >>> Sent: Friday, 2 May, 2014 2:35:00 PM >>> Subject: [keycloak-user] No refresh-token when requesting access token >>> >>> Hi, >>> >>> I noticed that when I request an access token (curl -v -H "Content-type: >>> application/x-www-form-urlencoded" >>> http://localhost:8080/auth/rest/realms/keycloak-admin/tokens/grants/access >>> --data "client_id=...&client_secret=...&username=...&password=..." -H >>> "Accept: application/json"), the response doesn't contain a refresh token. >>> >>> Is this intentional? And might it change in future versions? >>> >>> According to http://tools.ietf.org/html/rfc6749#section-4.3 (which is the >>> spec the above method implements, right?), the refresh token in the access >>> token response is optional. >>> >>> If I'm not mistaken, adding .generateRefreshToken() here: >>> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/TokenService.java#L201 >>> should do the trick, right? >>> >>> Cheers, >>> Nils >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From rodrigopsasaki at gmail.com Mon May 19 12:05:28 2014 From: rodrigopsasaki at gmail.com (Rodrigo Sasaki) Date: Mon, 19 May 2014 13:05:28 -0300 Subject: [keycloak-user] Migrating Users Database In-Reply-To: <647442795.8715244.1400226630637.JavaMail.zimbra@redhat.com> References: <728585658.7711296.1400141631441.JavaMail.zimbra@redhat.com> <5374C91F.6000108@redhat.com> <647442795.8715244.1400226630637.JavaMail.zimbra@redhat.com> Message-ID: I have done most of what you mentioned, although I didn't find the "Settings and Authentication" part on the Realm Settings. I couldn't add the new provider to it like you said, and the version I'm using is the one available on the github repo. Also I saw that I should probably implement a RealmAdapter aswell, to provide access to my table structure, is that correct? If so, how should I configure Keycloak to use my adapter to find users, and not it's default one? Or at least not only it's default one On Fri, May 16, 2014 at 4:50 AM, Stian Thorgersen wrote: > We will add some documentation to this soon, but you basically need to: > > - Implement > https://github.com/keycloak/keycloak/blob/master/authentication/authentication-api/src/main/java/org/keycloak/authentication/AuthenticationProviderFactory.java > - Implement > https://github.com/keycloak/keycloak/blob/master/authentication/authentication-api/src/main/java/org/keycloak/authentication/AuthenticationProvider.java > - Add a > 'META-INF/services/org.keycloak.authentication.AuthenticationProviderFactory' > that contains the fully qualified name of your > AuthenticationProviderFactory implementation > > Build as a JAR and drop into > keycloak/standalone/deployments/auth-server.war/WEB-INF/lib. > > Start the server, open the admin console, navigate to realm settings and > authentication. Click Add Provider and it should now have your new > provider. Add it to the realm. > > It will now use your provider to authenticate users. > > ----- Original Message ----- > > From: "Rodrigo Sasaki" > > To: "Bill Burke" > > Cc: keycloak-user at lists.jboss.org > > Sent: Thursday, 15 May, 2014 7:30:00 PM > > Subject: Re: [keycloak-user] Migrating Users Database > > > > By the way, do you have further information regarding that SPI you > mentioned? > > > > I was looking at the source code but I couldn't derive much from it, I > don't > > know exactly how I should implement my own provider, and how do I tell > > keycloak to use mine instead of its own. > > > > > > On Thu, May 15, 2014 at 11:05 AM, Rodrigo Sasaki < > rodrigopsasaki at gmail.com > > > wrote: > > > > > > > > That's quite alright at the moment. > > > > We have seen the roadmap and if it stays around the announced dates, > there > > shouldn't be a problem for us here. > > > > > > On Thu, May 15, 2014 at 11:03 AM, Bill Burke < bburke at redhat.com > > wrote: > > > > > > FYI, Keycloak will be very slow until we start our performance work > > (scheduled for Beta-2). Right now, every login/logout/token action is > > all DB hits. We don't cache anything at the moment! > > > > On 5/15/2014 7:02 AM, Rodrigo Sasaki wrote: > > > I am very interested in importing the whole database. It seems to be > the > > > cleanest way to do what we want to do here, and migrate to keycloak > > > completely. > > > > > > Are there any guidelines on how to do this? Nonetheless I will look > into > > > the SPI you mentioned, might come in handy sometime. > > > > > > > > > On Thu, May 15, 2014 at 5:13 AM, Stian Thorgersen < stian at redhat.com > > > > wrote: > > > > > > At the moment we have an Authentication SPI that will let you easily > > > authenticate users with your existing database of users. The first > > > time a new user logs in using this approach a user will be pulled in > > > to the Keycloak database. There's no documentation for this feature > > > yet, but look at the SPI at > > > > https://github.com/keycloak/keycloak/tree/master/authentication/authentication-api > > > and the implementation that uses the Keycloak model itself to > > > authenticate at > > > > https://github.com/keycloak/keycloak/tree/master/authentication/authentication-model > > > . > > > > > > In the future we plan to provide a Sync SPI that will take this one > > > step further and let you sync users (and roles) to/from an existing > > > database. > > > > > > However, if you plan to completely replace your current > > > authentication system the cleanest solution may be to import your > > > current user database into Keycloak once and for all. If you're > > > interested in this approach let me know. > > > > > > ----- Original Message ----- > > > > From: "Rodrigo Sasaki" < rodrigopsasaki at gmail.com > > > > > > > > To: keycloak-user at lists.jboss.org > > > > > > > Sent: Wednesday, 14 May, 2014 8:52:07 PM > > > > Subject: [keycloak-user] Migrating Users Database > > > > > > > > Hi, > > > > > > > > I'm trying to replace my current authentication system with > > > Keycloak, but I > > > > have one problem. I already have a database of users, populated with > > > > millions of records, and I wanted to make it work with Keycloak. > > > > > > > > What would be the best approach on this scenario? Should I > > > migrate everything > > > > to the Keycloak tables, or try to make Keycloak understand my current > > > > database? > > > > > > > > Is there any recommendation on this matter? And if there is, some > > > explanation > > > > or documentation? > > > > > > > > Thanks! > > > > > > > > -- > > > > Rodrigo Sasaki > > > > > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > > > > > -- > > > Rodrigo Sasaki > > > > > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > -- > > Bill Burke > > JBoss, a division of Red Hat > > http://bill.burkecentral.com > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > -- > > Rodrigo Sasaki > > > > > > > > -- > > Rodrigo Sasaki > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Rodrigo Sasaki -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140519/63b06ecb/attachment-0001.html From mposolda at redhat.com Mon May 19 16:38:36 2014 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 19 May 2014 22:38:36 +0200 Subject: [keycloak-user] MongoDB - Model provider not found In-Reply-To: References: <604752553.7717330.1400142663059.JavaMail.zimbra@redhat.com> Message-ID: <537A6BCC.2040104@redhat.com> Hi, I guess you removed persistence.xml from auth-server.war right? In newest version, persistence.xml contains configuration of model-api, but also for audit-api . Default implementation of audit-api is based on JPA and needs persistence.xml . Thing is that default implementation of audit-api is always based on JPA even if you changed your model implementation to "mongo". My opinion is, that we should change this behaviour. So default implementation of audit-api will be same like the chosen implementation of model-api. So if someone (like you) changed the implementation of model to be based on mongo, the audit-api will automatically use mongo as well. I will discuss with guys about this tomorrow. Until this is done, I think that easiest solution for you is to manually switch audit-api to use mongo as well. So in addition to property "-Dkeycloak.model=mongo" you also need to add property "-Dkeycloak.audit=mongo" . Marek On 16.5.2014 22:20, Davide Ungari wrote: > Hi Stian, > I think the problem was that I was running "mvn package" inside > /keycloak/distribuition instead it works if your run it from root > directory. > > I have all the jars, model-mongo included, but the application fails > at startup with error message "No Persistence provider for > EntityManager named jpa-keycloak-audit-store\". What am I doing wrong > this time? > > If you need I'm free to test the import process as you do it. > > Thanks. > > -- > Davide > > > On Thu, May 15, 2014 at 10:31 AM, Stian Thorgersen > wrote: > > I'm not sure why the mongo model has been removed from the WAR, > I'll look into that. > "jpa-keycloak-identity-store" > We don't yet have support for upgrading the database when > upgrading Keycloak. This will be added soon. The plan is to > provide a mechanism to export the database to a json file, and > after installing a new version of Keycloak you import this json > file again. We'll make this import backwards compatible so you can > import a json file from any older versions of Keycloak. > > ----- Original Message ----- > > From: "Davide Ungari" > > > To: keycloak-user at lists.jboss.org > > > Sent: Monday, 12 May, 2014 7:13:53 PM > > Subject: Re: [keycloak-user] MongoDB - Model provider not found > > > > I found out that: > > 1- the command "mvn package" does not include mongo module and > driver > > 2- there is a regression on data model, updating source of > keycloak I must > > drop database in order to see the admin console works again > > -- > > Davide > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140519/8dfe4084/attachment.html From mposolda at redhat.com Mon May 19 16:20:28 2014 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 19 May 2014 22:20:28 +0200 Subject: [keycloak-user] Migrating Users Database In-Reply-To: References: <728585658.7711296.1400141631441.JavaMail.zimbra@redhat.com> <5374C91F.6000108@redhat.com> <647442795.8715244.1400226630637.JavaMail.zimbra@redhat.com> Message-ID: <537A678C.8030705@redhat.com> Hi Rodrigo, it's not "Settings and Authentication", but it's tab "Settings" and then top bar called "Authentication" inside it. It will be opened if you login to admin console and then open URL: http://localhost:8081/auth/admin/#/realms/keycloak-admin (Replace 'keycloak-admin' with name of your realm, for example 'test'). Once you open it, you can click to button "Add provider" and your provider should be available in the list of available authentication providers. For the inspiration, you can take a look at the existing implementations, for example this one: https://github.com/keycloak/keycloak/tree/master/authentication/authentication-picketlink and it's configuration in file: https://github.com/keycloak/keycloak/blob/master/authentication/authentication-picketlink/src/main/resources/META-INF/services/org.keycloak.authentication.AuthenticationProviderFactory . Note that it's using standard java ServiceLoader mechanism described here - http://docs.oracle.com/javase/6/docs/api/java/util/ServiceLoader.html You don't need implement RealmAdapter . RealmAdapter is not related to authentication SPI. It's implementation of interface RealmModel, which is part of model-api. You need to implement model-api just in case that you want to create your own storage for all keycloak data, but implementing whole model-api is much more complicated and challenging than implementation of authentication-api. So in shortcut, you need to implement AuthenticationProvider interface, which will be able to read data from your internal database. Marek On 19.5.2014 18:05, Rodrigo Sasaki wrote: > I have done most of what you mentioned, although I didn't find the > "Settings and Authentication" part on the Realm Settings. I couldn't > add the new provider to it like you said, and the version I'm using is > the one available on the github repo. > > Also I saw that I should probably implement a RealmAdapter aswell, to > provide access to my table structure, is that correct? If so, how > should I configure Keycloak to use my adapter to find users, and not > it's default one? Or at least not only it's default one > > > On Fri, May 16, 2014 at 4:50 AM, Stian Thorgersen > wrote: > > We will add some documentation to this soon, but you basically > need to: > > - Implement > https://github.com/keycloak/keycloak/blob/master/authentication/authentication-api/src/main/java/org/keycloak/authentication/AuthenticationProviderFactory.java > - Implement > https://github.com/keycloak/keycloak/blob/master/authentication/authentication-api/src/main/java/org/keycloak/authentication/AuthenticationProvider.java > - Add a > 'META-INF/services/org.keycloak.authentication.AuthenticationProviderFactory' > that contains the fully qualified name of your > AuthenticationProviderFactory implementation > > Build as a JAR and drop into > keycloak/standalone/deployments/auth-server.war/WEB-INF/lib. > > Start the server, open the admin console, navigate to realm > settings and authentication. Click Add Provider and it should now > have your new provider. Add it to the realm. > > It will now use your provider to authenticate users. > > ----- Original Message ----- > > From: "Rodrigo Sasaki" > > > To: "Bill Burke" > > > Cc: keycloak-user at lists.jboss.org > > > Sent: Thursday, 15 May, 2014 7:30:00 PM > > Subject: Re: [keycloak-user] Migrating Users Database > > > > By the way, do you have further information regarding that SPI > you mentioned? > > > > I was looking at the source code but I couldn't derive much from > it, I don't > > know exactly how I should implement my own provider, and how do > I tell > > keycloak to use mine instead of its own. > > > > > > On Thu, May 15, 2014 at 11:05 AM, Rodrigo Sasaki < > rodrigopsasaki at gmail.com > > > wrote: > > > > > > > > That's quite alright at the moment. > > > > We have seen the roadmap and if it stays around the announced > dates, there > > shouldn't be a problem for us here. > > > > > > On Thu, May 15, 2014 at 11:03 AM, Bill Burke < bburke at redhat.com > > wrote: > > > > > > FYI, Keycloak will be very slow until we start our performance work > > (scheduled for Beta-2). Right now, every login/logout/token > action is > > all DB hits. We don't cache anything at the moment! > > > > On 5/15/2014 7:02 AM, Rodrigo Sasaki wrote: > > > I am very interested in importing the whole database. It seems > to be the > > > cleanest way to do what we want to do here, and migrate to > keycloak > > > completely. > > > > > > Are there any guidelines on how to do this? Nonetheless I will > look into > > > the SPI you mentioned, might come in handy sometime. > > > > > > > > > On Thu, May 15, 2014 at 5:13 AM, Stian Thorgersen < > stian at redhat.com > > > >> wrote: > > > > > > At the moment we have an Authentication SPI that will let you > easily > > > authenticate users with your existing database of users. The first > > > time a new user logs in using this approach a user will be > pulled in > > > to the Keycloak database. There's no documentation for this > feature > > > yet, but look at the SPI at > > > > https://github.com/keycloak/keycloak/tree/master/authentication/authentication-api > > > and the implementation that uses the Keycloak model itself to > > > authenticate at > > > > https://github.com/keycloak/keycloak/tree/master/authentication/authentication-model > > > . > > > > > > In the future we plan to provide a Sync SPI that will take > this one > > > step further and let you sync users (and roles) to/from an > existing > > > database. > > > > > > However, if you plan to completely replace your current > > > authentication system the cleanest solution may be to import your > > > current user database into Keycloak once and for all. If you're > > > interested in this approach let me know. > > > > > > ----- Original Message ----- > > > > From: "Rodrigo Sasaki" < rodrigopsasaki at gmail.com > > > > >> > > > > To: keycloak-user at lists.jboss.org > > > >

> > > > > Sent: Wednesday, 14 May, 2014 8:52:07 PM > > > > Subject: [keycloak-user] Migrating Users Database > > > > > > > > Hi, > > > > > > > > I'm trying to replace my current authentication system with > > > Keycloak, but I > > > > have one problem. I already have a database of users, > populated with > > > > millions of records, and I wanted to make it work with Keycloak. > > > > > > > > What would be the best approach on this scenario? Should I > > > migrate everything > > > > to the Keycloak tables, or try to make Keycloak understand > my current > > > > database? > > > > > > > > Is there any recommendation on this matter? And if there is, > some > > > explanation > > > > or documentation? > > > > > > > > Thanks! > > > > > > > > -- > > > > Rodrigo Sasaki > > > > > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user at lists.jboss.org > keycloak-user at lists.jboss.org > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > > > > > -- > > > Rodrigo Sasaki > > > > > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > -- > > Bill Burke > > JBoss, a division of Red Hat > > http://bill.burkecentral.com > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > >admin > > > > -- > > Rodrigo Sasaki > > > > > > > > -- > > Rodrigo Sasaki > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > -- > Rodrigo Sasaki > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140519/b8406192/attachment-0001.html From ungarida at gmail.com Tue May 20 03:17:52 2014 From: ungarida at gmail.com (Davide Ungari) Date: Tue, 20 May 2014 09:17:52 +0200 Subject: [keycloak-user] MongoDB - Model provider not found In-Reply-To: <537A6BCC.2040104@redhat.com> References: <604752553.7717330.1400142663059.JavaMail.zimbra@redhat.com> <537A6BCC.2040104@redhat.com> Message-ID: Hi Marek, thanks for your answer. You could add a paragraph in documentation page http://docs.jboss.org/keycloak/docs/1.0-alpha-3/userguide/html_single/index.html#d4e167 about this. -- Davide On Mon, May 19, 2014 at 10:38 PM, Marek Posolda wrote: > Hi, > > I guess you removed persistence.xml from auth-server.war right? In newest > version, persistence.xml contains configuration of model-api, but also for > audit-api . Default implementation of audit-api is based on JPA and needs > persistence.xml . > > Thing is that default implementation of audit-api is always based on JPA > even if you changed your model implementation to "mongo". My opinion is, > that we should change this behaviour. So default implementation of > audit-api will be same like the chosen implementation of model-api. So if > someone (like you) changed the implementation of model to be based on > mongo, the audit-api will automatically use mongo as well. I will discuss > with guys about this tomorrow. > > Until this is done, I think that easiest solution for you is to manually > switch audit-api to use mongo as well. So in addition to property > "-Dkeycloak.model=mongo" you also need to add property > "-Dkeycloak.audit=mongo" . > > Marek > > > On 16.5.2014 22:20, Davide Ungari wrote: > > Hi Stian, > I think the problem was that I was running "mvn package" inside > /keycloak/distribuition instead it works if your run it from root > directory. > > I have all the jars, model-mongo included, but the application fails at > startup with error message "No Persistence provider for EntityManager named > jpa-keycloak-audit-store\". What am I doing wrong this time? > > If you need I'm free to test the import process as you do it. > > Thanks. > > -- > Davide > > > On Thu, May 15, 2014 at 10:31 AM, Stian Thorgersen wrote: > >> I'm not sure why the mongo model has been removed from the WAR, I'll look >> into that. >> "jpa-keycloak-identity-store" >> >> We don't yet have support for upgrading the database when upgrading >> Keycloak. This will be added soon. The plan is to provide a mechanism to >> export the database to a json file, and after installing a new version of >> Keycloak you import this json file again. We'll make this import backwards >> compatible so you can import a json file from any older versions of >> Keycloak. >> >> ----- Original Message ----- >> > From: "Davide Ungari" >> > To: keycloak-user at lists.jboss.org >> > Sent: Monday, 12 May, 2014 7:13:53 PM >> > Subject: Re: [keycloak-user] MongoDB - Model provider not found >> > >> > I found out that: >> > 1- the command "mvn package" does not include mongo module and driver >> > 2- there is a regression on data model, updating source of keycloak I >> must >> > drop database in order to see the admin console works again >> > -- >> > Davide >> > >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > > _______________________________________________ > keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140520/9467eccf/attachment.html From bardacp at gmail.com Tue May 20 03:41:43 2014 From: bardacp at gmail.com (Peter Bardac) Date: Tue, 20 May 2014 09:41:43 +0200 Subject: [keycloak-user] How to logout user from keycloak Message-ID: Hi, I'd like to ask how can i simply logout from web application. It seems that using simple HttpServletRequest.logout() does not work for me. Thanks -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140520/e9b4331b/attachment.html From stian at redhat.com Tue May 20 04:45:59 2014 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 20 May 2014 04:45:59 -0400 (EDT) Subject: [keycloak-user] MongoDB - Model provider not found In-Reply-To: References: <604752553.7717330.1400142663059.JavaMail.zimbra@redhat.com> <537A6BCC.2040104@redhat.com> Message-ID: <1418816592.10742338.1400575559611.JavaMail.zimbra@redhat.com> In master this has recently changed and is now configured in a config file instead of through system properties. The documentation will be updated in due time. ----- Original Message ----- > From: "Davide Ungari" > To: "Marek Posolda" > Cc: "Stian Thorgersen" , keycloak-user at lists.jboss.org > Sent: Tuesday, 20 May, 2014 8:17:52 AM > Subject: Re: [keycloak-user] MongoDB - Model provider not found > > Hi Marek, > thanks for your answer. > > You could add a paragraph in documentation page > http://docs.jboss.org/keycloak/docs/1.0-alpha-3/userguide/html_single/index.html#d4e167 > about > this. > > > -- > Davide > > > On Mon, May 19, 2014 at 10:38 PM, Marek Posolda wrote: > > > Hi, > > > > I guess you removed persistence.xml from auth-server.war right? In newest > > version, persistence.xml contains configuration of model-api, but also for > > audit-api . Default implementation of audit-api is based on JPA and needs > > persistence.xml . > > > > Thing is that default implementation of audit-api is always based on JPA > > even if you changed your model implementation to "mongo". My opinion is, > > that we should change this behaviour. So default implementation of > > audit-api will be same like the chosen implementation of model-api. So if > > someone (like you) changed the implementation of model to be based on > > mongo, the audit-api will automatically use mongo as well. I will discuss > > with guys about this tomorrow. > > > > Until this is done, I think that easiest solution for you is to manually > > switch audit-api to use mongo as well. So in addition to property > > "-Dkeycloak.model=mongo" you also need to add property > > "-Dkeycloak.audit=mongo" . > > > > Marek > > > > > > On 16.5.2014 22:20, Davide Ungari wrote: > > > > Hi Stian, > > I think the problem was that I was running "mvn package" inside > > /keycloak/distribuition instead it works if your run it from root > > directory. > > > > I have all the jars, model-mongo included, but the application fails at > > startup with error message "No Persistence provider for EntityManager named > > jpa-keycloak-audit-store\". What am I doing wrong this time? > > > > If you need I'm free to test the import process as you do it. > > > > Thanks. > > > > -- > > Davide > > > > > > On Thu, May 15, 2014 at 10:31 AM, Stian Thorgersen wrote: > > > >> I'm not sure why the mongo model has been removed from the WAR, I'll look > >> into that. > >> "jpa-keycloak-identity-store" > >> > >> We don't yet have support for upgrading the database when upgrading > >> Keycloak. This will be added soon. The plan is to provide a mechanism to > >> export the database to a json file, and after installing a new version of > >> Keycloak you import this json file again. We'll make this import backwards > >> compatible so you can import a json file from any older versions of > >> Keycloak. > >> > >> ----- Original Message ----- > >> > From: "Davide Ungari" > >> > To: keycloak-user at lists.jboss.org > >> > Sent: Monday, 12 May, 2014 7:13:53 PM > >> > Subject: Re: [keycloak-user] MongoDB - Model provider not found > >> > > >> > I found out that: > >> > 1- the command "mvn package" does not include mongo module and driver > >> > 2- there is a regression on data model, updating source of keycloak I > >> must > >> > drop database in order to see the admin console works again > >> > -- > >> > Davide > >> > > >> > _______________________________________________ > >> > keycloak-user mailing list > >> > keycloak-user at lists.jboss.org > >> > https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > > > > > > > _______________________________________________ > > keycloak-user mailing > > listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > From stian at redhat.com Tue May 20 05:13:40 2014 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 20 May 2014 05:13:40 -0400 (EDT) Subject: [keycloak-user] How to logout user from keycloak In-Reply-To: References: Message-ID: <1707862899.10754476.1400577220081.JavaMail.zimbra@redhat.com> Hopefully we can make HttpServletRequest.logout() work, can you jira it please? Until that's fixed you can logout by adding redirecting or adding a link to: http:///auth/realms//tokens/logout?redirect_uri= ----- Original Message ----- > From: "Peter Bardac" > To: keycloak-user at lists.jboss.org > Sent: Tuesday, 20 May, 2014 8:41:43 AM > Subject: [keycloak-user] How to logout user from keycloak > > Hi, > > I'd like to ask how can i simply logout from web application. It seems that > using simple HttpServletRequest.logout() does not work for me. > > Thanks > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From ungarida at gmail.com Tue May 20 05:38:41 2014 From: ungarida at gmail.com (Davide Ungari) Date: Tue, 20 May 2014 11:38:41 +0200 Subject: [keycloak-user] MongoDB - Model provider not found In-Reply-To: <1418816592.10742338.1400575559611.JavaMail.zimbra@redhat.com> References: <604752553.7717330.1400142663059.JavaMail.zimbra@redhat.com> <537A6BCC.2040104@redhat.com> <1418816592.10742338.1400575559611.JavaMail.zimbra@redhat.com> Message-ID: Hi Stian, I'm aligned to master. Could you show me the class I must read to understand how to configure it? -- Davide On Tue, May 20, 2014 at 10:45 AM, Stian Thorgersen wrote: > In master this has recently changed and is now configured in a config file > instead of through system properties. The documentation will be updated in > due time. > > ----- Original Message ----- > > From: "Davide Ungari" > > To: "Marek Posolda" > > Cc: "Stian Thorgersen" , keycloak-user at lists.jboss.org > > Sent: Tuesday, 20 May, 2014 8:17:52 AM > > Subject: Re: [keycloak-user] MongoDB - Model provider not found > > > > Hi Marek, > > thanks for your answer. > > > > You could add a paragraph in documentation page > > > http://docs.jboss.org/keycloak/docs/1.0-alpha-3/userguide/html_single/index.html#d4e167 > > about > > this. > > > > > > -- > > Davide > > > > > > On Mon, May 19, 2014 at 10:38 PM, Marek Posolda > wrote: > > > > > Hi, > > > > > > I guess you removed persistence.xml from auth-server.war right? In > newest > > > version, persistence.xml contains configuration of model-api, but also > for > > > audit-api . Default implementation of audit-api is based on JPA and > needs > > > persistence.xml . > > > > > > Thing is that default implementation of audit-api is always based on > JPA > > > even if you changed your model implementation to "mongo". My opinion > is, > > > that we should change this behaviour. So default implementation of > > > audit-api will be same like the chosen implementation of model-api. So > if > > > someone (like you) changed the implementation of model to be based on > > > mongo, the audit-api will automatically use mongo as well. I will > discuss > > > with guys about this tomorrow. > > > > > > Until this is done, I think that easiest solution for you is to > manually > > > switch audit-api to use mongo as well. So in addition to property > > > "-Dkeycloak.model=mongo" you also need to add property > > > "-Dkeycloak.audit=mongo" . > > > > > > Marek > > > > > > > > > On 16.5.2014 22:20, Davide Ungari wrote: > > > > > > Hi Stian, > > > I think the problem was that I was running "mvn package" inside > > > /keycloak/distribuition instead it works if your run it from root > > > directory. > > > > > > I have all the jars, model-mongo included, but the application fails > at > > > startup with error message "No Persistence provider for EntityManager > named > > > jpa-keycloak-audit-store\". What am I doing wrong this time? > > > > > > If you need I'm free to test the import process as you do it. > > > > > > Thanks. > > > > > > -- > > > Davide > > > > > > > > > On Thu, May 15, 2014 at 10:31 AM, Stian Thorgersen >wrote: > > > > > >> I'm not sure why the mongo model has been removed from the WAR, I'll > look > > >> into that. > > >> "jpa-keycloak-identity-store" > > >> > > >> We don't yet have support for upgrading the database when upgrading > > >> Keycloak. This will be added soon. The plan is to provide a mechanism > to > > >> export the database to a json file, and after installing a new > version of > > >> Keycloak you import this json file again. We'll make this import > backwards > > >> compatible so you can import a json file from any older versions of > > >> Keycloak. > > >> > > >> ----- Original Message ----- > > >> > From: "Davide Ungari" > > >> > To: keycloak-user at lists.jboss.org > > >> > Sent: Monday, 12 May, 2014 7:13:53 PM > > >> > Subject: Re: [keycloak-user] MongoDB - Model provider not found > > >> > > > >> > I found out that: > > >> > 1- the command "mvn package" does not include mongo module and > driver > > >> > 2- there is a regression on data model, updating source of keycloak > I > > >> must > > >> > drop database in order to see the admin console works again > > >> > -- > > >> > Davide > > >> > > > >> > _______________________________________________ > > >> > keycloak-user mailing list > > >> > keycloak-user at lists.jboss.org > > >> > https://lists.jboss.org/mailman/listinfo/keycloak-user > > >> > > > > > > > > > > > > _______________________________________________ > > > keycloak-user mailing > > > listkeycloak-user at lists.jboss.orghttps:// > lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140520/2be6d2a5/attachment-0001.html From stian at redhat.com Tue May 20 05:52:10 2014 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 20 May 2014 05:52:10 -0400 (EDT) Subject: [keycloak-user] MongoDB - Model provider not found In-Reply-To: References: <604752553.7717330.1400142663059.JavaMail.zimbra@redhat.com> <537A6BCC.2040104@redhat.com> <1418816592.10742338.1400575559611.JavaMail.zimbra@redhat.com> Message-ID: <394393468.10770898.1400579530894.JavaMail.zimbra@redhat.com> You need to edit: standalone/deployments/auth-server.war/WEB-INF/classes/META-INF/keycloak-server.json For mongo replace "model" and "audit" with: "audit": { "provider": "mongo", "mongo": { "host": "", "port": , "user": , "password": } }, "model": { "provider": "mongo" "mongo": { "host": "", "port": , "user": , "password": } } "host" and "port" are optional if not specified "localhost" and 27017 will be used. "user" and "password" are optional as well, these are only required if you've enabled authentication for your mongo db. You can also change the db name by adding "db". ----- Original Message ----- > From: "Davide Ungari" > To: "Stian Thorgersen" > Cc: "Marek Posolda" , keycloak-user at lists.jboss.org > Sent: Tuesday, 20 May, 2014 10:38:41 AM > Subject: Re: [keycloak-user] MongoDB - Model provider not found > > Hi Stian, > I'm aligned to master. > Could you show me the class I must read to understand how to configure it? > > -- > Davide > > > On Tue, May 20, 2014 at 10:45 AM, Stian Thorgersen wrote: > > > In master this has recently changed and is now configured in a config file > > instead of through system properties. The documentation will be updated in > > due time. > > > > ----- Original Message ----- > > > From: "Davide Ungari" > > > To: "Marek Posolda" > > > Cc: "Stian Thorgersen" , keycloak-user at lists.jboss.org > > > Sent: Tuesday, 20 May, 2014 8:17:52 AM > > > Subject: Re: [keycloak-user] MongoDB - Model provider not found > > > > > > Hi Marek, > > > thanks for your answer. > > > > > > You could add a paragraph in documentation page > > > > > http://docs.jboss.org/keycloak/docs/1.0-alpha-3/userguide/html_single/index.html#d4e167 > > > about > > > this. > > > > > > > > > -- > > > Davide > > > > > > > > > On Mon, May 19, 2014 at 10:38 PM, Marek Posolda > > wrote: > > > > > > > Hi, > > > > > > > > I guess you removed persistence.xml from auth-server.war right? In > > newest > > > > version, persistence.xml contains configuration of model-api, but also > > for > > > > audit-api . Default implementation of audit-api is based on JPA and > > needs > > > > persistence.xml . > > > > > > > > Thing is that default implementation of audit-api is always based on > > JPA > > > > even if you changed your model implementation to "mongo". My opinion > > is, > > > > that we should change this behaviour. So default implementation of > > > > audit-api will be same like the chosen implementation of model-api. So > > if > > > > someone (like you) changed the implementation of model to be based on > > > > mongo, the audit-api will automatically use mongo as well. I will > > discuss > > > > with guys about this tomorrow. > > > > > > > > Until this is done, I think that easiest solution for you is to > > manually > > > > switch audit-api to use mongo as well. So in addition to property > > > > "-Dkeycloak.model=mongo" you also need to add property > > > > "-Dkeycloak.audit=mongo" . > > > > > > > > Marek > > > > > > > > > > > > On 16.5.2014 22:20, Davide Ungari wrote: > > > > > > > > Hi Stian, > > > > I think the problem was that I was running "mvn package" inside > > > > /keycloak/distribuition instead it works if your run it from root > > > > directory. > > > > > > > > I have all the jars, model-mongo included, but the application fails > > at > > > > startup with error message "No Persistence provider for EntityManager > > named > > > > jpa-keycloak-audit-store\". What am I doing wrong this time? > > > > > > > > If you need I'm free to test the import process as you do it. > > > > > > > > Thanks. > > > > > > > > -- > > > > Davide > > > > > > > > > > > > On Thu, May 15, 2014 at 10:31 AM, Stian Thorgersen > >wrote: > > > > > > > >> I'm not sure why the mongo model has been removed from the WAR, I'll > > look > > > >> into that. > > > >> "jpa-keycloak-identity-store" > > > >> > > > >> We don't yet have support for upgrading the database when upgrading > > > >> Keycloak. This will be added soon. The plan is to provide a mechanism > > to > > > >> export the database to a json file, and after installing a new > > version of > > > >> Keycloak you import this json file again. We'll make this import > > backwards > > > >> compatible so you can import a json file from any older versions of > > > >> Keycloak. > > > >> > > > >> ----- Original Message ----- > > > >> > From: "Davide Ungari" > > > >> > To: keycloak-user at lists.jboss.org > > > >> > Sent: Monday, 12 May, 2014 7:13:53 PM > > > >> > Subject: Re: [keycloak-user] MongoDB - Model provider not found > > > >> > > > > >> > I found out that: > > > >> > 1- the command "mvn package" does not include mongo module and > > driver > > > >> > 2- there is a regression on data model, updating source of keycloak > > I > > > >> must > > > >> > drop database in order to see the admin console works again > > > >> > -- > > > >> > Davide > > > >> > > > > >> > _______________________________________________ > > > >> > keycloak-user mailing list > > > >> > keycloak-user at lists.jboss.org > > > >> > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > >> > > > > > > > > > > > > > > > > _______________________________________________ > > > > keycloak-user mailing > > > > listkeycloak-user at lists.jboss.orghttps:// > > lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > > > > > > > > From rodrigopsasaki at gmail.com Tue May 20 13:36:58 2014 From: rodrigopsasaki at gmail.com (Rodrigo Sasaki) Date: Tue, 20 May 2014 14:36:58 -0300 Subject: [keycloak-user] Deployment failure Message-ID: I have been using Keycloak building directly form Github sources for a while now without any trouble, Today I updated my version here and now I can't deploy it anymore, is it expected? Here are some specifics: I'm using JBoss 7.1.1.Final. I added the *extension* and the *subsystem* as requested in item *6.2.1* of the Keycloak Reference Guide. I also extracted the adapter zip into the modules, it was all working, but today I have this message, and I can't quite sort out the problem: *14:27:50,537 ERROR [org.jboss.as ] (MSC service thread 1-8) JBAS015875: JBoss AS 7.1.1.Final "Brontes" started (with errors) in 2271ms - Started 196 of 304 services (28 services failed or missing dependencies, 78 services are passive or on-demand)* *14:27:50,739 INFO [org.jboss.as.server] (DeploymentScanner-threads - 2) JBAS015870: Deploy of deployment "auth-server.war" was rolled back with failure message {"JBAS014771: Services with missing/unavailable dependencies" => * *["jboss.deployment.unit.\"auth-server.war\".WeldServicejboss.persistenceunit.\"auth-server.war#jpa-keycloak-audit-store\", * *jboss.persistenceunit.\"auth-server.war#jpa-keycloak-identity-store\"Missing[jboss.deployment.unit.\"auth-server.war\".WeldServicejboss.persistenceunit.\"auth-server.war#jpa-keycloak-audit-store\", * *jboss.persistenceunit.\"auth-server.war#jpa-keycloak-identity-store\"]"]}* and directly below that *JBAS014775: New missing/unsatisfied dependencies:* * service jboss.persistenceunit."auth-server.war#jpa-keycloak-audit-store" (missing) dependents: [service jboss.deployment.unit."auth-server.war".WeldService] * * service jboss.persistenceunit."auth-server.war#jpa-keycloak-identity-store" (missing) dependents: [service jboss.deployment.unit."auth-server.war".WeldService] * Did I do something wrong, or is this expected in the current code base? Perhaps there's something I can do to satisfy these dependencies -- Rodrigo Sasaki -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140520/4934be54/attachment.html From bburke at redhat.com Tue May 20 14:24:58 2014 From: bburke at redhat.com (Bill Burke) Date: Tue, 20 May 2014 14:24:58 -0400 Subject: [keycloak-user] Deployment failure In-Reply-To: References: Message-ID: <537B9DFA.30202@redhat.com> I'll look into it tonight. On 5/20/2014 1:36 PM, Rodrigo Sasaki wrote: > I have been using Keycloak building directly form Github sources for a > while now without any trouble, > > Today I updated my version here and now I can't deploy it anymore, is it > expected? > > Here are some specifics: > > I'm using JBoss 7.1.1.Final. > > I added the *extension* and the *subsystem* as requested in item > *6.2.1* of the Keycloak Reference Guide. > > I also extracted the adapter zip into the modules, it was all working, > but today I have this message, and I can't quite sort out the problem: > > > *14:27:50,537 ERROR [org.jboss.as ] (MSC service > thread 1-8) JBAS015875: JBoss AS 7.1.1.Final "Brontes" started (with > errors) in 2271ms - Started 196 of 304 services (28 services failed or > missing dependencies, 78 services are passive or on-demand)* > * > * > *14:27:50,739 INFO [org.jboss.as.server] (DeploymentScanner-threads - > 2) JBAS015870: Deploy of deployment "auth-server.war" was rolled back > with failure message {"JBAS014771: Services with missing/unavailable > dependencies" => * > *["jboss.deployment.unit.\"auth-server.war\".WeldServicejboss.persistenceunit.\"auth-server.war#jpa-keycloak-audit-store\", > * > *jboss.persistenceunit.\"auth-server.war#jpa-keycloak-identity-store\"Missing[jboss.deployment.unit.\"auth-server.war\".WeldServicejboss.persistenceunit.\"auth-server.war#jpa-keycloak-audit-store\", > * > *jboss.persistenceunit.\"auth-server.war#jpa-keycloak-identity-store\"]"]}* > * > * > * > * > and directly below that > > *JBAS014775: New missing/unsatisfied dependencies:* > * service > jboss.persistenceunit."auth-server.war#jpa-keycloak-audit-store" > (missing) dependents: [service > jboss.deployment.unit."auth-server.war".WeldService] * > * service > jboss.persistenceunit."auth-server.war#jpa-keycloak-identity-store" > (missing) dependents: [service > jboss.deployment.unit."auth-server.war".WeldService] * > * > * > Did I do something wrong, or is this expected in the current code base? > Perhaps there's something I can do to satisfy these dependencies > > > -- > Rodrigo Sasaki > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From ungarida at gmail.com Tue May 20 16:18:22 2014 From: ungarida at gmail.com (Davide Ungari) Date: Tue, 20 May 2014 22:18:22 +0200 Subject: [keycloak-user] MongoDB - Model provider not found In-Reply-To: <394393468.10770898.1400579530894.JavaMail.zimbra@redhat.com> References: <604752553.7717330.1400142663059.JavaMail.zimbra@redhat.com> <537A6BCC.2040104@redhat.com> <1418816592.10742338.1400575559611.JavaMail.zimbra@redhat.com> <394393468.10770898.1400579530894.JavaMail.zimbra@redhat.com> Message-ID: Following your instruction he application startup is fine. Now after login I have another exception that involves Mongo : 22:15:21,616 ERROR [io.undertow.request] (default task-3) UT005023: Exception handling request to /auth/realms/keycloak-admin/tokens/access/codes: org.jboss.resteasy.spi.UnhandledException: java.lang.IllegalArgumentException: Can't found converter for type class org.keycloak.models.mongo.keycloak.entities.MongoClientUserSessionAssociationEntity in registered appObjectMappers at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) [resteasy-jaxrs-3.0.6.Final.jar:] at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) [resteasy-jaxrs-3.0.6.Final.jar:] at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149) [resteasy-jaxrs-3.0.6.Final.jar:] at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372) [resteasy-jaxrs-3.0.6.Final.jar:] at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) [resteasy-jaxrs-3.0.6.Final.jar:] at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) [resteasy-jaxrs-3.0.6.Final.jar:] at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) [resteasy-jaxrs-3.0.6.Final.jar:] at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) [resteasy-jaxrs-3.0.6.Final.jar:] at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final] at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] at org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41) [keycloak-services-1.0-beta-1-SNAPSHOT.jar:] at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:56) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:41) [keycloak-services-1.0-beta-1-SNAPSHOT.jar:] at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:56) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.0.Final.jar:1.0.0.Final] at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:113) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] at io.undertow.security.handlers.AuthenticationCallHandler.handleRequest(AuthenticationCallHandler.java:52) [undertow-core-1.0.0.Final.jar:1.0.0.Final] at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.0.0.Final.jar:1.0.0.Final] at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.0.0.Final.jar:1.0.0.Final] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.0.Final.jar:1.0.0.Final] at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.0.Final.jar:1.0.0.Final] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.0.Final.jar:1.0.0.Final] at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] at io.undertow.server.Connectors.executeRootHandler(Connectors.java:168) [undertow-core-1.0.0.Final.jar:1.0.0.Final] at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:687) [undertow-core-1.0.0.Final.jar:1.0.0.Final] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_51] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_51] at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_51] Caused by: java.lang.IllegalArgumentException: Can't found converter for type class org.keycloak.models.mongo.keycloak.entities.MongoClientUserSessionAssociationEntity in registered appObjectMappers at org.keycloak.models.mongo.api.types.MapperRegistry.convertApplicationObjectToDBObject(MapperRegistry.java:80) [keycloak-model-mongo-1.0-beta-1-SNAPSHOT.jar:] at org.keycloak.models.mongo.impl.MongoStoreImpl.insertEntity(MongoStoreImpl.java:171) [keycloak-model-mongo-1.0-beta-1-SNAPSHOT.jar:] at org.keycloak.models.mongo.keycloak.adapters.UserSessionAdapter.associateClient(UserSessionAdapter.java:102) [keycloak-model-mongo-1.0-beta-1-SNAPSHOT.jar:] at org.keycloak.services.resources.TokenService.accessCodeToToken(TokenService.java:656) [keycloak-services-1.0-beta-1-SNAPSHOT.jar:] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_51] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_51] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_51] at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_51] at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) [resteasy-jaxrs-3.0.6.Final.jar:] at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:280) [resteasy-jaxrs-3.0.6.Final.jar:] at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:234) [resteasy-jaxrs-3.0.6.Final.jar:] at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) [resteasy-jaxrs-3.0.6.Final.jar:] at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) [resteasy-jaxrs-3.0.6.Final.jar:] at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) [resteasy-jaxrs-3.0.6.Final.jar:] ... 37 more -- Davide On Tue, May 20, 2014 at 11:52 AM, Stian Thorgersen wrote: > You need to edit: > > > standalone/deployments/auth-server.war/WEB-INF/classes/META-INF/keycloak-server.json > > For mongo replace "model" and "audit" with: > > "audit": { > "provider": "mongo", > "mongo": { > "host": "", > "port": , > "user": , > "password": > } > }, > > "model": { > "provider": "mongo" > "mongo": { > "host": "", > "port": , > "user": , > "password": > } > } > > "host" and "port" are optional if not specified "localhost" and 27017 will > be used. "user" and "password" are optional as well, these are only > required if you've enabled authentication for your mongo db. You can also > change the db name by adding "db". > > ----- Original Message ----- > > From: "Davide Ungari" > > To: "Stian Thorgersen" > > Cc: "Marek Posolda" , keycloak-user at lists.jboss.org > > Sent: Tuesday, 20 May, 2014 10:38:41 AM > > Subject: Re: [keycloak-user] MongoDB - Model provider not found > > > > Hi Stian, > > I'm aligned to master. > > Could you show me the class I must read to understand how to configure > it? > > > > -- > > Davide > > > > > > On Tue, May 20, 2014 at 10:45 AM, Stian Thorgersen > wrote: > > > > > In master this has recently changed and is now configured in a config > file > > > instead of through system properties. The documentation will be > updated in > > > due time. > > > > > > ----- Original Message ----- > > > > From: "Davide Ungari" > > > > To: "Marek Posolda" > > > > Cc: "Stian Thorgersen" , > keycloak-user at lists.jboss.org > > > > Sent: Tuesday, 20 May, 2014 8:17:52 AM > > > > Subject: Re: [keycloak-user] MongoDB - Model provider not found > > > > > > > > Hi Marek, > > > > thanks for your answer. > > > > > > > > You could add a paragraph in documentation page > > > > > > > > http://docs.jboss.org/keycloak/docs/1.0-alpha-3/userguide/html_single/index.html#d4e167 > > > > about > > > > this. > > > > > > > > > > > > -- > > > > Davide > > > > > > > > > > > > On Mon, May 19, 2014 at 10:38 PM, Marek Posolda > > > > wrote: > > > > > > > > > Hi, > > > > > > > > > > I guess you removed persistence.xml from auth-server.war right? In > > > newest > > > > > version, persistence.xml contains configuration of model-api, but > also > > > for > > > > > audit-api . Default implementation of audit-api is based on JPA and > > > needs > > > > > persistence.xml . > > > > > > > > > > Thing is that default implementation of audit-api is always based > on > > > JPA > > > > > even if you changed your model implementation to "mongo". My > opinion > > > is, > > > > > that we should change this behaviour. So default implementation of > > > > > audit-api will be same like the chosen implementation of > model-api. So > > > if > > > > > someone (like you) changed the implementation of model to be based > on > > > > > mongo, the audit-api will automatically use mongo as well. I will > > > discuss > > > > > with guys about this tomorrow. > > > > > > > > > > Until this is done, I think that easiest solution for you is to > > > manually > > > > > switch audit-api to use mongo as well. So in addition to property > > > > > "-Dkeycloak.model=mongo" you also need to add property > > > > > "-Dkeycloak.audit=mongo" . > > > > > > > > > > Marek > > > > > > > > > > > > > > > On 16.5.2014 22:20, Davide Ungari wrote: > > > > > > > > > > Hi Stian, > > > > > I think the problem was that I was running "mvn package" inside > > > > > /keycloak/distribuition instead it works if your run it from root > > > > > directory. > > > > > > > > > > I have all the jars, model-mongo included, but the application > fails > > > at > > > > > startup with error message "No Persistence provider for > EntityManager > > > named > > > > > jpa-keycloak-audit-store\". What am I doing wrong this time? > > > > > > > > > > If you need I'm free to test the import process as you do it. > > > > > > > > > > Thanks. > > > > > > > > > > -- > > > > > Davide > > > > > > > > > > > > > > > On Thu, May 15, 2014 at 10:31 AM, Stian Thorgersen < > stian at redhat.com > > > >wrote: > > > > > > > > > >> I'm not sure why the mongo model has been removed from the WAR, > I'll > > > look > > > > >> into that. > > > > >> "jpa-keycloak-identity-store" > > > > >> > > > > >> We don't yet have support for upgrading the database when > upgrading > > > > >> Keycloak. This will be added soon. The plan is to provide a > mechanism > > > to > > > > >> export the database to a json file, and after installing a new > > > version of > > > > >> Keycloak you import this json file again. We'll make this import > > > backwards > > > > >> compatible so you can import a json file from any older versions > of > > > > >> Keycloak. > > > > >> > > > > >> ----- Original Message ----- > > > > >> > From: "Davide Ungari" > > > > >> > To: keycloak-user at lists.jboss.org > > > > >> > Sent: Monday, 12 May, 2014 7:13:53 PM > > > > >> > Subject: Re: [keycloak-user] MongoDB - Model provider not found > > > > >> > > > > > >> > I found out that: > > > > >> > 1- the command "mvn package" does not include mongo module and > > > driver > > > > >> > 2- there is a regression on data model, updating source of > keycloak > > > I > > > > >> must > > > > >> > drop database in order to see the admin console works again > > > > >> > -- > > > > >> > Davide > > > > >> > > > > > >> > _______________________________________________ > > > > >> > keycloak-user mailing list > > > > >> > keycloak-user at lists.jboss.org > > > > >> > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > >> > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > keycloak-user mailing > > > > > listkeycloak-user at lists.jboss.orghttps:// > > > lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > > > > > > > > > > > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140520/4fc70c34/attachment-0001.html From mposolda at redhat.com Tue May 20 18:14:58 2014 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 21 May 2014 00:14:58 +0200 Subject: [keycloak-user] MongoDB - Model provider not found In-Reply-To: References: <604752553.7717330.1400142663059.JavaMail.zimbra@redhat.com> <537A6BCC.2040104@redhat.com> <1418816592.10742338.1400575559611.JavaMail.zimbra@redhat.com> <394393468.10770898.1400579530894.JavaMail.zimbra@redhat.com> Message-ID: <537BD3E2.2040905@redhat.com> i've looked at this one and have it fixed in branch https://github.com/mposolda/keycloak/ . Feel free to give it try if you are impatient, but still it seems that there are some more issues with mongo model (few integration tests are still failing). I will send PR to master tomorrow morning with mongo model fully working. Marek On 20.5.2014 22:18, Davide Ungari wrote: > Following your instruction he application startup is fine. > Now after login I have another exception that involves Mongo : > > 22:15:21,616 ERROR [io.undertow.request] (default task-3) UT005023: > Exception handling request to > /auth/realms/keycloak-admin/tokens/access/codes: > org.jboss.resteasy.spi.UnhandledException: > java.lang.IllegalArgumentException: Can't found converter for type > class > org.keycloak.models.mongo.keycloak.entities.MongoClientUserSessionAssociationEntity > in registered appObjectMappers > at > org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) > [resteasy-jaxrs-3.0.6.Final.jar:] > at > org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) > [resteasy-jaxrs-3.0.6.Final.jar:] > at > org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149) > [resteasy-jaxrs-3.0.6.Final.jar:] > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372) > [resteasy-jaxrs-3.0.6.Final.jar:] > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) > [resteasy-jaxrs-3.0.6.Final.jar:] > at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) > [resteasy-jaxrs-3.0.6.Final.jar:] > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > [resteasy-jaxrs-3.0.6.Final.jar:] > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > [resteasy-jaxrs-3.0.6.Final.jar:] > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final] > at > io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) > [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) > [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] > at > org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41) > [keycloak-services-1.0-beta-1-SNAPSHOT.jar:] > at > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:56) > [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) > [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] > at > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:41) > [keycloak-services-1.0-beta-1-SNAPSHOT.jar:] > at > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:56) > [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) > [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] > at > io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) > [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] > at > io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) > [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] > at > io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] > at > org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > at > io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:113) > [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] > at > io.undertow.security.handlers.AuthenticationCallHandler.handleRequest(AuthenticationCallHandler.java:52) > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > at > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > at > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61) > [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] > at > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) > [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] > at > io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > at > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) > [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) > [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) > [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) > [undertow-servlet-1.0.0.Final.jar:1.0.0.Final] > at > io.undertow.server.Connectors.executeRootHandler(Connectors.java:168) > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > at > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:687) > [undertow-core-1.0.0.Final.jar:1.0.0.Final] > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > [rt.jar:1.7.0_51] > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > [rt.jar:1.7.0_51] > at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_51] > Caused by: java.lang.IllegalArgumentException: Can't found converter > for type class > org.keycloak.models.mongo.keycloak.entities.MongoClientUserSessionAssociationEntity > in registered appObjectMappers > at > org.keycloak.models.mongo.api.types.MapperRegistry.convertApplicationObjectToDBObject(MapperRegistry.java:80) > [keycloak-model-mongo-1.0-beta-1-SNAPSHOT.jar:] > at > org.keycloak.models.mongo.impl.MongoStoreImpl.insertEntity(MongoStoreImpl.java:171) > [keycloak-model-mongo-1.0-beta-1-SNAPSHOT.jar:] > at > org.keycloak.models.mongo.keycloak.adapters.UserSessionAdapter.associateClient(UserSessionAdapter.java:102) > [keycloak-model-mongo-1.0-beta-1-SNAPSHOT.jar:] > at > org.keycloak.services.resources.TokenService.accessCodeToToken(TokenService.java:656) > [keycloak-services-1.0-beta-1-SNAPSHOT.jar:] > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > [rt.jar:1.7.0_51] > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) > [rt.jar:1.7.0_51] > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > [rt.jar:1.7.0_51] > at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_51] > at > org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) > [resteasy-jaxrs-3.0.6.Final.jar:] > at > org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:280) > [resteasy-jaxrs-3.0.6.Final.jar:] > at > org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:234) > [resteasy-jaxrs-3.0.6.Final.jar:] > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) > [resteasy-jaxrs-3.0.6.Final.jar:] > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) > [resteasy-jaxrs-3.0.6.Final.jar:] > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) > [resteasy-jaxrs-3.0.6.Final.jar:] > ... 37 more > > > -- > Davide > > > On Tue, May 20, 2014 at 11:52 AM, Stian Thorgersen > wrote: > > You need to edit: > > standalone/deployments/auth-server.war/WEB-INF/classes/META-INF/keycloak-server.json > > For mongo replace "model" and "audit" with: > > "audit": { > "provider": "mongo", > "mongo": { > "host": "", > "port": , > "user": , > "password": > } > }, > > "model": { > "provider": "mongo" > "mongo": { > "host": "", > "port": , > "user": , > "password": > } > } > > "host" and "port" are optional if not specified "localhost" and > 27017 will be used. "user" and "password" are optional as well, > these are only required if you've enabled authentication for your > mongo db. You can also change the db name by adding "db". > > ----- Original Message ----- > > From: "Davide Ungari" > > > To: "Stian Thorgersen" > > > Cc: "Marek Posolda" >, keycloak-user at lists.jboss.org > > > Sent: Tuesday, 20 May, 2014 10:38:41 AM > > Subject: Re: [keycloak-user] MongoDB - Model provider not found > > > > Hi Stian, > > I'm aligned to master. > > Could you show me the class I must read to understand how to > configure it? > > > > -- > > Davide > > > > > > On Tue, May 20, 2014 at 10:45 AM, Stian Thorgersen > > wrote: > > > > > In master this has recently changed and is now configured in a > config file > > > instead of through system properties. The documentation will > be updated in > > > due time. > > > > > > ----- Original Message ----- > > > > From: "Davide Ungari" > > > > > To: "Marek Posolda" > > > > > Cc: "Stian Thorgersen" >, keycloak-user at lists.jboss.org > > > > > Sent: Tuesday, 20 May, 2014 8:17:52 AM > > > > Subject: Re: [keycloak-user] MongoDB - Model provider not found > > > > > > > > Hi Marek, > > > > thanks for your answer. > > > > > > > > You could add a paragraph in documentation page > > > > > > > > http://docs.jboss.org/keycloak/docs/1.0-alpha-3/userguide/html_single/index.html#d4e167 > > > > about > > > > this. > > > > > > > > > > > > -- > > > > Davide > > > > > > > > > > > > On Mon, May 19, 2014 at 10:38 PM, Marek Posolda > > > > > wrote: > > > > > > > > > Hi, > > > > > > > > > > I guess you removed persistence.xml from auth-server.war > right? In > > > newest > > > > > version, persistence.xml contains configuration of > model-api, but also > > > for > > > > > audit-api . Default implementation of audit-api is based > on JPA and > > > needs > > > > > persistence.xml . > > > > > > > > > > Thing is that default implementation of audit-api is > always based on > > > JPA > > > > > even if you changed your model implementation to "mongo". > My opinion > > > is, > > > > > that we should change this behaviour. So default > implementation of > > > > > audit-api will be same like the chosen implementation of > model-api. So > > > if > > > > > someone (like you) changed the implementation of model to > be based on > > > > > mongo, the audit-api will automatically use mongo as well. > I will > > > discuss > > > > > with guys about this tomorrow. > > > > > > > > > > Until this is done, I think that easiest solution for you > is to > > > manually > > > > > switch audit-api to use mongo as well. So in addition to > property > > > > > "-Dkeycloak.model=mongo" you also need to add property > > > > > "-Dkeycloak.audit=mongo" . > > > > > > > > > > Marek > > > > > > > > > > > > > > > On 16.5.2014 22:20, Davide Ungari wrote: > > > > > > > > > > Hi Stian, > > > > > I think the problem was that I was running "mvn package" > inside > > > > > /keycloak/distribuition instead it works if your run it > from root > > > > > directory. > > > > > > > > > > I have all the jars, model-mongo included, but the > application fails > > > at > > > > > startup with error message "No Persistence provider for > EntityManager > > > named > > > > > jpa-keycloak-audit-store\". What am I doing wrong this time? > > > > > > > > > > If you need I'm free to test the import process as you do it. > > > > > > > > > > Thanks. > > > > > > > > > > -- > > > > > Davide > > > > > > > > > > > > > > > On Thu, May 15, 2014 at 10:31 AM, Stian Thorgersen > > > > >wrote: > > > > > > > > > >> I'm not sure why the mongo model has been removed from > the WAR, I'll > > > look > > > > >> into that. > > > > >> "jpa-keycloak-identity-store" > > > > >> > > > > >> We don't yet have support for upgrading the database when > upgrading > > > > >> Keycloak. This will be added soon. The plan is to provide > a mechanism > > > to > > > > >> export the database to a json file, and after installing > a new > > > version of > > > > >> Keycloak you import this json file again. We'll make this > import > > > backwards > > > > >> compatible so you can import a json file from any older > versions of > > > > >> Keycloak. > > > > >> > > > > >> ----- Original Message ----- > > > > >> > From: "Davide Ungari" > > > > > >> > To: keycloak-user at lists.jboss.org > > > > > >> > Sent: Monday, 12 May, 2014 7:13:53 PM > > > > >> > Subject: Re: [keycloak-user] MongoDB - Model provider > not found > > > > >> > > > > > >> > I found out that: > > > > >> > 1- the command "mvn package" does not include mongo > module and > > > driver > > > > >> > 2- there is a regression on data model, updating source > of keycloak > > > I > > > > >> must > > > > >> > drop database in order to see the admin console works again > > > > >> > -- > > > > >> > Davide > > > > >> > > > > > >> > _______________________________________________ > > > > >> > keycloak-user mailing list > > > > >> > keycloak-user at lists.jboss.org >