From stian at redhat.com Wed Oct 1 02:41:37 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Wed, 1 Oct 2014 02:41:37 -0400 (EDT)
Subject: [keycloak-user] Integration Keycloak with phyton application
In-Reply-To: <20140930160448.519bea6d@akvo.org>
References: <1766298406.58107155.1412010192999.JavaMail.zimbra@redhat.com> <20140930160448.519bea6d@akvo.org>
Message-ID: <1271409033.59389286.1412145697633.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Iván Perdomo"
> To: "Stian Thorgersen"
> Cc: "Pablo N", keycloak-user at lists.jboss.org
> Sent: Tuesday, 30 September, 2014 4:04:48 PM
> Subject: Re: [keycloak-user] Integration Keycloak with phyton application
>
> Hi,
>
> On Mon, 29 Sep 2014 13:03:13 -0400 (EDT)
> Stian Thorgersen wrote:
>
> > * Login: /auth/tokens/realms/<REALM NAME>/tokens/login
> > * Access token: /auth/tokens/realms/<REALM NAME>/tokens/access/codes
> > * Refresh token: /auth/tokens/realms/<REALM NAME>/tokens/refresh
>
> Not sure if I'm correct, but there is an extra /tokens/ in those URLs?
>
> e.g. When you visit Admin Console
>
> <SERVER>/auth/admin/
>
> You get redirected to the login page at:
>
> <SERVER>/auth/realms/master/tokens/login?client_id=security-admin-console&redirect_uri=<SERVER>%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=some-uuid&response_type=code
>
> So the pattern is:
>
> /auth/realms/<REALM NAME>/tokens/login
> /auth/realms/<REALM NAME>/tokens/access/codes
> /auth/realms/<REALM NAME>/tokens/refresh

Yes, those are the correct URLs. The ones I listed did indeed have an extra /tokens/ it shouldn't have had ;)

> Is this a correct assumption?
>
> Thanks,
>
> --
> Iván

From rodrigopsasaki at gmail.com Wed Oct 1 15:10:00 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Wed, 1 Oct 2014 16:10:00 -0300
Subject: [keycloak-user] Problems with Redirect URI
Message-ID:

Hello,

We tried to deploy our server in production today, protected with Keycloak but we had some issues.
When we tried to access one of our resources, the redirect_uri was altered to one we didn't have registered.

Our original uri was something like this: http://www.domain.com/resource

and it got changed to: https://www.domain.com:8443/resource

changing the protocol to https and adding the 8443 port, and that specific uri isn't registered for us, so the server returned saying it was an invalid redirect_uri

Is this a normal behavior? Should we have configured something else?

Thanks!

--
Rodrigo Sasaki

From bburke at redhat.com Wed Oct 1 15:57:36 2014
From: bburke at redhat.com (Bill Burke)
Date: Wed, 01 Oct 2014 15:57:36 -0400
Subject: [keycloak-user] Problems with Redirect URI
In-Reply-To:
References:
Message-ID: <542C5CB0.9070601@redhat.com>

https://www.domain.com:8443 is a different uri than http://www.domain.com. If you don't change the redirect uri pattern in the admin console for the app, then the server will not recognize the https uri as valid.

On 10/1/2014 3:10 PM, Rodrigo Sasaki wrote:
> Hello,
>
> We tried to deploy our server in production today, protected with
> Keycloak but we had some issues.
>
> When we tried to access one of our resources, the redirect_uri was
> altered to one we didn't have registered.
>
> Our original uri was something like this: http://www.domain.com/resource
>
> and it got changed to: https://www.domain.com:8443/resource
>
> changing the protocol to https and adding the 8443 port, and that
> specific uri isn't registered for us, so the server returned saying it
> was an invalid redirect_uri
>
> Is this a normal behavior? Should we have configured something else?
>
> Thanks!
> > -- > Rodrigo Sasaki > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From rodrigopsasaki at gmail.com Thu Oct 2 01:30:15 2014 From: rodrigopsasaki at gmail.com (Rodrigo Sasaki) Date: Thu, 2 Oct 2014 02:30:15 -0300 Subject: [keycloak-user] Problems with Redirect URI In-Reply-To: <542C5CB0.9070601@redhat.com> References: <542C5CB0.9070601@redhat.com> Message-ID: Yes, but should I have to register that URI? I thought that the ssl-required option was only valid for communications with the keycloak server, not on how the keycloak server would respond to the application. The solution would be to register this https uri as a redirect_uri on my keycloak application? While we're on this topic I do have another question, that my superiors instructed me to ask: Is it unsafe to change my keycloak.json setting ssl-required to none? The problem I see is someone intercepting the access code returned by the server, is it possible for 2 requests with the same access code be processed returning a valid access token for both? Or is this code discarded somehow? Thank you again for all your help On Wed, Oct 1, 2014 at 4:57 PM, Bill Burke wrote: > https://www.domain.com:8443 is a different uri than > http://www.domain.com. If you don't change the redirect uri pattern in > the admin console for the app, then the server will not recognize the > https uri as valid. > > On 10/1/2014 3:10 PM, Rodrigo Sasaki wrote: > > Hello, > > > > We tried to deploy our server in production today, protected with > > Keycloak but we had some issues. > > > > When we tried to access one of our resources, the redirect_uri was > > altered to one we didn't have registered. 
> > > > Our original uri was something like this: * > http://www.domain.com/resource* > > > > and it got changed to: *https://www.domain.com:8443/resource* > > > > changing the protocol to https and adding the 8443 port, and that > > specific uri isn't registered for us, so the server returned saying it > > was an invalid redirect_uri > > > > Is this a normal behavior? Should we have configured something else? > > > > Thanks! > > > > -- > > Rodrigo Sasaki > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Rodrigo Sasaki -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141002/57128177/attachment.html From stian at redhat.com Thu Oct 2 02:30:27 2014 From: stian at redhat.com (Stian Thorgersen) Date: Thu, 2 Oct 2014 02:30:27 -0400 (EDT) Subject: [keycloak-user] Problems with Redirect URI In-Reply-To: References: <542C5CB0.9070601@redhat.com> Message-ID: <1084840520.60170099.1412231427613.JavaMail.zimbra@redhat.com> Did you ----- Original Message ----- > From: "Rodrigo Sasaki" > To: "Bill Burke" > Cc: keycloak-user at lists.jboss.org > Sent: Thursday, 2 October, 2014 7:30:15 AM > Subject: Re: [keycloak-user] Problems with Redirect URI > > Yes, but should I have to register that URI? > > I thought that the ssl-required option was only valid for communications with > the keycloak server, not on how the keycloak server would respond to the > application. > The solution would be to register this https uri as a redirect_uri on my > keycloak application? 
> > While we're on this topic I do have another question, that my superiors > instructed me to ask: > > Is it unsafe to change my keycloak.json setting ssl-required to none? > The problem I see is someone intercepting the access code returned by the > server, is it possible for 2 requests with the same access code be processed > returning a valid access token for both? Or is this code discarded somehow? > > Thank you again for all your help > > On Wed, Oct 1, 2014 at 4:57 PM, Bill Burke < bburke at redhat.com > wrote: > > > https://www.domain.com:8443 is a different uri than > http://www.domain.com . If you don't change the redirect uri pattern in > the admin console for the app, then the server will not recognize the > https uri as valid. > > On 10/1/2014 3:10 PM, Rodrigo Sasaki wrote: > > Hello, > > > > We tried to deploy our server in production today, protected with > > Keycloak but we had some issues. > > > > When we tried to access one of our resources, the redirect_uri was > > altered to one we didn't have registered. > > > > Our original uri was something like this: * http://www.domain.com/resource* > > > > and it got changed to: * https://www.domain.com:8443/resource* > > > > changing the protocol to https and adding the 8443 port, and that > > specific uri isn't registered for us, so the server returned saying it > > was an invalid redirect_uri > > > > Is this a normal behavior? Should we have configured something else? > > > > Thanks! 
> > > > -- > > Rodrigo Sasaki > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Rodrigo Sasaki > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From stian at redhat.com Thu Oct 2 02:42:45 2014 From: stian at redhat.com (Stian Thorgersen) Date: Thu, 2 Oct 2014 02:42:45 -0400 (EDT) Subject: [keycloak-user] Problems with Redirect URI In-Reply-To: References: <542C5CB0.9070601@redhat.com> Message-ID: <125732205.60172910.1412232165268.JavaMail.zimbra@redhat.com> As it redirected from http to https did you edit web.xml and enable the confidential transport-guarantee? In production you should always use ssl for all traffic, and also make sure you have a proper certificate so apps and browsers can guarantee they are indeed talking to your auth server and not some intermediary. ----- Original Message ----- > From: "Rodrigo Sasaki" > To: "Bill Burke" > Cc: keycloak-user at lists.jboss.org > Sent: Thursday, 2 October, 2014 7:30:15 AM > Subject: Re: [keycloak-user] Problems with Redirect URI > > Yes, but should I have to register that URI? > > I thought that the ssl-required option was only valid for communications with > the keycloak server, not on how the keycloak server would respond to the > application. > The solution would be to register this https uri as a redirect_uri on my > keycloak application? 
> > While we're on this topic I do have another question, that my superiors > instructed me to ask: > > Is it unsafe to change my keycloak.json setting ssl-required to none? > The problem I see is someone intercepting the access code returned by the > server, is it possible for 2 requests with the same access code be processed > returning a valid access token for both? Or is this code discarded somehow? > > Thank you again for all your help > > On Wed, Oct 1, 2014 at 4:57 PM, Bill Burke < bburke at redhat.com > wrote: > > > https://www.domain.com:8443 is a different uri than > http://www.domain.com . If you don't change the redirect uri pattern in > the admin console for the app, then the server will not recognize the > https uri as valid. > > On 10/1/2014 3:10 PM, Rodrigo Sasaki wrote: > > Hello, > > > > We tried to deploy our server in production today, protected with > > Keycloak but we had some issues. > > > > When we tried to access one of our resources, the redirect_uri was > > altered to one we didn't have registered. > > > > Our original uri was something like this: * http://www.domain.com/resource* > > > > and it got changed to: * https://www.domain.com:8443/resource* > > > > changing the protocol to https and adding the 8443 port, and that > > specific uri isn't registered for us, so the server returned saying it > > was an invalid redirect_uri > > > > Is this a normal behavior? Should we have configured something else? > > > > Thanks! 
> > > > -- > > Rodrigo Sasaki > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Rodrigo Sasaki > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From gadnex at gmail.com Thu Oct 2 07:40:48 2014 From: gadnex at gmail.com (Willy Gadney) Date: Thu, 2 Oct 2014 13:40:48 +0200 Subject: [keycloak-user] FIDO Alliance Message-ID: Hi, With KeyCloak version 1.0 being released, I was wondering if there are any plans to support the new FIDO Alliance - U2F or UAF standards in a future release of KeyCloak? The FIDO standards are not final yet, but the draft specifications have been out since about February and are unlikely to change much at this stage. Hopefuly FIDO devices will also be commercially available soon. I have been a fan of TOTP for a long time, but I think that the FIDO standards are a nice step forward. More info on the FIDO standard can be found here: https://fidoalliance.org/specifications Thanks, Willy -------------- next part -------------- An HTML attachment was scrubbed... 
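The two earlier threads on this page (the /auth/realms/<REALM NAME>/tokens/... URL layout, and the rejected https://www.domain.com:8443 redirect_uri) are both about the client side of the authorization-code flow. The following is an added example written for this archive page, not code from Keycloak or from any of the posters. It builds the login redirect with a per-login state value, checks that value on the callback, describes the request to the access/codes endpoint, and shows why an exact-match registered redirect URI rejects a URI that differs only in scheme or port. Assumptions not confirmed by the thread: that the access/codes endpoint takes a form-encoded POST with code, redirect_uri and client_id, authenticated with HTTP Basic client_id:client_secret; that a registered pattern ending in "*" is a prefix match. The server, realm, client and secret values are constructed.

```python
"""Authorization-code helpers for the Keycloak 1.0-era URL layout (added example)."""
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def login_url(server, realm, client_id, redirect_uri, state):
    """Browser redirect to /auth/realms/<REALM>/tokens/login (pattern from the thread)."""
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "response_type": "code",
    })
    return f"{server}/auth/realms/{realm}/tokens/login?{query}"


def new_state():
    """Unguessable per-login state; the app stores it in the user's session before redirecting."""
    return secrets.token_urlsafe(24)


def parse_callback(callback_url, expected_state):
    """Return the code from the callback, or raise if the state is missing or does not match.

    The state check binds the callback to the login this browser session started,
    so a callback that did not originate from our own redirect is rejected.
    """
    params = parse_qs(urlsplit(callback_url).query)
    state = params.get("state", [""])[0]
    if not expected_state or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not bound to this login")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no code")
    return code


def code_exchange_request(server, realm, client_id, client_secret, code, redirect_uri):
    """Describe the POST to /auth/realms/<REALM>/tokens/access/codes.

    Assumption: form-encoded body plus HTTP Basic client credentials. Returned as a
    dict so the example runs offline; a real client would send it with its HTTP library.
    """
    auth = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "url": f"{server}/auth/realms/{realm}/tokens/access/codes",
        "headers": {
            "Authorization": f"Basic {auth}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"code": code, "redirect_uri": redirect_uri, "client_id": client_id}),
    }


def redirect_uri_allowed(registered_patterns, candidate):
    """Server-side style check: scheme, host, port and path must all match a registered entry.

    A trailing '*' in a registered pattern is treated as a path prefix (assumption).
    http://www.domain.com/resource therefore does not cover https://www.domain.com:8443/resource.
    """
    c = urlsplit(candidate)
    for pattern in registered_patterns:
        if pattern.endswith("*"):
            p = urlsplit(pattern[:-1])
            same_origin = (c.scheme, c.hostname, c.port) == (p.scheme, p.hostname, p.port)
            if same_origin and c.path.startswith(p.path):
                return True
        else:
            p = urlsplit(pattern)
            if (c.scheme, c.hostname, c.port, c.path) == (p.scheme, p.hostname, p.port, p.path):
                return True
    return False


if __name__ == "__main__":
    state = new_state()
    print(login_url("https://sso.example.test", "demo", "app", "https://app.example.test/cb", state))
    print(redirect_uri_allowed(["http://www.domain.com/resource"], "https://www.domain.com:8443/resource"))
```

The redirect_uri_allowed check reproduces Bill's point: the https URI on port 8443 is a different URI, and only registering it (or a pattern that covers it) makes it valid.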
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141002/08d27220/attachment.html From stian at redhat.com Thu Oct 2 07:54:17 2014 From: stian at redhat.com (Stian Thorgersen) Date: Thu, 2 Oct 2014 07:54:17 -0400 (EDT) Subject: [keycloak-user] FIDO Alliance In-Reply-To: References: Message-ID: <1124952380.60341799.1412250857407.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "Willy Gadney" > To: keycloak-user at lists.jboss.org > Sent: Thursday, 2 October, 2014 1:40:48 PM > Subject: [keycloak-user] FIDO Alliance > > Hi, > > With KeyCloak version 1.0 being released, I was wondering if there are any > plans to support the new FIDO Alliance - U2F or UAF standards in a future > release of KeyCloak? We're planning to add an Authentication SPI that would allow plugging in additional authentication mechanisms. This was planned for second factor authentication, but it would make sense to also add support for passwordless authentication through the same mechanism. Having an implementation for fido would be very nice as well. > > The FIDO standards are not final yet, but the draft specifications have been > out since about February and are unlikely to change much at this stage. > Hopefuly FIDO devices will also be commercially available soon. > > I have been a fan of TOTP for a long time, but I think that the FIDO > standards are a nice step forward. > > More info on the FIDO standard can be found here: > https://fidoalliance.org/specifications > > Thanks, > Willy > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From jasrodis at gmail.com Mon Oct 6 05:40:57 2014 From: jasrodis at gmail.com (Jason Rodis) Date: Mon, 6 Oct 2014 12:40:57 +0300 Subject: [keycloak-user] How to get online users Message-ID: <2FCED1BA-BD28-4193-86FF-112F979F608D@gmail.com> Good morning, I am trying to set up an application that uses: 1. 
Spring 3.2.x

I used to have spring security for the authentication of the users, and I could get all the online users by a bean called SpringRegistryImpl. Here is an example how I could get all the logged in users:

In the controller class I had:

@Autowired
private SessionRegistryImpl sessionRegistry;

and then:

List<Object> principals = sessionRegistry.getAllPrincipals();

for (Object principal : principals) {
    if (principal instanceof UserDetails) {
        //Add user to the list with the logged in users (in session).
    }
}

Now, I have configured my application's authentication with keycloak and removed spring-security.

How can I retrieve all the users in session with keycloak?

Thanks in advance,
Jason

From stian at redhat.com Mon Oct 6 06:44:38 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 6 Oct 2014 06:44:38 -0400 (EDT)
Subject: [keycloak-user] How to get online users
In-Reply-To: <2FCED1BA-BD28-4193-86FF-112F979F608D@gmail.com>
References: <2FCED1BA-BD28-4193-86FF-112F979F608D@gmail.com>
Message-ID: <1253323998.61834660.1412592278638.JavaMail.zimbra@redhat.com>

Hi,

Active user sessions can be retrieved through the admin rest endpoints, as well as through the Keycloak admin console.

You can retrieve all applications with active sessions and number of active users with:
http://docs.jboss.org/keycloak/docs/1.0.1.Final/rest-api/admin/realms/%7Brealm%7D/application-session-stats/index.html

You can retrieve a list of active users per-application with:
http://docs.jboss.org/keycloak/docs/1.0.1.Final/rest-api/admin/realms/%7Brealm%7D/applications/%7Bapp-name%7D/user-sessions/index.html

For details on how to use the admin endpoints look at "examples/preconfigured-demo/admin-access-app" in the downloads. There's also a Java admin client lib, which makes it easier to call the admin endpoints, but these methods have not been added yet.
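The two admin endpoints Stian links are plain GETs under /auth/admin/realms/{realm}; what a caller has to get right is the bearer token and the handling of a 401/403 when that token lacks the admin permissions. The following is an added example for this thread, not code from Keycloak or from the poster. It wraps the two endpoints in a small client with an injectable transport, so the same code can run against a live server (urllib transport) or, as here, against constructed responses. Assumptions: the JSON field names (application, activeUsers, username, ipAddress) and the shape of the responses; the token value and host are constructed.

```python
"""Read active sessions via the Keycloak 1.0.1 admin REST endpoints (added example)."""
import json
from urllib.error import HTTPError
from urllib.request import Request, urlopen


def urllib_transport(method, url, token):
    """Real transport: send the request with a bearer token, return (status, body)."""
    req = Request(url, method=method, headers={"Authorization": f"Bearer {token}"})
    try:
        with urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as e:
        return e.code, e.read().decode()


class AdminSessions:
    def __init__(self, server, realm, token, transport=urllib_transport):
        self.base = f"{server}/auth/admin/realms/{realm}"
        self.token = token
        self.transport = transport

    def _get(self, path):
        status, body = self.transport("GET", self.base + path, self.token)
        if status in (401, 403):
            # Token is missing, expired, or lacks the realm's admin permissions.
            raise PermissionError(f"admin token not accepted for {path} (HTTP {status})")
        if status != 200:
            raise RuntimeError(f"unexpected HTTP {status} for {path}")
        return json.loads(body)

    def session_stats(self):
        """{application name: active user count} for the realm (field names assumed)."""
        return {row["application"]: int(row["activeUsers"])
                for row in self._get("/application-session-stats")}

    def user_sessions(self, app_name):
        """Distinct usernames with an active session in one application, sorted."""
        rows = self._get(f"/applications/{app_name}/user-sessions")
        return sorted({row["username"] for row in rows})


# Constructed responses standing in for a live server so the example runs offline.
FAKE_RESPONSES = {
    "/application-session-stats": [
        {"application": "customer-portal", "activeUsers": 2},
        {"application": "product-portal", "activeUsers": 0},
    ],
    "/applications/customer-portal/user-sessions": [
        {"username": "alice", "ipAddress": "10.0.0.5"},
        {"username": "bob", "ipAddress": "10.0.0.9"},
        {"username": "alice", "ipAddress": "10.0.0.7"},  # second session for the same user
    ],
}


def fake_transport(method, url, token):
    """Offline transport: a fixed token is accepted, anything else gets 403."""
    path = url.split("/auth/admin/realms/demo", 1)[1]
    if token != "good-token":
        return 403, '{"error":"forbidden"}'
    if path in FAKE_RESPONSES:
        return 200, json.dumps(FAKE_RESPONSES[path])
    return 404, "{}"


def demo(token="good-token"):
    client = AdminSessions("http://localhost:8080", "demo", token, transport=fake_transport)
    return client.session_stats(), client.user_sessions("customer-portal")


if __name__ == "__main__":
    print(demo())
```

Swap fake_transport for urllib_transport and a real admin token to run it against a server; the PermissionError path is the one you hit when the token's user lacks the admin permissions for the realm.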
----- Original Message ----- > From: "Jason Rodis" > To: keycloak-user at lists.jboss.org > Sent: Monday, 6 October, 2014 11:40:57 AM > Subject: [keycloak-user] How to get online users > > Good morning, > > I am trying to set up an application that uses: > > 1. Spring 3.2.x > > I used to have spring security for the authentication of the users, and I > could get all the online users by a bean called SpringRegistryImpl. Here is > an example how I could get all the logged in users: > > In the controller class I had: > > @Autowired > private SessionRegistryImpl sessionRegistry; > > and then: > > List principals = sessionRegistry.getAllPrincipals(); > > for (Object principal : principals) { > if (principal instanceof UserDetails) { > //Add user to the list with the logged in users (in session). > } > } > > > Now, I have configured my application?s authentication with keycloak and > removed spring-security. > > How can I retrieve all the users in session with keycloak? > > Thanks in advance, > Jason > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From traviskds at gmail.com Mon Oct 6 20:18:41 2014 From: traviskds at gmail.com (Travis De Silva) Date: Tue, 7 Oct 2014 11:18:41 +1100 Subject: [keycloak-user] Pure Client Javascript Adapter - fragment problem - KEYCLOAK-546 Message-ID: Hi, Not sure if anyone else has faced this issue but I don't seem to be able to get the Pure client javascript adapter working. I am sort of following the same style as per the example angular-product-app but unlike the example, my application has many routers and I use the angular ui-router to manage my routers in angular. The Keycloak login page comes up properly and once I provide the valid credentials, it authenticates properly as well but the issue is with the redirect. 
I tried many different things and one common issue I noticed was that the redirect_uri and redirect_fragment query parameters does not seem to be correct. In fact it seems to be identical to this Jira issue raised by Bill sometime back https://issues.jboss.org/browse/KEYCLOAK-546 I wonder if this issue is still present in the 1.0.1 final release or if its resolved and maybe I am not doing something right. Appreciate any help. Cheers Travis -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141007/3a928d67/attachment.html From stian at redhat.com Tue Oct 7 02:20:27 2014 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 7 Oct 2014 02:20:27 -0400 (EDT) Subject: [keycloak-user] Pure Client Javascript Adapter - fragment problem - KEYCLOAK-546 In-Reply-To: References: Message-ID: <726319262.62752332.1412662827904.JavaMail.zimbra@redhat.com> If you can extend angular-product-app to make the issues happen there, or point me to an app where it does, I'll fix it. ----- Original Message ----- > From: "Travis De Silva" > To: keycloak-user at lists.jboss.org > Sent: Tuesday, 7 October, 2014 2:18:41 AM > Subject: [keycloak-user] Pure Client Javascript Adapter - fragment problem - KEYCLOAK-546 > > Hi, > > Not sure if anyone else has faced this issue but I don't seem to be able to > get the Pure client javascript adapter working. > > I am sort of following the same style as per the example angular-product-app > but unlike the example, my application has many routers and I use the > angular ui-router to manage my routers in angular. > > The Keycloak login page comes up properly and once I provide the valid > credentials, it authenticates properly as well but the issue is with the > redirect. > > I tried many different things and one common issue I noticed was that the > redirect_uri and redirect_fragment query parameters does not seem to be > correct. 
>
> In fact it seems to be identical to this Jira issue raised by Bill sometime back https://issues.jboss.org/browse/KEYCLOAK-546
>
> I wonder if this issue is still present in the 1.0.1 final release or if its resolved and maybe I am not doing something right.
>
> Appreciate any help.
>
> Cheers
> Travis
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From alexander.chriztopher at gmail.com Tue Oct 7 12:26:17 2014
From: alexander.chriztopher at gmail.com (Alexander Chriztopher)
Date: Tue, 7 Oct 2014 18:26:17 +0200
Subject: [keycloak-user] Still can access application after logout
Message-ID:

Hi,

I logout from my application either by a redirect to the logout url :
http://auth-server/auth/realms/{realm-name}/tokens/logout?redirect_uri=encodedRedirectUri

or from the Keycloak console by ending all active sessions with the "logout all" button but i still can go and navigate in my application everytime. It is only when i stay idle for sometime that am forced to login again in order to access my application.

Anyone knows what this behaviour means ? I was expecting that i would be forced to login as soon as i logout from my application.

Regards.

From mposolda at redhat.com Tue Oct 7 13:53:11 2014
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 07 Oct 2014 19:53:11 +0200
Subject: [keycloak-user] Still can access application after logout
In-Reply-To:
References:
Message-ID: <54342887.1090704@redhat.com>

Hi,

which type of application are you using? Is it JS application or application deployed on AS7/Wildfly/EAP6? Is your application deployed in cluster?
Right now logout doesn't work correctly for apps deployed on AS7/Wildfly in cluster.
Fix will be available in next version. Marek On 7.10.2014 18:26, Alexander Chriztopher wrote: > > Hi, > > I logout from my application either by a redirect to the logout url : > http://auth-server/auth/realms/{realm-name}/tokens/logout?redirect_uri=encodedRedirectUri > > or from the Keycloak console by ending all active sessions with the > "logout all" button but i still can go and navigate in my application > everytime. It is only when i stay idle for sometime that am forced to > login again in order to access my application. > > Anyone knows what this behaviour means ? I was expecting that i would > be forced to login as soon as i logout from my application. > > Regards. > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141007/b0381a41/attachment.html From mposolda at redhat.com Tue Oct 7 14:00:01 2014 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 07 Oct 2014 20:00:01 +0200 Subject: [keycloak-user] Still can access application after logout In-Reply-To: <54342887.1090704@redhat.com> References: <54342887.1090704@redhat.com> Message-ID: <54342A21.4080803@redhat.com> Also did you configure admin URL for your application? If your app is AS7/Wildfly you need to configure it for correct propagation of logout. It can be done in admin console in configuration of your application. Marek On 7.10.2014 19:53, Marek Posolda wrote: > Hi, > > which type of application are you using? Is it JS application or > application deployed on AS7/Wildfly/EAP6? Is your application deployed > in cluster? > Right now logout doesn't work correctly for apps deployed on > AS7/Wildfly in cluster. Fix will be available in next version. 
> > Marek > > On 7.10.2014 18:26, Alexander Chriztopher wrote: >> >> Hi, >> >> I logout from my application either by a redirect to the logout url : >> http://auth-server/auth/realms/{realm-name}/tokens/logout?redirect_uri=encodedRedirectUri >> >> or from the Keycloak console by ending all active sessions with the >> "logout all" button but i still can go and navigate in my application >> everytime. It is only when i stay idle for sometime that am forced to >> login again in order to access my application. >> >> Anyone knows what this behaviour means ? I was expecting that i would >> be forced to login as soon as i logout from my application. >> >> Regards. >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141007/45cb71aa/attachment-0001.html From bburke at redhat.com Tue Oct 7 14:47:57 2014 From: bburke at redhat.com (Bill Burke) Date: Tue, 07 Oct 2014 14:47:57 -0400 Subject: [keycloak-user] Still can access application after logout In-Reply-To: References: Message-ID: <5434355D.1090607@redhat.com> From admin console, navigating to an an application and invalidating all sessions for that application only doesn't log the user out of the SSO session. It only invalidates all of the application's http sessions. The logout url should work though. 
On 10/7/2014 12:26 PM, Alexander Chriztopher wrote: > Hi, > > I logout from my application either by a redirect to the logout url : > http://auth-server/auth/realms/{realm-name}/tokens/logout?redirect_uri=encodedRedirectUri > or from the Keycloak console by ending all active sessions with the > "logout all" button but i still can go and navigate in my application > everytime. It is only when i stay idle for sometime that am forced to > login again in order to access my application. > > Anyone knows what this behaviour means ? I was expecting that i would be > forced to login as soon as i logout from my application. > > Regards. > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Tue Oct 7 14:48:15 2014 From: bburke at redhat.com (Bill Burke) Date: Tue, 07 Oct 2014 14:48:15 -0400 Subject: [keycloak-user] Still can access application after logout In-Reply-To: References: Message-ID: <5434356F.7040706@redhat.com> Ah....maybe you didn't set a admin url? On 10/7/2014 12:26 PM, Alexander Chriztopher wrote: > Hi, > > I logout from my application either by a redirect to the logout url : > http://auth-server/auth/realms/{realm-name}/tokens/logout?redirect_uri=encodedRedirectUri > or from the Keycloak console by ending all active sessions with the > "logout all" button but i still can go and navigate in my application > everytime. It is only when i stay idle for sometime that am forced to > login again in order to access my application. > > Anyone knows what this behaviour means ? I was expecting that i would be > forced to login as soon as i logout from my application. > > Regards. 
> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From alexander.chriztopher at gmail.com Wed Oct 8 04:13:02 2014 From: alexander.chriztopher at gmail.com (Alexander Chriztopher) Date: Wed, 8 Oct 2014 10:13:02 +0200 Subject: [keycloak-user] Still can access application after logout In-Reply-To: <5434356F.7040706@redhat.com> References: <5434356F.7040706@redhat.com> Message-ID: Great, i have added an admin URL and it is all sorted. Thank you all for ur help. On Tue, Oct 7, 2014 at 8:48 PM, Bill Burke wrote: > Ah....maybe you didn't set a admin url? > > On 10/7/2014 12:26 PM, Alexander Chriztopher wrote: > > Hi, > > > > I logout from my application either by a redirect to the logout url : > > > http://auth-server/auth/realms/{realm-name}/tokens/logout?redirect_uri=encodedRedirectUri > > or from the Keycloak console by ending all active sessions with the > > "logout all" button but i still can go and navigate in my application > > everytime. It is only when i stay idle for sometime that am forced to > > login again in order to access my application. > > > > Anyone knows what this behaviour means ? I was expecting that i would be > > forced to login as soon as i logout from my application. > > > > Regards. > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141008/39e1776b/attachment.html

From alexander.chriztopher at gmail.com Wed Oct 8 06:28:09 2014
From: alexander.chriztopher at gmail.com (Alexander Chriztopher)
Date: Wed, 8 Oct 2014 12:28:09 +0200
Subject: [keycloak-user] How to get current user in my application
Message-ID:

Hi,

Am using Keycloak with my JEE 7 application deployed on Wildfly. I would like to get a handle on the currently authenticated user by doing this :

import javax.ejb.LocalBean;
import javax.faces.bean.SessionScoped;
import javax.inject.Named;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.SecurityContext;
import org.keycloak.KeycloakPrincipal;

@LocalBean
@Named
@SessionScoped
public class SessionController {

    @Context
    private SecurityContext securityContext;

    public void method() {
        KeycloakPrincipal principal = (KeycloakPrincipal) securityContext.getUserPrincipal();
    }
}

Unfortunately i get a NullPointerException on the call to securityContext. Am i doing things right ? Shouldn't i get a security context this way ?

Thanks for any help.

From stian at redhat.com Wed Oct 8 09:47:29 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Wed, 8 Oct 2014 09:47:29 -0400 (EDT)
Subject: [keycloak-user] Keycloak 1.0.2.Final released
In-Reply-To: <1130742028.64280615.1412776029225.JavaMail.zimbra@redhat.com>
Message-ID: <342511452.64280755.1412776049544.JavaMail.zimbra@redhat.com>

This is a maintenance release and contains only bug fixes and one minor security fix.
For full details look in JIRA (https://issues.jboss.org/issues/?jql=project%20%3D%20KEYCLOAK%20AND%20fixVersion%20%3D%201.0.2.Final%20AND%20resolution%20%3D%20Done)

From kotychok at gmail.com Wed Oct 8 15:43:10 2014
From: kotychok at gmail.com (Сергій Дзюбін)
Date: Wed, 8 Oct 2014 22:43:10 +0300
Subject: [keycloak-user] reset password over REST request.

Hello. What role does a user need to reset the password of another user by calling a REST request: /reset-password?

For example:

    $scope.setCredential = function(loginname) {
        $http.put("/admin/realms/" + auth.authz.realm + "/users/" + loginname + "/reset-password",
                  {PASSWORD : loginname, SECRET : loginname, temporary : true}).success(function() {
            console.log("Reset password to temporary OK!");
        });
    };

    $scope.createUser = function() {
        $http.post("http://localhost-auth:8080/auth/admin/realms/" + auth.authz.realm + "/users",
                   {username:"bob", enabled: true, firstName:"Bob", lastName:"Ivanov", emailVerified:false}).success(function() {
            $scope.setCredential("bob");
        });
    };

Thank you.

From rodrigopsasaki at gmail.com Wed Oct 8 16:08:41 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Wed, 8 Oct 2014 17:08:41 -0300
Subject: [keycloak-user] Problem Updating Account

Hi. I'm having some trouble with the account page.

I try updating my profile at http://serverUrl/auth/realms/{realm}/account

When I try editing my account info (firstName, email...) I have a problem when I hit save.

The processAccountUpdate method inside AccountService.java invokes a csrfCheck method, which checks if a stateChecker variable is present on my post, but it's always null, so I can never update my account info.

Is this a known bug?
Thanks again

-- 
Rodrigo Sasaki

From rodrigopsasaki at gmail.com Wed Oct 8 17:29:17 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Wed, 8 Oct 2014 18:29:17 -0300
Subject: [keycloak-user] Link to Account Page

Hello,

I am trying to create a link on our application to go directly to Keycloak's Account Page, so the user can alter his information, but it doesn't work.

I saw that there is a validation that assures that the referrer is the same as the server, for example: I can only access the account app inside my localhost:8080 if the referrer is also in localhost:8080.

Is it supposed to be like this? Is there a way for me to create a hyperlink from my application directly to Keycloak's Account Page? Given that my own application is secured by Keycloak, I think it should be possible.

Is this the correct behavior?

Thanks again!

-- 
Rodrigo Sasaki

From stian at redhat.com Thu Oct 9 03:23:54 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 9 Oct 2014 03:23:54 -0400 (EDT)
Subject: [keycloak-user] reset password over REST request.
Message-ID: <1802570145.64704005.1412839434008.JavaMail.zimbra@redhat.com>

If the admin user is in the master realm (admin realm role or manage-user on the -realm app):
http://docs.jboss.org/keycloak/docs/1.0.2.Final/userguide/html/admin-permissions.html

If the admin user is in the same realm as the user (manage-users on the realm-management app):
http://docs.jboss.org/keycloak/docs/1.0.2.Final/userguide/html/per-realm-admin-permissions.html

----- Original Message -----
> From: "Сергій Дзюбін"
> To: keycloak-user at lists.jboss.org
> Sent: Wednesday, 8 October, 2014 9:43:10 PM
> Subject: [keycloak-user] reset password over REST request.
>
> Hello. What role does a user need to reset the password of another user by
> calling a REST request: /reset-password?
> For example:
>
>     $scope.setCredential = function(loginname) {
>         $http.put("/admin/realms/" + auth.authz.realm + "/users/" + loginname + "/reset-password",
>                   {PASSWORD : loginname, SECRET : loginname, temporary : true}).success(function() {
>             console.log("Reset password to temporary OK!");
>         });
>     };
>
>     $scope.createUser = function() {
>         $http.post("http://localhost-auth:8080/auth/admin/realms/" + auth.authz.realm + "/users",
>                    {username:"bob", enabled: true, firstName:"Bob", lastName:"Ivanov", emailVerified:false}).success(function() {
>             $scope.setCredential("bob");
>         });
>     };
>
> Thank you.

From stian at redhat.com Thu Oct 9 04:34:26 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 9 Oct 2014 04:34:26 -0400 (EDT)
Subject: [keycloak-user] Problem Updating Account
Message-ID: <40325030.64750728.1412843666349.JavaMail.zimbra@redhat.com>

Not a known bug and it works fine here. I'll need more info:

* Browser
* KC version
* Is this with unmodified theme? If not can you try with the default theme and see if the problem exists there as well

Also, open http://serverUrl/auth/realms/{realm}/account. Then view source and check if it has a hidden input field with the name stateChecker. Then check if a cookie KEYCLOAK_STATE_CHECKER is set with the same value.

BTW the state checker is to prevent CSRF attack.

----- Original Message -----
> From: "Rodrigo Sasaki"
> To: keycloak-user at lists.jboss.org
> Sent: Wednesday, 8 October, 2014 10:08:41 PM
> Subject: [keycloak-user] Problem Updating Account
>
> Hi.
> I'm having some trouble with the account page.
>
> I try updating my profile at http://serverUrl/auth/realms/{realm}/account
>
> When I try editing my account info (firstName, email...) I have a problem
> when I hit save.
>
> The processAccountUpdate method inside AccountService.java invokes a
> csrfCheck method, which checks if a stateChecker variable is present on my
> post, but it's always null, so I can never update my account info.
>
> Is this a known bug?
>
> Thanks again
>
> --
> Rodrigo Sasaki

From stian at redhat.com Thu Oct 9 04:45:35 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 9 Oct 2014 04:45:35 -0400 (EDT)
Subject: [keycloak-user] Link to Account Page
Message-ID: <1893080597.64757326.1412844335170.JavaMail.zimbra@redhat.com>

You can link to the account page with the following link:

https:///auth/realms//account

You can also have an option to get a link back to your application by adding either the referrer or the referrer_uri query param:

* referrer - your application's id (this requires "Default Redirect URL" to be set for your application)
* referrer_uri - the uri to return to (this requires referrer_uri to be a valid redirect uri for your application)

We do this in the admin console, so you can look at how it works there. Login to the admin console, click on your username in the top-right corner, and click on 'Manage account'. In the account management there's now in the top-right corner 'Back to security-admin-console'. If you try to edit the url to remove '?referrer=security-admin-console' you'll see this link is no longer there.

I've got no idea what validation you're talking about that checks the referrer is the same as the server. Maybe it's the fact that for an update (post) we only allow a post originating from the Keycloak server?
That doesn't stop you from linking to the account page, but it stops you from posting to it.

----- Original Message -----
> From: "Rodrigo Sasaki"
> To: keycloak-user at lists.jboss.org
> Sent: Wednesday, 8 October, 2014 11:29:17 PM
> Subject: [keycloak-user] Link to Account Page
>
> Hello,
>
> I am trying to create a link on our application to go directly to Keycloak's
> Account Page, so the user can alter his information, but it doesn't work.
>
> I saw that there is a validation that assures that the referrer is the same
> as the server, for example: I can only access the account app inside my
> localhost:8080 if the referrer is also in localhost:8080.
>
> Is it supposed to be like this? Is there a way for me to create a hyperlink
> from my application directly to Keycloak's Account Page? Given that my own
> application is secured by Keycloak, I think it should be possible.
>
> Is this the correct behavior?
>
> Thanks again!
>
> --
> Rodrigo Sasaki

From stian at redhat.com Thu Oct 9 04:54:24 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 9 Oct 2014 04:54:24 -0400 (EDT)
Subject: [keycloak-user] How to get current user in my application
Message-ID: <767055758.64761926.1412844864606.JavaMail.zimbra@redhat.com>

See http://docs.jboss.org/keycloak/docs/1.0.2.Final/userguide/html/ch07.html#jboss-adapter, try adding @SecurityDomain("keycloak").

----- Original Message -----
> From: "Alexander Chriztopher"
> To: keycloak-user at lists.jboss.org
> Sent: Wednesday, 8 October, 2014 12:28:09 PM
> Subject: [keycloak-user] How to get current user in my application
>
> Hi,
>
> I am using Keycloak with my JEE 7 application deployed on Wildfly.
>
> I would like to get a handle on the currently authenticated user by doing
> this:
>
>     import javax.ejb.LocalBean;
>     import javax.faces.bean.SessionScoped;
>     import javax.inject.Named;
>
>     import javax.ws.rs.core.Context;
>     import javax.ws.rs.core.SecurityContext;
>
>     import org.keycloak.KeycloakPrincipal;
>
>     @LocalBean
>     @Named
>     @SessionScoped
>     public class SessionController {
>
>         @Context
>         private SecurityContext securityContext;
>
>         public void method() {
>             KeycloakPrincipal principal = (KeycloakPrincipal) securityContext.getUserPrincipal();
>         }
>     }
>
> Unfortunately I get a NullPointerException on the call to securityContext.
>
> Am I doing things right? Shouldn't I get a security context this way?
>
> Thanks for any help.

From alexander.chriztopher at gmail.com Thu Oct 9 06:28:47 2014
From: alexander.chriztopher at gmail.com (Alexander Chriztopher)
Date: Thu, 9 Oct 2014 12:28:47 +0200
Subject: [keycloak-user] How to get current user in my application
In-Reply-To: <767055758.64761926.1412844864606.JavaMail.zimbra@redhat.com>
References: <767055758.64761926.1412844864606.JavaMail.zimbra@redhat.com>

Added @SecurityDomain("keycloak") without any success! Still getting a NullPointerException.

The security is now working effectively by adding the @SecurityDomain annotation, as I had to add the annotation @PermitAll on my methods to be able to access my methods.

Are my imports the right ones?

    import javax.ws.rs.core.Context;
    import javax.ws.rs.core.SecurityContext;

On Thu, Oct 9, 2014 at 10:54 AM, Stian Thorgersen wrote:

> See
> http://docs.jboss.org/keycloak/docs/1.0.2.Final/userguide/html/ch07.html#jboss-adapter,
> try adding @SecurityDomain("keycloak").
>

From stian at redhat.com Thu Oct 9 06:59:22 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 9 Oct 2014 06:59:22 -0400 (EDT)
Subject: [keycloak-user] How to get current user in my application
References: <767055758.64761926.1412844864606.JavaMail.zimbra@redhat.com>
Message-ID: <949750755.64849328.1412852362846.JavaMail.zimbra@redhat.com>

Did you follow the steps in the documentation?
Including creating a security-domain?

----- Original Message -----
> From: "Alexander Chriztopher"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Thursday, 9 October, 2014 12:28:47 PM
> Subject: Re: [keycloak-user] How to get current user in my application
>
> Added @SecurityDomain("keycloak") without any success! Still getting a
> NullPointerException.
>
> The security is now working effectively by adding the @SecurityDomain
> annotation, as I had to add the annotation @PermitAll on my methods to be
> able to access my methods.
>
> Are my imports the right ones?
>
>     import javax.ws.rs.core.Context;
>     import javax.ws.rs.core.SecurityContext;
>
> On Thu, Oct 9, 2014 at 10:54 AM, Stian Thorgersen wrote:
>
From rodrigopsasaki at gmail.com Thu Oct 9 09:23:42 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Thu, 9 Oct 2014 10:23:42 -0300
Subject: [keycloak-user] Problem Updating Account
In-Reply-To: <40325030.64750728.1412843666349.JavaMail.zimbra@redhat.com>
References: <40325030.64750728.1412843666349.JavaMail.zimbra@redhat.com>

I use Chrome on Ubuntu and version 1.1-alpha-1

I'm using the default keycloak theme, but the stateChecker never gets sent with the form params, so it's always null and I get the error code

On Thu, Oct 9, 2014 at 5:34 AM, Stian Thorgersen wrote:

> Not a known bug and it works fine here. I'll need more info:
>
> * Browser
> * KC version
> * Is this with unmodified theme? If not can you try with the default theme
> and see if the problem exists there as well
>
> Also, open http://serverUrl/auth/realms/{realm}/account. Then view source
> and check if it has a hidden input field with the name stateChecker. Then
> check if a cookie KEYCLOAK_STATE_CHECKER is set with the same value.
>
> BTW the state checker is to prevent CSRF attack.
>
-- 
Rodrigo Sasaki

From stian at redhat.com Thu Oct 9 09:26:35 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 9 Oct 2014 09:26:35 -0400 (EDT)
Subject: [keycloak-user] Problem Updating Account
References: <40325030.64750728.1412843666349.JavaMail.zimbra@redhat.com>
Message-ID: <1812680801.64934440.1412861195003.JavaMail.zimbra@redhat.com>

There's no 1.1-alpha-1 ;)

Can you try with 1.0.2.Final and see if you have the same issue there? Also, please have a look at the html source and make sure the stateChecker hidden input field is there.

----- Original Message -----
> From: "Rodrigo Sasaki"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Thursday, 9 October, 2014 3:23:42 PM
> Subject: Re: [keycloak-user] Problem Updating Account
>
> I use Chrome on Ubuntu and version 1.1-alpha-1
>
> I'm using the default keycloak theme, but the stateChecker never gets sent
> with the form params, so it's always null and I get the error code
>
> On Thu, Oct 9, 2014 at 5:34 AM, Stian Thorgersen wrote:
>
> --
> Rodrigo Sasaki

From rodrigopsasaki at gmail.com Thu Oct 9 09:27:12 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Thu, 9 Oct 2014 10:27:12 -0300
Subject: [keycloak-user] Link to Account Page
In-Reply-To: <1893080597.64757326.1412844335170.JavaMail.zimbra@redhat.com>
References: <1893080597.64757326.1412844335170.JavaMail.zimbra@redhat.com>

When I invoke that URL it calls the init() method inside AccountService.java, and inside that method there is this verification:

    String referrer = headers.getRequestHeaders().getFirst("Referer");
    if (referrer != null && !requestOrigin.equals(UriUtils.getOrigin(referrer))) {
        throw new ForbiddenException();
    }

The referrer is from our server, but the requestOrigin points to the keycloak server, so they never match

On Thu, Oct 9, 2014 at 5:45 AM, Stian Thorgersen wrote:

> You can link to the account page with the following link:
>
> https:///auth/realms//account
>
> You can also have an option to get a link back to your application by
> adding either the referrer or the referrer_uri query param:
>
> * referrer - your application's id (this requires "Default Redirect URL" to
> be set for your application)
> * referrer_uri - the uri to return to (this requires referrer_uri to be a
> valid redirect uri for your application)
>
> We do this in the admin console, so you can look at how it works there.
> Login to the admin console, click on your username in the top-right corner,
> and click on 'Manage account'. In the account management there's now in the
> top-right corner 'Back to security-admin-console'. If you try to edit the url
> to remove '?referrer=security-admin-console' you'll see this link is no
> longer there.
>
> I've got no idea what validation you're talking about that checks the
> referrer is the same as the server. Maybe it's the fact that for an update
> (post) we only allow a post originating from the Keycloak server? That
> doesn't stop you from linking to the account page, but it stops you from
> posting to it.
>

-- 
Rodrigo Sasaki
From alexander.chriztopher at gmail.com Thu Oct 9 09:31:54 2014
From: alexander.chriztopher at gmail.com (Alexander Chriztopher)
Date: Thu, 9 Oct 2014 15:31:54 +0200
Subject: [keycloak-user] How to get current user in my application
In-Reply-To: <949750755.64849328.1412852362846.JavaMail.zimbra@redhat.com>
References: <767055758.64761926.1412844864606.JavaMail.zimbra@redhat.com> <949750755.64849328.1412852362846.JavaMail.zimbra@redhat.com>

Yes, I have done that in standalone.xml:

On Thu, Oct 9, 2014 at 12:59 PM, Stian Thorgersen wrote:

> Did you follow the steps in the documentation? Including creating a
> security-domain?
>
From stian at redhat.com Thu Oct 9 09:33:58 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 9 Oct 2014 09:33:58 -0400 (EDT)
Subject: [keycloak-user] Link to Account Page
References: <1893080597.64757326.1412844335170.JavaMail.zimbra@redhat.com>
Message-ID: <731018647.64941235.1412861638535.JavaMail.zimbra@redhat.com>

That's a bug, it should only be checking that if it's a post. Can you create a jira please?

----- Original Message -----
> From: "Rodrigo Sasaki"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Thursday, 9 October, 2014 3:27:12 PM
> Subject: Re: [keycloak-user] Link to Account Page
>
> When I invoke that URL it calls the init() method inside
> AccountService.java, and inside that method there is this verification:
>
>     String referrer = headers.getRequestHeaders().getFirst("Referer");
>     if (referrer != null &&
>             !requestOrigin.equals(UriUtils.getOrigin(referrer))) {
>         throw new ForbiddenException();
>     }
>
> The referrer is from our server, but the requestOrigin points to the
> keycloak server, so they never match
>
> On Thu, Oct 9, 2014 at 5:45 AM, Stian Thorgersen wrote:
>
> --
> Rodrigo Sasaki

From rodrigopsasaki at gmail.com Thu Oct 9 09:36:32 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Thu, 9 Oct 2014 10:36:32 -0300
Subject: [keycloak-user] Problem Updating Account
In-Reply-To: <1812680801.64934440.1412861195003.JavaMail.zimbra@redhat.com>
References: <40325030.64750728.1412843666349.JavaMail.zimbra@redhat.com> <1812680801.64934440.1412861195003.JavaMail.zimbra@redhat.com>

There used to be one; we built from sources shortly after 1.0.Final was released, maybe we had some conflicting files. We didn't have the hidden input field on the account template.

It's fixed now. Thanks, Stian!

On Thu, Oct 9, 2014 at 10:26 AM, Stian Thorgersen wrote:

> There's no 1.1-alpha-1 ;)
>
> Can you try with 1.0.2.Final and see if you have the same issue there?
> Also, please have a look at the html source and make sure the stateChecker
> hidden input field is there.
>
Then view > source > > > and check if it has a hidden input field with the name stateChecker. > Then > > > check if a cookie KEYCLOAK_STATE_CHECKER is set with the same value. > > > > > > BTW the state checker is to prevent CSRF attack. > > > > > > ----- Original Message ----- > > > > From: "Rodrigo Sasaki" > > > > To: keycloak-user at lists.jboss.org > > > > Sent: Wednesday, 8 October, 2014 10:08:41 PM > > > > Subject: [keycloak-user] Problem Updating Account > > > > > > > > Hi. I'm having some trouble with the account page. > > > > > > > > I try updating my profile at > > > http://serverUrl/auth/realms/{realm}/account > > > > > > > > When I try editing my account info (firstName, email...) I have a > problem > > > > when I hit save. > > > > > > > > the processAccountUpdate method inside AccountService.java invokes a > > > > csrfCheck method, that checks if a stateChecker variable is present > on my > > > > post, but it's always null, so I can never update my account info. > > > > > > > > Is this a known bug? > > > > > > > > Thanks again > > > > > > > > -- > > > > Rodrigo Sasaki > > > > > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > -- > > Rodrigo Sasaki > > > -- Rodrigo Sasaki -------------- next part -------------- An HTML attachment was scrubbed... 
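The stateChecker cookie/hidden-field pair Stian describes above, combined with the Referer-origin check from the "Link to Account Page" thread restricted to POST (the fix discussed for KEYCLOAK-746), as an added Python illustration; this is not Keycloak's own code, and the request shape, URLs and token generation are assumptions:

```python
"""Method-aware CSRF checks for a Keycloak-style account page.

Added illustration, not Keycloak's code. It models the two protections the
thread describes: the Referer-origin check (which must apply only to POST)
and the stateChecker double-submit token. All input is constructed.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

STATE_COOKIE = "KEYCLOAK_STATE_CHECKER"  # cookie name from the thread
STATE_FIELD = "stateChecker"             # hidden form field name from the thread


@dataclass
class Request:
    """Minimal stand-in for the request the account service sees (assumed shape)."""
    method: str
    url: str                                  # URL the server received the request on
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def origin_of(url: str) -> str:
    """scheme://host[:port] of a URL, the part compared against the Referer."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def new_state_checker() -> str:
    """Fresh random token; the server sets it as the cookie AND renders it into the form."""
    return secrets.token_urlsafe(32)


def hidden_state_field(token: str) -> str:
    """The hidden input the account template has to render (the field Rodrigo's build lacked)."""
    return f'<input type="hidden" name="{STATE_FIELD}" value="{token}">'


def check_account_request(req: Request) -> tuple[bool, str]:
    """Decide whether the account page may serve `req`; returns (allowed, reason)."""
    # Reads change nothing, so a deep link from another application (Referer on a
    # foreign origin) must be served. Applying the origin check to GET as well is
    # the bug reported as KEYCLOAK-746.
    if req.method.upper() != "POST":
        return True, "read-only request, no CSRF check"

    # Update: if a Referer is present it must come from this server's origin
    # (the check quoted from AccountService.init(), now limited to POST).
    referer = req.headers.get("Referer")
    if referer is not None and origin_of(referer) != origin_of(req.url):
        return False, "Referer origin differs from the server origin"

    # Double-submit token: cookie and hidden field must both be present and equal.
    # A foreign page can make the browser send the cookie but cannot read it to
    # copy it into the form, so a cross-site POST stops here.
    cookie = req.cookies.get(STATE_COOKIE)
    submitted = req.form.get(STATE_FIELD)
    if not cookie or not submitted:
        return False, "stateChecker missing from cookie or form"
    if not hmac.compare_digest(cookie.encode(), submitted.encode()):
        return False, "stateChecker does not match the cookie"
    return True, "update accepted"


ACCOUNT_URL = "https://sso.example.test/auth/realms/demo/account"  # constructed


def demo() -> list[tuple[str, bool, str]]:
    """Run the constructed cases the thread discusses and return the verdicts."""
    token = new_state_checker()
    cases = {
        "deep link from another application (GET)": Request(
            "GET", ACCOUNT_URL, headers={"Referer": "https://app.example.test/profile"}),
        "legitimate update from the account form": Request(
            "POST", ACCOUNT_URL, headers={"Referer": ACCOUNT_URL},
            cookies={STATE_COOKIE: token}, form={STATE_FIELD: token, "email": "me@example.test"}),
        "template without the hidden field (stateChecker null)": Request(
            "POST", ACCOUNT_URL, headers={"Referer": ACCOUNT_URL},
            cookies={STATE_COOKIE: token}, form={"email": "me@example.test"}),
        "cross-site POST (the case Stian describes)": Request(
            "POST", ACCOUNT_URL, headers={"Referer": "https://other.example.test/"},
            cookies={STATE_COOKIE: token}, form={"email": "changed@example.test"}),
    }
    return [(name, *check_account_request(r)) for name, r in cases.items()]


if __name__ == "__main__":
    for name, allowed, reason in demo():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name}: {reason}")
```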
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141009/2a1d6857/attachment.html From rodrigopsasaki at gmail.com Thu Oct 9 09:54:07 2014 From: rodrigopsasaki at gmail.com (Rodrigo Sasaki) Date: Thu, 9 Oct 2014 10:54:07 -0300 Subject: [keycloak-user] Link to Account Page In-Reply-To: <731018647.64941235.1412861638535.JavaMail.zimbra@redhat.com> References: <1893080597.64757326.1412844335170.JavaMail.zimbra@redhat.com> <731018647.64941235.1412861638535.JavaMail.zimbra@redhat.com> Message-ID: JIRA created: https://issues.jboss.org/browse/KEYCLOAK-746 Just out of curiosity, how would that be fixed? A simple test on request.getHttpMethod? or with something a little more complex? On Thu, Oct 9, 2014 at 10:33 AM, Stian Thorgersen wrote: > That's a bug, it should only be checking that if it's a post. Can you > create a jira please? > > ----- Original Message ----- > > From: "Rodrigo Sasaki" > > To: "Stian Thorgersen" > > Cc: keycloak-user at lists.jboss.org > > Sent: Thursday, 9 October, 2014 3:27:12 PM > > Subject: Re: [keycloak-user] Link to Account Page > > > > When I invoke that URL it calls the init() method, inside > > AccountService.java and inside that method there is this verification: > > > > String referrer = headers.getRequestHeaders().getFirst("Referer"); > > if (referrer != null && > > !requestOrigin.equals(UriUtils.getOrigin(referrer))) { > > throw new ForbiddenException(); > > } > > > > the referrer is from our server, but the requestOrigin points to the > > keycloak server, so they never match > > > > On Thu, Oct 9, 2014 at 5:45 AM, Stian Thorgersen > wrote: > > > > > You can link to the account page with the following link: > > > > > > https:///auth/realms//account > > > > > > You can also have an option to get a link back to your application by > > > adding either referrer or referrer_uri query param: > > > > > > * referrer - your application's id (this requires "Default Redirect > URL" to > > > be set for your application) > > > * 
referrer_uri - the uri to return to (this requires referrer_uri to > be a > > > valid redirect uri for your application) > > > > > > We do this in the admin console, so you can look at how it works there. > > > Login to the admin console, click on your username in the top-right > corner, > > > and click on 'Manage account'. In the account management there's now > in the > > > top-right corner 'Back to security-admin-console'. If you try edit the > url > > > to remove '?referrer=security-admin-console' you'll see this link is no > > > longer there. > > > > > > > > > I've got no idea what validation you're talking about that that checks > the > > > referrer is the same as the server. Maybe it's the fact that for an > update > > > (post) we only allow a post originating from the Keycloak server? That > > > doesn't stop you from linking to the account page, but it stops you > from > > > posting to it. > > > > > > ----- Original Message ----- > > > > From: "Rodrigo Sasaki" > > > > To: keycloak-user at lists.jboss.org > > > > Sent: Wednesday, 8 October, 2014 11:29:17 PM > > > > Subject: [keycloak-user] Link to Account Page > > > > > > > > Hello, > > > > > > > > I am trying to create a link on our application to go directly to > > > Keycloak's > > > > Account Page, so the user can alter his information, but it doesn't > work. > > > > > > > > I saw that there is a validation that assures that the referrer is > the > > > same > > > > as the server, for example: I can only access the account app inside > my > > > > localhost:8080 if the referrer is also in localhost:8080. > > > > > > > > Is it supposed to be like this? Is there a way for me to create a > > > hyperlink > > > > from my application directly to Keycloak's Account Page? Given that > my > > > own > > > > application is secured by Keycloak, I think it should be possible. > > > > > > > > Is this the correct behavior? > > > > > > > > Thanks again! 
> > > > > > > > -- > > > > Rodrigo Sasaki > > > > > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > -- > > Rodrigo Sasaki > > > -- Rodrigo Sasaki -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141009/d41568c1/attachment.html From juraci at kroehling.de Thu Oct 9 09:58:23 2014 From: juraci at kroehling.de (Juraci Paixão Kröhling) Date: Thu, 09 Oct 2014 15:58:23 +0200 Subject: [keycloak-user] How to get current user in my application In-Reply-To: References: <767055758.64761926.1412844864606.JavaMail.zimbra@redhat.com> <949750755.64849328.1412852362846.JavaMail.zimbra@redhat.com> Message-ID: <5436947F.20802@kroehling.de> Alexander, On 10/09/2014 03:31 PM, Alexander Chriztopher wrote: > yes i have done that in : standalone.xml : I have a similar setup done for a pet project: https://github.com/jpkrohling/cascaio/tree/master/backend/src/main/webapp/WEB-INF Instead of adding SecurityDomain for each EJB, I've added a jboss-ejb3.xml, applying the "keycloak" security domain to all EJBs there. And this is a sample EJB protected by Keycloak: https://github.com/jpkrohling/cascaio/blob/master/backend/src/main/java/com/cascaio/backend/v1/boundary/admin/BatchService.java Provided that your Wildfly is correctly configured, this is all that should be required to get it to work. -- Juca. 
From stian at redhat.com Thu Oct 9 10:07:19 2014 From: stian at redhat.com (Stian Thorgersen) Date: Thu, 9 Oct 2014 10:07:19 -0400 (EDT) Subject: [keycloak-user] Link to Account Page In-Reply-To: References: <1893080597.64757326.1412844335170.JavaMail.zimbra@redhat.com> <731018647.64941235.1412861638535.JavaMail.zimbra@redhat.com> Message-ID: <2123119869.64977917.1412863639280.JavaMail.zimbra@redhat.com> I reckon request.getHttpMethod should be what's needed ----- Original Message ----- > From: "Rodrigo Sasaki" > To: "Stian Thorgersen" > Cc: keycloak-user at lists.jboss.org > Sent: Thursday, 9 October, 2014 3:54:07 PM > Subject: Re: [keycloak-user] Link to Account Page > > JIRA created: https://issues.jboss.org/browse/KEYCLOAK-746 > > Just out of curiosity, how would that be fixed? A simple test on > request.getHttpMethod? or with something a little more complex? > > On Thu, Oct 9, 2014 at 10:33 AM, Stian Thorgersen wrote: > > > That's a bug, it should only be checking that if it's a post. Can you > > create a jira please? 
> > > > ----- Original Message ----- > > > From: "Rodrigo Sasaki" > > > To: "Stian Thorgersen" > > > Cc: keycloak-user at lists.jboss.org > > > Sent: Thursday, 9 October, 2014 3:27:12 PM > > > Subject: Re: [keycloak-user] Link to Account Page > > > > > > When I invoke that URL it calles the init() method, inside > > > AccountService.java and inside that method there is this verification: > > > > > > String referrer = headers.getRequestHeaders().getFirst("Referer"); > > > if (referrer != null && > > > !requestOrigin.equals(UriUtils.getOrigin(referrer))) { > > > throw new ForbiddenException(); > > > } > > > > > > the referrer is from our server, but the requestOrigin points to the > > > keycloak server, so they never match > > > > > > On Thu, Oct 9, 2014 at 5:45 AM, Stian Thorgersen > > wrote: > > > > > > > You can link to the account page with the following link: > > > > > > > > https:///auth/realms//account > > > > > > > > You can also have an option to get a link back to your application by > > > > adding either referrer or referrer_uri query param: > > > > > > > > * referrer - your applications id (this requires "Default Redirect > > URL" to > > > > be set for your application) > > > > * referrer_uri - the uri to return to (this requires referrer_uri to > > be a > > > > valid redirect uri for your application) > > > > > > > > We do this in the admin console, so you can look at how it works there. > > > > Login to the admin console, click on your username in the top-right > > corner, > > > > and click on 'Manage account'. In the account management there's now > > in the > > > > top-right corner 'Back to security-admin-console'. If you try edit the > > url > > > > to remove '?referrer=security-admin-console' you'll see this link is no > > > > longer there. > > > > > > > > > > > > I've got no idea what validation you're talking about that that checks > > the > > > > referrer is the same as the server. 
Maybe it's the fact that for an > > update > > > > (post) we only allow a post originating from the Keycloak server? That > > > > doesn't stop you from linking to the account page, but it stops you > > from > > > > posting to it. > > > > > > > > ----- Original Message ----- > > > > > From: "Rodrigo Sasaki" > > > > > To: keycloak-user at lists.jboss.org > > > > > Sent: Wednesday, 8 October, 2014 11:29:17 PM > > > > > Subject: [keycloak-user] Link to Account Page > > > > > > > > > > Hello, > > > > > > > > > > I am trying to create a link on our application to go directly to > > > > Keycloak's > > > > > Account Page, so the user can alter his information, but it doesn't > > work. > > > > > > > > > > I saw that there is a validation that assures that the referrer is > > the > > > > same > > > > > as the server, for example: I can only access the account app inside > > my > > > > > localhost:8080 if the referrer is also in localhost:8080. > > > > > > > > > > Is it supposed to be like this? Is there a way for me to create a > > > > hyperlink > > > > > from my application directly to Keycloak's Account Page? Given that > > my > > > > own > > > > > application is secured by Keycloak, I think it should be possible. > > > > > > > > > > Is this the correct behavior? > > > > > > > > > > Thanks again! > > > > > > > > > > -- > > > > > Rodrigo Sasaki > > > > > > > > > > _______________________________________________ > > > > > keycloak-user mailing list > > > > > keycloak-user at lists.jboss.org > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > > > > > > -- > > > Rodrigo Sasaki > > > > > > > > > -- > Rodrigo Sasaki > From alarik at zwift.com Thu Oct 9 12:18:36 2014 From: alarik at zwift.com (Alarik Myrin) Date: Thu, 9 Oct 2014 12:18:36 -0400 Subject: [keycloak-user] What is the point of the cancel button on the log-in screen? 
Message-ID: At least with the Wildfly adapter, clicking cancel gets you a HTTP 400 -- Bad Request on your protected resource, and doing something more graceful would take some thinking. It's not clear to me what *should* happen when clicking cancel. Users in a browser have a back button, or a button to close the tab, and they can always use that to get out of the login screen. Maybe the cancel button should just be removed? Alarik -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141009/e824cd3a/attachment.html From ssilvert at redhat.com Thu Oct 9 12:46:28 2014 From: ssilvert at redhat.com (Stan Silvert) Date: Thu, 09 Oct 2014 12:46:28 -0400 Subject: [keycloak-user] What is the point of the cancel button on the log-in screen? In-Reply-To: References: Message-ID: <5436BBE4.4040102@redhat.com> I guess I'm stating the obvious, but the cancel button should take you back to where you were before being challenged by the login screen. To the extent that is possible, the cancel button should stay. We should never rely on the back button. I just tried it on our demo and recreated the 400 error. We should fix this if possible. On 10/9/2014 12:18 PM, Alarik Myrin wrote: > At least with the Wildfly adapter, clicking cancel gets you a HTTP 400 > -- Bad Request on your protected resource, and doing something more > graceful would take some thinking. > > It's not clear to me what *should* happen when clicking cancel. Users > in a browser have a back button, or a button to close the tab, and > they can always use that to get out of the login screen. > > Maybe the cancel button should just be removed? > > Alarik > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141009/a88dec3f/attachment.html From bburke at redhat.com Thu Oct 9 13:02:18 2014 From: bburke at redhat.com (Bill Burke) Date: Thu, 09 Oct 2014 13:02:18 -0400 Subject: [keycloak-user] What is the point of the cancel button on the log-in screen? In-Reply-To: <5436BBE4.4040102@redhat.com> References: <5436BBE4.4040102@redhat.com> Message-ID: <5436BF9A.7070807@redhat.com> We would have to remember referrer information somehow via the adapter to know where to redirect to. This cancel redirection URL would be an extension to OIDC I think and would need to be validated so that we don't create an open redirector security vulnerability. Maybe we should just show a Keycloak rendered error page? On 10/9/2014 12:46 PM, Stan Silvert wrote: > I guess I'm stating the obvious, but the cancel button should take you > back to where you were before being challenged by the login screen. To > the extent that is possible, the cancel button should stay. We should > never rely on the back button. > > I just tried it on our demo and recreated the 400 error. We should fix > this if possible. > > On 10/9/2014 12:18 PM, Alarik Myrin wrote: >> At least with the Wildfly adapter, clicking cancel gets you a HTTP 400 >> -- Bad Request on your protected resource, and doing something more >> graceful would take some thinking. >> >> It's not clear to me what *should* happen when clicking cancel. Users >> in a browser have a back button, or a button to close the tab, and >> they can always use that to get out of the login screen. >> >> Maybe the cancel button should just be removed? 
>> >> Alarik >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From traviskds at gmail.com Thu Oct 9 23:15:36 2014 From: traviskds at gmail.com (Travis De Silva) Date: Fri, 10 Oct 2014 14:15:36 +1100 Subject: [keycloak-user] Pure Client Javascript Adapter - fragment problem - KEYCLOAK-546 In-Reply-To: <726319262.62752332.1412662827904.JavaMail.zimbra@redhat.com> References: <726319262.62752332.1412662827904.JavaMail.zimbra@redhat.com> Message-ID: I was able to solve this issue by not bootstrapping the Angular app using the ng-app directive on the html tag but using the manual command that you have in app.js (i.e. angular.bootstrap(document, ["product"]); I think previously my app was getting loaded before the Auth provider is created and that was causing issues and now with this change, everything works fine. Hope if someone else has this issue it will be of use. On Tue, Oct 7, 2014 at 5:20 PM, Stian Thorgersen wrote: > If you can extend angular-product-app to make the issues happen there, or > point me to an app where it does, I'll fix it. > > ----- Original Message ----- > > From: "Travis De Silva" > > To: keycloak-user at lists.jboss.org > > Sent: Tuesday, 7 October, 2014 2:18:41 AM > > Subject: [keycloak-user] Pure Client Javascript Adapter - fragment > problem - KEYCLOAK-546 > > > > Hi, > > > > Not sure if anyone else has faced this issue but I don't seem to be able > to > > get the Pure client javascript adapter working. 
> > > > I am sort of following the same style as per the example > angular-product-app > > but unlike the example, my application has many routers and I use the > > angular ui-router to manage my routers in angular. > > > > The Keycloak login page comes up properly and once I provide the valid > > credentials, it authenticates properly as well but the issue is with the > > redirect. > > > > I tried many different things and one common issue I noticed was that the > > redirect_uri and redirect_fragment query parameters does not seem to be > > correct. > > > > In fact it seems to be identical to this Jira issue raised by Bill > sometime > > back https://issues.jboss.org/browse/KEYCLOAK-546 > > > > I wonder if this issue is still present in the 1.0.1 final release or if > its > > resolved and maybe I am not doing something right. > > > > Appreciate any help. > > > > Cheers > > Travis > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141010/7da61c7f/attachment.html From traviskds at gmail.com Thu Oct 9 23:20:54 2014 From: traviskds at gmail.com (Travis De Silva) Date: Fri, 10 Oct 2014 14:20:54 +1100 Subject: [keycloak-user] Link to Account Page In-Reply-To: <2123119869.64977917.1412863639280.JavaMail.zimbra@redhat.com> References: <1893080597.64757326.1412844335170.JavaMail.zimbra@redhat.com> <731018647.64941235.1412861638535.JavaMail.zimbra@redhat.com> <2123119869.64977917.1412863639280.JavaMail.zimbra@redhat.com> Message-ID: How I handle this issue is by having KeyCloak behind my Apache Reverse proxy. That way, the domain and port of my application and keycloak both are the same so there is no issue. 
Also not sure why you want to prevent a post because won't you have a use case why an end user can go into the account page that is linked from an application and change their info such as their credentials. I would assume that is a post action on the keycloak account forms. On Fri, Oct 10, 2014 at 1:07 AM, Stian Thorgersen wrote: > I reckon request.getHttpMethod should be what's needed > > ----- Original Message ----- > > From: "Rodrigo Sasaki" > > To: "Stian Thorgersen" > > Cc: keycloak-user at lists.jboss.org > > Sent: Thursday, 9 October, 2014 3:54:07 PM > > Subject: Re: [keycloak-user] Link to Account Page > > > > JIRA created: https://issues.jboss.org/browse/KEYCLOAK-746 > > > > Just out of curiosity, how would that be fixed? A simple test on > > request.getHttpMethod? or with something a little more complex? > > > > On Thu, Oct 9, 2014 at 10:33 AM, Stian Thorgersen > wrote: > > > > > That's a bug, it should only be checking that if it's a post. Can you > > > create a jira please? 
> > > > > > ----- Original Message ----- > > > > From: "Rodrigo Sasaki" > > > > To: "Stian Thorgersen" > > > > Cc: keycloak-user at lists.jboss.org > > > > Sent: Thursday, 9 October, 2014 3:27:12 PM > > > > Subject: Re: [keycloak-user] Link to Account Page > > > > > > > > When I invoke that URL it calles the init() method, inside > > > > AccountService.java and inside that method there is this > verification: > > > > > > > > String referrer = headers.getRequestHeaders().getFirst("Referer"); > > > > if (referrer != null && > > > > !requestOrigin.equals(UriUtils.getOrigin(referrer))) { > > > > throw new ForbiddenException(); > > > > } > > > > > > > > the referrer is from our server, but the requestOrigin points to the > > > > keycloak server, so they never match > > > > > > > > On Thu, Oct 9, 2014 at 5:45 AM, Stian Thorgersen > > > wrote: > > > > > > > > > You can link to the account page with the following link: > > > > > > > > > > https:///auth/realms//account > > > > > > > > > > You can also have an option to get a link back to your application > by > > > > > adding either referrer or referrer_uri query param: > > > > > > > > > > * referrer - your applications id (this requires "Default Redirect > > > URL" to > > > > > be set for your application) > > > > > * referrer_uri - the uri to return to (this requires referrer_uri > to > > > be a > > > > > valid redirect uri for your application) > > > > > > > > > > We do this in the admin console, so you can look at how it works > there. > > > > > Login to the admin console, click on your username in the top-right > > > corner, > > > > > and click on 'Manage account'. In the account management there's > now > > > in the > > > > > top-right corner 'Back to security-admin-console'. If you try edit > the > > > url > > > > > to remove '?referrer=security-admin-console' you'll see this link > is no > > > > > longer there. 
> > > > > > > > > > > > > > > I've got no idea what validation you're talking about that that > checks > > > the > > > > > referrer is the same as the server. Maybe it's the fact that for an > > > update > > > > > (post) we only allow a post originating from the Keycloak server? > That > > > > > doesn't stop you from linking to the account page, but it stops you > > > from > > > > > posting to it. > > > > > > > > > > ----- Original Message ----- > > > > > > From: "Rodrigo Sasaki" > > > > > > To: keycloak-user at lists.jboss.org > > > > > > Sent: Wednesday, 8 October, 2014 11:29:17 PM > > > > > > Subject: [keycloak-user] Link to Account Page > > > > > > > > > > > > Hello, > > > > > > > > > > > > I am trying to create a link on our application to go directly to > > > > > Keycloak's > > > > > > Account Page, so the user can alter his information, but it > doesn't > > > work. > > > > > > > > > > > > I saw that there is a validation that assures that the referrer > is > > > the > > > > > same > > > > > > as the server, for example: I can only access the account app > inside > > > my > > > > > > localhost:8080 if the referrer is also in localhost:8080. > > > > > > > > > > > > Is it supposed to be like this? Is there a way for me to create a > > > > > hyperlink > > > > > > from my application directly to Keycloak's Account Page? Given > that > > > my > > > > > own > > > > > > application is secured by Keycloak, I think it should be > possible. > > > > > > > > > > > > Is this the correct behavior? > > > > > > > > > > > > Thanks again! 
> > > > > > > > > > > > -- > > > > > > Rodrigo Sasaki > > > > > > > > > > > > _______________________________________________ > > > > > > keycloak-user mailing list > > > > > > keycloak-user at lists.jboss.org > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > > > > > > > > > > > -- > > > > Rodrigo Sasaki > > > > > > > > > > > > > > > -- > > Rodrigo Sasaki > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141010/9d6bdb35/attachment-0001.html From stian at redhat.com Fri Oct 10 03:09:14 2014 From: stian at redhat.com (Stian Thorgersen) Date: Fri, 10 Oct 2014 03:09:14 -0400 (EDT) Subject: [keycloak-user] What is the point of the cancel button on the log-in screen? In-Reply-To: <5436BF9A.7070807@redhat.com> References: <5436BBE4.4040102@redhat.com> <5436BF9A.7070807@redhat.com> Message-ID: <2125276250.65460778.1412924954755.JavaMail.zimbra@redhat.com> The back button still submits the form, but instead of processing the login it redirects with error set. So it's already not an open redirect. We should fix the adapter to show an error page though. Another thing is that the adapter needs some way of customising error pages. ----- Original Message ----- > From: "Bill Burke" > To: keycloak-user at lists.jboss.org > Sent: Thursday, 9 October, 2014 7:02:18 PM > Subject: Re: [keycloak-user] What is the point of the cancel button on the log-in screen? > > We would have to remember referrer information somehow via the adapter to > know where to redirect to. This cancel redirection URL would be an > extension to OIDC I think and would need to be validated so that we > don't create an open redirector security vulnerability. 
Maybe we > should just show a Keycloak rendered error page? > > > On 10/9/2014 12:46 PM, Stan Silvert wrote: > > I guess I'm stating the obvious, but the cancel button should take you > > back to where you were before being challenged by the login screen. To > > the extent that is possible, the cancel button should stay. We should > > never rely on the back button. > > > > I just tried it on our demo and recreated the 400 error. We should fix > > this if possible. > > > > On 10/9/2014 12:18 PM, Alarik Myrin wrote: > >> At least with the Wildfly adapter, clicking cancel gets you a HTTP 400 > >> -- Bad Request on your protected resource, and doing something more > >> graceful would take some thinking. > >> > >> It's not clear to me what *should* happen when clicking cancel. Users > >> in a browser have a back button, or a button to close the tab, and > >> they can always use that to get out of the login screen. > >> > >> Maybe the cancel button should just be removed? > >> > >> Alarik > >> > >> > >> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From stian at redhat.com Fri Oct 10 03:13:00 2014 From: stian at redhat.com (Stian Thorgersen) Date: Fri, 10 Oct 2014 03:13:00 -0400 (EDT) Subject: [keycloak-user] Link to Account Page In-Reply-To: References: <1893080597.64757326.1412844335170.JavaMail.zimbra@redhat.com> <731018647.64941235.1412861638535.JavaMail.zimbra@redhat.com> 
<2123119869.64977917.1412863639280.JavaMail.zimbra@redhat.com> Message-ID: <432115492.65461698.1412925180225.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "Travis De Silva" > To: "Stian Thorgersen" > Cc: "Rodrigo Sasaki" , keycloak-user at lists.jboss.org > Sent: Friday, 10 October, 2014 5:20:54 AM > Subject: Re: [keycloak-user] Link to Account Page > > How I handle this issue is by having KeyCloak behind my Apache Reverse > proxy. That way, the domain and port of my application and keycloak both > are the same so there is no issue. That works, but there shouldn't be a requirement that Keycloak is on the same domain as your application. > > Also not sure why you want to prevent a post because won't you have a use > case why an end user can go into the account page that is linked from an > application and change their info such as their credentials. I would assume > that is a post action on the keycloak account forms. If there's no protection on post, then an external page can create a link that when clicked will change your account (if you're logged-in that is). For example to change your email address so they can then hijack your account. > > On Fri, Oct 10, 2014 at 1:07 AM, Stian Thorgersen wrote: > > > I reckon request.getHttpMethod should be what's needed > > > > ----- Original Message ----- > > > From: "Rodrigo Sasaki" > > > To: "Stian Thorgersen" > > > Cc: keycloak-user at lists.jboss.org > > > Sent: Thursday, 9 October, 2014 3:54:07 PM > > > Subject: Re: [keycloak-user] Link to Account Page > > > > > > JIRA created: https://issues.jboss.org/browse/KEYCLOAK-746 > > > > > > Just out of curiosity, how would that be fixed? A simple test on > > > request.getHttpMethod? or with something a little more complex? > > > > > > On Thu, Oct 9, 2014 at 10:33 AM, Stian Thorgersen > > wrote: > > > > > > > That's a bug, it should only be checking that if it's a post. Can you > > > > create a jira please? 
> > > > > ----- Original Message -----
> > > > > From: "Rodrigo Sasaki"
> > > > > To: "Stian Thorgersen"
> > > > > Cc: keycloak-user at lists.jboss.org
> > > > > Sent: Thursday, 9 October, 2014 3:27:12 PM
> > > > > Subject: Re: [keycloak-user] Link to Account Page
> > > > >
> > > > > When I invoke that URL it calls the init() method, inside
> > > > > AccountService.java and inside that method there is this verification:
> > > > >
> > > > >     String referrer = headers.getRequestHeaders().getFirst("Referer");
> > > > >     if (referrer != null && !requestOrigin.equals(UriUtils.getOrigin(referrer))) {
> > > > >         throw new ForbiddenException();
> > > > >     }
> > > > >
> > > > > the referrer is from our server, but the requestOrigin points to the
> > > > > keycloak server, so they never match
> > > > >
> > > > > On Thu, Oct 9, 2014 at 5:45 AM, Stian Thorgersen wrote:
> > > > >
> > > > > > You can link to the account page with the following link:
> > > > > >
> > > > > > https:///auth/realms//account
> > > > > >
> > > > > > You can also have an option to get a link back to your application by
> > > > > > adding either referrer or referrer_uri query param:
> > > > > >
> > > > > > * referrer - your application's id (this requires "Default Redirect URL" to
> > > > > >   be set for your application)
> > > > > > * referrer_uri - the uri to return to (this requires referrer_uri to be a
> > > > > >   valid redirect uri for your application)
> > > > > >
> > > > > > We do this in the admin console, so you can look at how it works there.
> > > > > > Login to the admin console, click on your username in the top-right corner,
> > > > > > and click on 'Manage account'. In the account management there's now in the
> > > > > > top-right corner 'Back to security-admin-console'. If you try to edit the url
> > > > > > to remove '?referrer=security-admin-console' you'll see this link is no
> > > > > > longer there.
> > > > > >
> > > > > > I've got no idea what validation you're talking about that checks the
> > > > > > referrer is the same as the server. Maybe it's the fact that for an update
> > > > > > (post) we only allow a post originating from the Keycloak server? That
> > > > > > doesn't stop you from linking to the account page, but it stops you from
> > > > > > posting to it.
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > > From: "Rodrigo Sasaki"
> > > > > > > To: keycloak-user at lists.jboss.org
> > > > > > > Sent: Wednesday, 8 October, 2014 11:29:17 PM
> > > > > > > Subject: [keycloak-user] Link to Account Page
> > > > > > >
> > > > > > > Hello,
> > > > > > >
> > > > > > > I am trying to create a link on our application to go directly to Keycloak's
> > > > > > > Account Page, so the user can alter his information, but it doesn't work.
> > > > > > >
> > > > > > > I saw that there is a validation that assures that the referrer is the same
> > > > > > > as the server, for example: I can only access the account app inside my
> > > > > > > localhost:8080 if the referrer is also in localhost:8080.
> > > > > > >
> > > > > > > Is it supposed to be like this? Is there a way for me to create a hyperlink
> > > > > > > from my application directly to Keycloak's Account Page? Given that my own
> > > > > > > application is secured by Keycloak, I think it should be possible.
> > > > > > >
> > > > > > > Is this the correct behavior?
> > > > > > >
> > > > > > > Thanks again!
> > > > > > >
> > > > > > > --
> > > > > > > Rodrigo Sasaki
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > keycloak-user mailing list
> > > > > > > keycloak-user at lists.jboss.org
> > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > >
> > > > > --
> > > > > Rodrigo Sasaki
> > >
> > > --
> > > Rodrigo Sasaki

From ssilvert at redhat.com Fri Oct 10 07:40:12 2014
From: ssilvert at redhat.com (Stan Silvert)
Date: Fri, 10 Oct 2014 07:40:12 -0400
Subject: [keycloak-user] What is the point of the cancel button on the log-in screen?
In-Reply-To: <2125276250.65460778.1412924954755.JavaMail.zimbra@redhat.com>
References: <5436BBE4.4040102@redhat.com> <5436BF9A.7070807@redhat.com> <2125276250.65460778.1412924954755.JavaMail.zimbra@redhat.com>
Message-ID: <5437C59C.4040009@redhat.com>

Does the cancel button EVER work properly?

I'm starting to side with Alarik. In any situation where we know the cancel button won't work, we need to either fix it or remove it.

On 10/10/2014 3:09 AM, Stian Thorgersen wrote:
> The back button still submits the form, but instead of processing the login redirects with error set. So it's already not an open redirect.
>
> We should fix the adapter to show an error page though. Another thing is that the adapter needs some way of customising error pages.
>
> ----- Original Message -----
>> From: "Bill Burke"
>> To: keycloak-user at lists.jboss.org
>> Sent: Thursday, 9 October, 2014 7:02:18 PM
>> Subject: Re: [keycloak-user] What is the point of the cancel button on the log-in screen?
>>
>> We would have to remember referrer information somehow via the adapter to
>> know where to redirect to. This cancel redirection URL would be an
>> extension to OIDC I think and would require to be validated so that we
>> don't create an open redirector security vulnerability. Maybe we
>> should just show a Keycloak rendered error page?
>>
>>
>> On 10/9/2014 12:46 PM, Stan Silvert wrote:
>>> I guess I'm stating the obvious, but the cancel button should take you
>>> back to where you were before being challenged by the login screen. To
>>> the extent that is possible, the cancel button should stay. We should
>>> never rely on the back button.
>>>
>>> I just tried it on our demo and recreated the 400 error. We should fix
>>> this if possible.
>>>
>>> On 10/9/2014 12:18 PM, Alarik Myrin wrote:
>>>> At least with the Wildfly adapter, clicking cancel gets you a HTTP 400
>>>> -- Bad Request on your protected resource, and doing something more
>>>> graceful would take some thinking.
>>>>
>>>> It's not clear to me what *should* happen when clicking cancel. Users
>>>> in a browser have a back button, or a button to close the tab, and
>>>> they can always use that to get out of the login screen.
>>>>
>>>> Maybe the cancel button should just be removed?
>>>>
>>>> Alarik
>>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com

From stian at redhat.com Fri Oct 10 07:48:32 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 10 Oct 2014 07:48:32 -0400 (EDT)
Subject: [keycloak-user] What is the point of the cancel button on the log-in screen?
In-Reply-To: <5437C59C.4040009@redhat.com>
References: <5436BBE4.4040102@redhat.com> <5436BF9A.7070807@redhat.com> <2125276250.65460778.1412924954755.JavaMail.zimbra@redhat.com> <5437C59C.4040009@redhat.com>
Message-ID: <1723087161.65732715.1412941712282.JavaMail.zimbra@redhat.com>

It's required, so don't remove.

If we don't have a cancel button there's no way for users to go back to the application if they don't want to login (or can't for some reason). Also, there are other situations where a login can fail, in which an error query param is returned to the application instead of a code. For example the oauth client grant page (a user can accept or reject giving the client the required permissions), etc. The adapters need to be able to handle these properly.

IMO if login is cancelled there are two basic use-cases:

* User clicked on a log in link - in this case the application should just return to the initial page
* User clicked on a page that requires login - in this case the application should probably show an 'unauthorized access' page which needs to be customizable by the application

----- Original Message -----
> From: "Stan Silvert"
> To: keycloak-user at lists.jboss.org
> Sent: Friday, 10 October, 2014 1:40:12 PM
> Subject: Re: [keycloak-user] What is the point of the cancel button on the log-in screen?
>
> Does the cancel button EVER work properly?
>
> I'm starting to side with Alarik. In any situation where we know the
> cancel button won't work, we need to either fix it or remove it.
From ssilvert at redhat.com Fri Oct 10 08:08:27 2014
From: ssilvert at redhat.com (Stan Silvert)
Date: Fri, 10 Oct 2014 08:08:27 -0400
Subject: [keycloak-user] What is the point of the cancel button on the log-in screen?
In-Reply-To: <1723087161.65732715.1412941712282.JavaMail.zimbra@redhat.com>
References: <5436BBE4.4040102@redhat.com> <5436BF9A.7070807@redhat.com> <2125276250.65460778.1412924954755.JavaMail.zimbra@redhat.com> <5437C59C.4040009@redhat.com> <1723087161.65732715.1412941712282.JavaMail.zimbra@redhat.com>
Message-ID: <5437CC3B.8090009@redhat.com>

On 10/10/2014 7:48 AM, Stian Thorgersen wrote:
> It's required, so don't remove.
>
> If we don't have a cancel button there's no way for users to go back to the application if they don't want to login (or can't for some reason). Also, there are other situations where a login can fail, in which an error query param is returned to the application instead of a code. For example the oauth client grant page (a user can accept or reject giving the client the required permissions), etc. The adapters need to be able to handle these properly. IMO if login is cancelled there are two basic use-cases:
>
> * User clicked on a log in link - in this case the application should just return to the initial page
This I agree with. Ideally, that's what the cancel button should always do.
> * User clicked on a page that requires login - in this case the application should probably show an 'unauthorized access' page which needs to be customizable by the application
In this case we should not have a button labeled "cancel". The user expects a cancel button to go back. So we shouldn't have a button that we know will yield unexpected results.

Perhaps we should have a help button instead that provides a friendly message about what is going on.
>
> ----- Original Message -----
>> From: "Stan Silvert"
>> To: keycloak-user at lists.jboss.org
>> Sent: Friday, 10 October, 2014 1:40:12 PM
>> Subject: Re: [keycloak-user] What is the point of the cancel button on the log-in screen?
>>
>> Does the cancel button EVER work properly?
>>
>> I'm starting to side with Alarik. In any situation where we know the
>> cancel button won't work, we need to either fix it or remove it.
From stian at redhat.com Fri Oct 10 08:18:55 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 10 Oct 2014 08:18:55 -0400 (EDT)
Subject: [keycloak-user] What is the point of the cancel button on the log-in screen?
In-Reply-To: <5437CC3B.8090009@redhat.com>
References: <5436BBE4.4040102@redhat.com> <5436BF9A.7070807@redhat.com> <2125276250.65460778.1412924954755.JavaMail.zimbra@redhat.com> <5437C59C.4040009@redhat.com> <1723087161.65732715.1412941712282.JavaMail.zimbra@redhat.com> <5437CC3B.8090009@redhat.com>
Message-ID: <2100243482.65746697.1412943535647.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Stan Silvert"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Friday, 10 October, 2014 2:08:27 PM
> Subject: Re: [keycloak-user] What is the point of the cancel button on the log-in screen?
>
> On 10/10/2014 7:48 AM, Stian Thorgersen wrote:
> > It's required, so don't remove.
> >
> > If we don't have a cancel button there's no way for users to go back to the
> > application if they don't want to login (or can't for some reason). Also,
> > there are other situations where a login can fail, in which an error query
> > param is returned to the application instead of a code. For example the oauth
> > client grant page (a user can accept or reject giving the client the
> > required permissions), etc. The adapters need to be able to handle these
> > properly. IMO if login is cancelled there are two basic use-cases:
> >
> > * User clicked on a log in link - in this case the application should just return
> > to the initial page
> This I agree with. Ideally, that's what the cancel button should always do.
> > * User clicked on a page that requires login - in this case the application
> > should probably show an 'unauthorized access' page which needs to be
> > customizable by the application
> In this case we should not have a button labeled "cancel". The user
> expects a cancel button to go back. So we shouldn't have a button that
> we know will yield unexpected results.
>
> Perhaps we should have a help button instead that provides a friendly
> message about what is going on.

I think we still should have a cancel button by default. The user may still want to go back to other parts of the app that don't require authentication. Also, as I mentioned there are other situations that result in similar errors that an application has to handle. Do we just throw an exception, and let the standard war error handling take care of it? In either case we should add something like it to our demo.

We could add an option to hide the cancel button though. Could for example add an optional query param "no_cancel".
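An added example, not code from the thread or from any Keycloak adapter, of how an application's callback handler could act on the two use-cases discussed above: it looks up the pending login by the OAuth state value, continues the flow when a code arrives, and when an error query param comes back instead either returns the user to the page they were on or hands off to the application's own unauthorized page. The callback URL, state values and the error value access_denied are constructed; the thread only says an error query param is returned instead of a code.

```python
from dataclasses import dataclass
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlsplit


@dataclass
class PendingLogin:
    return_to: str        # local path the user was on, kept server-side rather than in the redirect
    user_initiated: bool  # True: user clicked a "log in" link; False: a protected page forced the login


# Constructed session store keyed by the OAuth state value (one entry per login attempt).
SessionStore = Dict[str, PendingLogin]


def begin_login(session: SessionStore, state: str, return_to: str, user_initiated: bool) -> None:
    """Record where to send the user afterwards. Only a local path is accepted, so the
    return target can never turn into an open redirector (the concern raised above)."""
    if not return_to.startswith("/") or return_to.startswith("//"):
        raise ValueError("return_to must be a local path")
    session[state] = PendingLogin(return_to, user_initiated)


def handle_callback(session: SessionStore, callback_url: str) -> Tuple[str, str]:
    """Decide what the application does with a redirect back from the login page.
    Returns (action, detail): exchange_code / redirect / unauthorized / reject."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    state = query.get("state")
    # Consume the state whatever the outcome, so a replayed callback is rejected.
    pending = session.pop(state, None) if state else None
    if pending is None:
        return ("reject", "unknown or replayed state")
    if "code" in query:
        return ("exchange_code", query["code"])       # normal login: continue the OAuth flow
    error = query.get("error", "unknown_error")       # cancelled login or rejected grant: error instead of code
    if pending.user_initiated:
        return ("redirect", pending.return_to)         # use-case 1: back to the page they were on
    return ("unauthorized", error)                     # use-case 2: application's own unauthorized page


if __name__ == "__main__":
    session: SessionStore = {}
    begin_login(session, "state-1", "/news", user_initiated=True)
    # Constructed callback: the URL and error value are assumed, not taken from Keycloak.
    print(handle_callback(session, "https://app.example.com/cb?state=state-1&error=access_denied"))
```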
From traviskds at gmail.com Fri Oct 10 08:39:31 2014
From: traviskds at gmail.com (Travis De Silva)
Date: Fri, 10 Oct 2014 23:39:31 +1100
Subject: [keycloak-user] Link to Account Page
In-Reply-To: <432115492.65461698.1412925180225.JavaMail.zimbra@redhat.com>
References: <1893080597.64757326.1412844335170.JavaMail.zimbra@redhat.com> <731018647.64941235.1412861638535.JavaMail.zimbra@redhat.com> <2123119869.64977917.1412863639280.JavaMail.zimbra@redhat.com> <432115492.65461698.1412925180225.JavaMail.zimbra@redhat.com>
Message-ID:

with regard to protection on post, then what is the point of having the link on our application if the user cannot use the self serve functionality by changing their account details themselves? We would need this to be seamless for the end user right?

To protect the post in use cases such as what you described, shouldn't we just check the referrer in the request with the permitted redirect_url's for the application and then allow post based on that?

On Fri, Oct 10, 2014 at 6:13 PM, Stian Thorgersen wrote:

>
> ----- Original Message -----
> > From: "Travis De Silva"
> > To: "Stian Thorgersen"
> > Cc: "Rodrigo Sasaki" , keycloak-user at lists.jboss.org
> > Sent: Friday, 10 October, 2014 5:20:54 AM
> > Subject: Re: [keycloak-user] Link to Account Page
> >
> > How I handle this issue is by having KeyCloak behind my Apache Reverse
> > proxy. That way, the domain and port of my application and keycloak both
> > are the same so there is no issue.
>
> That works, but there shouldn't be a requirement that Keycloak is on the
> same domain as your application.
>
> >
> > Also not sure why you want to prevent a post because won't you have a use
> > case where an end user can go into the account page that is linked from an
> > application and change their info such as their credentials. I would assume
> > that is a post action on the keycloak account forms.
>
> If there's no protection on post, then an external page can create a link
> that when clicked will change your account (if you're logged-in that is).
> For example to change your email address so they can then hijack your
> account.
> >
> > On Fri, Oct 10, 2014 at 1:07 AM, Stian Thorgersen wrote:
> >
> > > I reckon request.getHttpMethod should be what's needed
> > >
> > > ----- Original Message -----
> > > > From: "Rodrigo Sasaki"
> > > > To: "Stian Thorgersen"
> > > > Cc: keycloak-user at lists.jboss.org
> > > > Sent: Thursday, 9 October, 2014 3:54:07 PM
> > > > Subject: Re: [keycloak-user] Link to Account Page
> > > >
> > > > JIRA created: https://issues.jboss.org/browse/KEYCLOAK-746
> > > >
> > > > Just out of curiosity, how would that be fixed? A simple test on
> > > > request.getHttpMethod? or with something a little more complex?
> > > >
> > > > On Thu, Oct 9, 2014 at 10:33 AM, Stian Thorgersen wrote:
> > > >
> > > > > That's a bug, it should only be checking that if it's a post. Can you
> > > > > create a jira please?
> > > > >
> > > > > ----- Original Message -----
> > > > > > From: "Rodrigo Sasaki"
> > > > > > To: "Stian Thorgersen"
> > > > > > Cc: keycloak-user at lists.jboss.org
> > > > > > Sent: Thursday, 9 October, 2014 3:27:12 PM
> > > > > > Subject: Re: [keycloak-user] Link to Account Page
> > > > > >
> > > > > > When I invoke that URL it calls the init() method, inside
> > > > > > AccountService.java and inside that method there is this verification:
> > > > > >
> > > > > >     String referrer = headers.getRequestHeaders().getFirst("Referer");
> > > > > >     if (referrer != null && !requestOrigin.equals(UriUtils.getOrigin(referrer))) {
> > > > > >         throw new ForbiddenException();
> > > > > >     }
> > > > > >
> > > > > > the referrer is from our server, but the requestOrigin points to the
> > > > > > keycloak server, so they never match
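An added example, not Keycloak's code, contrasting the Referer check quoted in this thread, which compares origins on every request, with the KEYCLOAK-746 proposal of applying it only to a POST: the application may link (GET) to the account page, while a POST is accepted only when it comes from the account pages on the Keycloak origin. get_origin is an assumed stand-in for UriUtils.getOrigin, and the hostnames and the require_referer option are constructed additions beyond what the thread states.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Default ports are dropped so that an explicit :443 and an implicit one compare equal.
DEFAULT_PORTS = {"http": 80, "https": 443}


def get_origin(url: str) -> str:
    """scheme://host[:port] of a URL. Assumed stand-in for UriUtils.getOrigin()."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port  # None when absent; raises ValueError if not numeric
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def referer_check_original(request_origin: str, referer: Optional[str]) -> bool:
    """The check quoted from AccountService.init(): any request carrying a Referer
    from another origin is forbidden, whatever the HTTP method. True = allowed."""
    if referer is not None and request_origin != get_origin(referer):
        return False
    return True


def referer_check_fixed(method: str, request_origin: str, referer: Optional[str],
                        require_referer: bool = False) -> bool:
    """KEYCLOAK-746 behaviour: only a POST must originate from the Keycloak origin,
    so an application can link to the account page but cannot post to it.
    require_referer=True is an addition beyond the thread: it also rejects a POST
    that carries no Referer at all, which the quoted check silently accepts."""
    if method.upper() != "POST":
        return True
    if referer is None:
        return not require_referer
    return request_origin == get_origin(referer)


# Constructed sample requests against the account pages; the hostnames are made up.
KEYCLOAK_ORIGIN = "https://kc.example.com"
SAMPLE_REQUESTS: List[Tuple[str, Optional[str]]] = [
    ("GET", "http://app.example.com:8080/profile"),                   # application links to the account page
    ("POST", "https://kc.example.com:443/auth/realms/demo/account"),  # form submitted from the account page
    ("POST", "http://app.example.com:8080/profile"),                  # post straight from the application
    ("POST", "https://other.example.net/page"),                       # cross-site post (the hijack case above)
    ("POST", None),                                                   # no Referer header at all
]


def evaluate(requests=SAMPLE_REQUESTS, request_origin: str = KEYCLOAK_ORIGIN):
    """(original, fixed, fixed with require_referer) decisions for each request."""
    return [
        (
            referer_check_original(request_origin, referer),
            referer_check_fixed(method, request_origin, referer),
            referer_check_fixed(method, request_origin, referer, require_referer=True),
        )
        for method, referer in requests
    ]


if __name__ == "__main__":
    for (method, referer), decision in zip(SAMPLE_REQUESTS, evaluate()):
        print(f"{method:4} Referer={referer!s:52} original/fixed/strict={decision}")
```

The first sample row is the case from the thread: the application's GET is refused by the original check and allowed by the fixed one, while a POST from anywhere but the Keycloak origin stays refused under both.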
From stian at redhat.com Fri Oct 10 08:47:49 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 10 Oct 2014 08:47:49 -0400 (EDT)
Subject: [keycloak-user] Link to Account Page
In-Reply-To:
References: <731018647.64941235.1412861638535.JavaMail.zimbra@redhat.com> <2123119869.64977917.1412863639280.JavaMail.zimbra@redhat.com> <432115492.65461698.1412925180225.JavaMail.zimbra@redhat.com>
Message-ID: <1051064109.65768968.1412945269825.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Travis De Silva"
> To: "Stian Thorgersen"
> Cc: "Rodrigo Sasaki" , keycloak-user at lists.jboss.org
> Sent: Friday, 10 October, 2014 2:39:31 PM
> Subject: Re: [keycloak-user] Link to Account Page
>
> with regard to protection on post, then what is the point of having the
> link on our application if the user cannot use the self serve functionality
> by changing their account details themselves? We would need this to be
> seamless for the end user right?

The application is allowed to link to a page on the account management. This will be a GET with Referer set to the application url. After that posting the form works just fine, as the Referer is now the account management page, not the app.

Basically, an application can link, but not post. Post can only be done from the account management pages themselves.

>
> To protect the post in use cases such as what you described, shouldn't we
> just check the referrer in the request with the permitted redirect_url's
> for the application and then allow post based on that?
> > works > > > > there. > > > > > > > > Login to the admin console, click on your username in the > > top-right > > > > > > corner, > > > > > > > > and click on 'Manage account'. In the account management > > there's > > > > now > > > > > > in the > > > > > > > > top-right corner 'Back to security-admin-console'. If you try > > edit > > > > the > > > > > > url > > > > > > > > to remove '?referrer=security-admin-console' you'll see this > > link > > > > is no > > > > > > > > longer there. > > > > > > > > > > > > > > > > > > > > > > > > I've got no idea what validation you're talking about that that > > > > checks > > > > > > the > > > > > > > > referrer is the same as the server. Maybe it's the fact that > > for an > > > > > > update > > > > > > > > (post) we only allow a post originating from the Keycloak > > server? > > > > That > > > > > > > > doesn't stop you from linking to the account page, but it > > stops you > > > > > > from > > > > > > > > posting to it. > > > > > > > > > > > > > > > > ----- Original Message ----- > > > > > > > > > From: "Rodrigo Sasaki" > > > > > > > > > To: keycloak-user at lists.jboss.org > > > > > > > > > Sent: Wednesday, 8 October, 2014 11:29:17 PM > > > > > > > > > Subject: [keycloak-user] Link to Account Page > > > > > > > > > > > > > > > > > > Hello, > > > > > > > > > > > > > > > > > > I am trying to create a link on our application to go > > directly to > > > > > > > > Keycloak's > > > > > > > > > Account Page, so the user can alter his information, but it > > > > doesn't > > > > > > work. > > > > > > > > > > > > > > > > > > I saw that there is a validation that assures that the > > referrer > > > > is > > > > > > the > > > > > > > > same > > > > > > > > > as the server, for example: I can only access the account app > > > > inside > > > > > > my > > > > > > > > > localhost:8080 if the referrer is also in localhost:8080. > > > > > > > > > > > > > > > > > > Is it supposed to be like this? 
Is there a way for me to > > create a > > > > > > > > hyperlink > > > > > > > > > from my application directly to Keycloak's Account Page? > > Given > > > > that > > > > > > my > > > > > > > > own > > > > > > > > > application is secured by Keycloak, I think it should be > > > > possible. > > > > > > > > > > > > > > > > > > Is this the correct behavior? > > > > > > > > > > > > > > > > > > Thanks again! > > > > > > > > > > > > > > > > > > -- > > > > > > > > > Rodrigo Sasaki > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > > > > keycloak-user mailing list > > > > > > > > > keycloak-user at lists.jboss.org > > > > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > Rodrigo Sasaki > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > Rodrigo Sasaki > > > > > > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > From traviskds at gmail.com Fri Oct 10 09:54:03 2014 From: traviskds at gmail.com (Travis De Silva) Date: Sat, 11 Oct 2014 00:54:03 +1100 Subject: [keycloak-user] Link to Account Page In-Reply-To: <1051064109.65768968.1412945269825.JavaMail.zimbra@redhat.com> References: <731018647.64941235.1412861638535.JavaMail.zimbra@redhat.com> <2123119869.64977917.1412863639280.JavaMail.zimbra@redhat.com> <432115492.65461698.1412925180225.JavaMail.zimbra@redhat.com> <1051064109.65768968.1412945269825.JavaMail.zimbra@redhat.com> Message-ID: This is what actually I am going. A link on my app when clicked with take the user to the account mgmt pages themselves where they can post and then using the return to app link on the top right hand, they can get back to my app. I think I misunderstood when you said you cannot post. 
What you are saying is if we are in the account mgmt page itself, then we can post. That clears the confusion I had. Thanks Stian.

On Fri, Oct 10, 2014 at 11:47 PM, Stian Thorgersen wrote:

> ----- Original Message -----
> > From: "Travis De Silva"
> > To: "Stian Thorgersen"
> > Cc: "Rodrigo Sasaki" , keycloak-user at lists.jboss.org
> > Sent: Friday, 10 October, 2014 2:39:31 PM
> > Subject: Re: [keycloak-user] Link to Account Page
> >
> > with regard to protection on post, then what is the point of having the link on our application if the user cannot use the self-serve functionality by changing their account details themselves? We would need this to be seamless for the end user right?
>
> The application is allowed to link to a page on the account management. This will be a GET with Referer set to the application url. After that posting the form works just fine, as the Referer is now the account management page, not the app.
>
> Basically, an application can link, but not post. Post can only be done from the account management pages themselves.
>
> > To protect the post in use cases such as what you described, shouldn't we just check the referrer in the request with the permitted redirect_url's for the application and then allow post based on that?
> >
> > On Fri, Oct 10, 2014 at 6:13 PM, Stian Thorgersen wrote:
> >
> > > [...]

From alarik at zwift.com Fri Oct 10 11:47:54 2014
From: alarik at zwift.com (Alarik Myrin)
Date: Fri, 10 Oct 2014 11:47:54 -0400
Subject: [keycloak-user] Is there a secret maximum SSO Idle Timeout
Message-ID:

A while ago I raised KEYCLOAK-686 about the fact that there is a secret maximum SSO Session Max Lifespan that is not evident or validated by the admin web application. I think the same thing is probably true of SSO Idle Timeout.
If I set this to something like 30 days, and I leave something idle overnight, I hit the SSO Idle Timeout anyway. I'm not sure what the real maximum is for SSO Idle Timeout, but it seems like it is maybe measured in hours.

Alarik

From juraci at kroehling.de Fri Oct 10 12:02:56 2014
From: juraci at kroehling.de (Juraci Paixão Kröhling)
Date: Fri, 10 Oct 2014 18:02:56 +0200
Subject: [keycloak-user] Authenticating non-interactive users
Message-ID: <54380330.3030609@kroehling.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello,

I'm assisting on a project that is about to implement Keycloak for user auth. They also need to authenticate/authorize non-interactive users (as in: nodes talking to a server) and are considering using Keycloak for that as well.

My first thought was to use OAuth, performing the initial OAuth flow during the first boot of the server and then publishing the refresh token to the nodes, so that they can get bearer tokens whenever they need to talk to the server.

While the above works in my PoC, it's not ideal:
- there has to be an unprotected resource, so that the node can get the refresh token
- the refresh token is related to the admin that first installed the server
- related to the above: auditing is harder, as the requests appear to come from said admin
- node and server are the same application from the user's perspective, so it makes no sense to have an "OAuth client" and an "Application" on Keycloak.
- having extra code for the initial OAuth flow seems a bit counterproductive

There are some examples where part of this scenario could be covered, like the "KeycloakInstalled" from the integration project, but it also doesn't seem to quite fit into this.

So, my questions would be:
- Would there be a better solution based on the latest Keycloak?
- If not, is this scenario something that would be interesting to implement?

The advantage I see in having this implemented on Keycloak instead of baking a new solution is that the application wouldn't need to care if the request is coming from a non-interactive user or a real user, as long as the proper roles are set. Also, having one single auth mechanism for both non-interactive and interactive users is far better than mixing mechanisms based on the path.

Juca.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJUOAMvAAoJEDnJtskdmzLMf6cH/2LqY4owURTI3mMaw8n3U1Ws
XARiU+QiXHeEaQ2BiMySIxHHZCC0kmi6z3eVv2Ku28daDjVUJmS+VlqLg7ogbt6J
jUH1SHAWtEvcJu32SsxJOzKkFQcEndv/FThABBa8Z4KW91SgWJdSPYbGWKVOyc72
XICPlD73l9zmnO4oJwr1oxy79pMbeX1/eiLox3ZgDgGwCKh/r5F8+LzhzPKWRWhM
RkcGzwaIclTysBlYjx1RrFObrEs2oK4gQ2TBSvmIjurSQVs7xrwb78xzTqGOrU5a
z7cInMQh5/4FJcFwRBKFjXQ8FcbyuLWTQ2elJsnD8VC2HTxRBecPKmD3Fa98WqM=
=DWdv
-----END PGP SIGNATURE-----

From bburke at redhat.com Fri Oct 10 13:29:24 2014
From: bburke at redhat.com (Bill Burke)
Date: Fri, 10 Oct 2014 13:29:24 -0400
Subject: [keycloak-user] Authenticating non-interactive users
In-Reply-To: <54380330.3030609@kroehling.de>
References: <54380330.3030609@kroehling.de>
Message-ID: <54381774.6050207@redhat.com>

We have a Direct grant REST API to obtain access/refresh token. You have to enable it in the admin console. Docs here: http://docs.jboss.org/keycloak/docs/1.0.2.Final/userguide/html/direct-access-grants.html

I don't recommend transmitting refresh tokens. They are supposed to stay local to the machine that requested the login.

On 10/10/2014 12:02 PM, Juraci Paixão Kröhling wrote:
> Hello,
>
> I'm assisting on a project that is about to implement Keycloak for user auth. They also need to authenticate/authorize non-interactive users (as in: nodes talking to a server) and are considering using Keycloak for that as well.
>
> My first thought was to use OAuth, performing the initial OAuth flow during the first boot of the server and then publishing the refresh token to the nodes, so that they can get bearer tokens whenever they need to talk to the server.
>
> While the above works in my PoC, it's not ideal:
> - there has to be an unprotected resource, so that the node can get the refresh token
> - the refresh token is related to the admin that first installed the server
> - related to the above: auditing is harder, as the requests appear to come from said admin
> - node and server are the same application from the user's perspective, so it makes no sense to have an "OAuth client" and an "Application" on Keycloak.
> - having extra code for the initial OAuth flow seems a bit counterproductive
>
> There are some examples where part of this scenario could be covered, like the "KeycloakInstalled" from the integration project, but it also doesn't seem to quite fit into this.
>
> So, my questions would be:
>
> - Would there be a better solution based on the latest Keycloak?
> - If not, is this scenario something that would be interesting to implement?
>
> The advantage I see in having this implemented on Keycloak instead of baking a new solution is that the application wouldn't need to care if the request is coming from a non-interactive user or a real user, as long as the proper roles are set. Also, having one single auth mechanism for both non-interactive and interactive users is far better than mixing mechanisms based on the path.
>
> Juca.
-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From alexander.chriztopher at gmail.com Fri Oct 10 13:49:58 2014
From: alexander.chriztopher at gmail.com (Alexander Chriztopher)
Date: Fri, 10 Oct 2014 19:49:58 +0200
Subject: [keycloak-user] org.keycloak.util.PemUtils.pemToDer Bad Base64 input character decimal
Message-ID:

Hi all,

I keep on having this error when I start my application:

19:45:36,232 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-8) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./cv-web: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./cv-web: Failed to start service
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_11]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_11]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_11]
Caused by: java.lang.RuntimeException: java.io.IOException: Bad Base64 input character decimal 36 in array position 0
    at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:37)
    at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:84)
    at org.keycloak.adapters.undertow.KeycloakServletExtension.handleDeployment(KeycloakServletExtension.java:104)
    at io.undertow.servlet.core.DeploymentManagerImpl.handleExtensions(DeploymentManagerImpl.java:240)
    at io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:149)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:87)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.start(UndertowDeploymentService.java:72)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
    ... 3 more
Caused by: java.io.IOException: Bad Base64 input character decimal 36 in array position 0
    at net.iharder.Base64.decode(Base64.java:1201)
    at net.iharder.Base64.decode(Base64.java:1256)
    at net.iharder.Base64.decode(Base64.java:1224)
    at org.keycloak.util.PemUtils.pemToDer(PemUtils.java:91)
    at org.keycloak.util.PemUtils.decodePublicKey(PemUtils.java:49)
    at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:35)
    ... 11 more

Anyone know where this comes from?

Everything was working fine until today, when I started getting this error. When I comment out my security stuff in web.xml it disappears.

Thanks for any help.
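Decimal 36 in the error above is the ASCII code of `$`, and "array position 0" says it was the very first character the decoder saw, which is what an unexpanded build-time placeholder such as Maven's `${...}` looks like once it has been written into keycloak.json in place of the key. The check below is an added example for this thread, not code from Keycloak or its adapters: it loads a keycloak.json, reports unexpanded placeholders and non-Base64 characters in `realm-public-key` (with the same wording as the adapter's decoder), and, if the value decodes, confirms the DER starts with an ASN.1 SEQUENCE tag. `realm-public-key` and `auth-server-url` are the standard adapter configuration keys; the `demo` realm, the `sso.example.test` URL and the key material (a constructed DER fragment, not a real public key) are made up for the example.

```python
"""Sanity-check the realm-public-key in a Keycloak adapter keycloak.json.

Added example for this thread; not code from Keycloak or its adapters.
The adapter error quoted above ("Bad Base64 input character decimal 36 in
array position 0") means the key value began with '$' (ASCII 36), which is
what an unexpanded build-time placeholder such as ${...} looks like.
"""
import base64
import binascii
import json
import re

# Maven-style placeholder that should have been replaced at build time.
PLACEHOLDER = re.compile(r"\$\{[^}]*\}")
# PEM armor lines such as -----BEGIN PUBLIC KEY-----, which a PEM-to-DER step strips.
PEM_ARMOR = re.compile(r"-----[^-]+-----")
BASE64_ALPHABET = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
)


def base64_body(pem_or_b64: str) -> str:
    """Return the Base64 payload with PEM armor and all whitespace removed."""
    return "".join(PEM_ARMOR.sub("", pem_or_b64).split())


def check_public_key(value: str) -> list:
    """Return the problems found in a realm-public-key value (empty if it looks valid)."""
    problems = []
    for match in PLACEHOLDER.finditer(value):
        problems.append(f"unexpanded placeholder {match.group(0)} at offset {match.start()}")
    body = base64_body(value)
    for index, char in enumerate(body):
        if char not in BASE64_ALPHABET:
            # Same wording as the decoder error in the stack trace above.
            problems.append(
                f"bad Base64 input character decimal {ord(char)} in array position {index}"
            )
            break
    if problems:
        return problems
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        return [f"Base64 decoding failed: {exc}"]
    # A DER-encoded SubjectPublicKeyInfo is an ASN.1 SEQUENCE, tag byte 0x30.
    if not der or der[0] != 0x30:
        problems.append("decoded value does not start with a DER SEQUENCE tag")
    return problems


def check_adapter_config(config: dict) -> list:
    """Check the keys that matter for public-key verification in an adapter config."""
    value = config.get("realm-public-key")
    if value is None:
        # Leaving the key out is allowed: the adapter fetches it from the server.
        if config.get("auth-server-url"):
            return []
        return ["neither realm-public-key nor auth-server-url is set"]
    if not isinstance(value, str):
        return ["realm-public-key must be a string"]
    return check_public_key(value)


def check_adapter_config_text(text: str) -> list:
    """Same check, starting from the raw keycloak.json text."""
    try:
        config = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"keycloak.json is not valid JSON: {exc}"]
    if not isinstance(config, dict):
        return ["keycloak.json must contain a JSON object"]
    return check_adapter_config(config)


# Constructed sample key material: a DER fragment that merely begins with a
# SEQUENCE tag (the RSA AlgorithmIdentifier), not a real public key.
SAMPLE_KEY_B64 = base64.b64encode(
    bytes.fromhex("300d06092a864886f70d0101010500")
).decode("ascii")

# Constructed keycloak.json as it would look before and after Maven filtering.
UNFILTERED_JSON = """{
  "realm": "demo",
  "realm-public-key": "${keycloak.realm.public.key}",
  "auth-server-url": "https://sso.example.test/auth",
  "ssl-required": "external",
  "resource": "cv-web"
}"""
FILTERED_JSON = UNFILTERED_JSON.replace("${keycloak.realm.public.key}", SAMPLE_KEY_B64)


if __name__ == "__main__":
    for label, text in (("unfiltered", UNFILTERED_JSON), ("filtered", FILTERED_JSON)):
        print(label, check_adapter_config_text(text) or "ok")
```

Running this against the packaged keycloak.json after filtering and before deployment turns the runtime `StartException` into a build failure with a message that names the leftover placeholder. A configuration that omits `realm-public-key` and relies on `auth-server-url` passes, which matches the alternative offered later in the thread.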
From bburke at redhat.com Fri Oct 10 15:00:10 2014
From: bburke at redhat.com (Bill Burke)
Date: Fri, 10 Oct 2014 15:00:10 -0400
Subject: [keycloak-user] org.keycloak.util.PemUtils.pemToDer Bad Base64 input character decimal
In-Reply-To:
References:
Message-ID: <54382CBA.8060806@redhat.com>

Your keycloak.json file is corrupted by accident.

On 10/10/2014 1:49 PM, Alexander Chriztopher wrote:
> Hi all,
>
> I keep on having this error when I start my application:
>
> 19:45:36,232 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-8) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./cv-web: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./cv-web: Failed to start service
> [...]
> Caused by: java.io.IOException: Bad Base64 input character decimal 36 in array position 0
>     at net.iharder.Base64.decode(Base64.java:1201)
>     at net.iharder.Base64.decode(Base64.java:1256)
>     at net.iharder.Base64.decode(Base64.java:1224)
>     at org.keycloak.util.PemUtils.pemToDer(PemUtils.java:91)
>     at org.keycloak.util.PemUtils.decodePublicKey(PemUtils.java:49)
>     at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:35)
>     ... 11 more
>
> Anyone know where this comes from?
>
> Everything was working fine until today, when I started getting this error. When I comment out my security stuff in web.xml it disappears.
>
> Thanks for any help.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From alexander.chriztopher at gmail.com Fri Oct 10 15:37:26 2014
From: alexander.chriztopher at gmail.com (Alexander Chriztopher)
Date: Fri, 10 Oct 2014 21:37:26 +0200
Subject: [keycloak-user] org.keycloak.util.PemUtils.pemToDer Bad Base64 input character decimal
In-Reply-To: <54382CBA.8060806@redhat.com>
References: <54382CBA.8060806@redhat.com>
Message-ID:

Thanks! Just noticed that.
It is because I am using Maven filtering to dynamically update the file for each of our environments.

What is the best practice to do this? Has anyone tried using Maven filtering successfully with this?

> On 10 Oct 2014, at 21:00, Bill Burke wrote:
>
> Your keycloak.json file is corrupted by accident.
>
>> On 10/10/2014 1:49 PM, Alexander Chriztopher wrote:
>> Hi all,
>>
>> I keep on having this error when I start my application:
>>
>> [...]
>>
>> Anyone know where this comes from?
>>
>> Everything was working fine until today, when I started getting this error. When I comment out my security stuff in web.xml it disappears.
>>
>> Thanks for any help.
From bburke at redhat.com Fri Oct 10 17:00:23 2014
From: bburke at redhat.com (Bill Burke)
Date: Fri, 10 Oct 2014 17:00:23 -0400
Subject: [keycloak-user] org.keycloak.util.PemUtils.pemToDer Bad Base64 input character decimal
In-Reply-To:
References: <54382CBA.8060806@redhat.com>
Message-ID: <543848E7.6070309@redhat.com>

You could just point to the admin server URL and leave out the public key in the keycloak.json file. The adapter will fetch the public key from the server. Let me know if that doesn't work.

On 10/10/2014 3:37 PM, Alexander Chriztopher wrote:
> Thanks! Just noticed that. It is because I am using Maven filtering to dynamically update the file for each of our environments.
>
> What is the best practice to do this? Has anyone tried using Maven filtering successfully with this?
>
>> On 10 Oct 2014, at 21:00, Bill Burke wrote:
>>
>> Your keycloak.json file is corrupted by accident.
>>
>>> On 10/10/2014 1:49 PM, Alexander Chriztopher wrote:
>>> [...]

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From prabhalar at yahoo.com Fri Oct 10 17:06:08 2014
From: prabhalar at yahoo.com (Raghuram)
Date: Fri, 10 Oct 2014 17:06:08 -0400
Subject: [keycloak-user] SPNEGO with Keycloak
Message-ID:

Has anyone tried out SPNEGO (Kerberos) authentication with Keycloak 1.0.2? If so, I would appreciate any input on how it can be achieved.
Sent from my iPhone -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141010/381ca435/attachment.html From bburke at redhat.com Fri Oct 10 17:11:46 2014 From: bburke at redhat.com (Bill Burke) Date: Fri, 10 Oct 2014 17:11:46 -0400 Subject: [keycloak-user] SPNEGO with Keycloak In-Reply-To: References: Message-ID: <54384B92.1060209@redhat.com> we don't support kerberos. On 10/10/2014 5:06 PM, Raghuram wrote: > >> Has anyone tried out SPNEGO (Kerberos) authentication with key cloak >> 1.0.2? If so, appreciate any input on how it can be achieved? > > Sent from my iPhone > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From prabhalar at yahoo.com Fri Oct 10 17:24:33 2014 From: prabhalar at yahoo.com (Raghuram) Date: Fri, 10 Oct 2014 17:24:33 -0400 Subject: [keycloak-user] SPNEGO with Keycloak In-Reply-To: <54384B92.1060209@redhat.com> References: <54384B92.1060209@redhat.com> Message-ID: <77BD4279-02DD-46F5-8365-119376263E5C@yahoo.com> Can I put in an enhancement request for at least some hooks as I am not sure how a custom federation provider could be written for SPNEGO negotiation. This feature will be useful for all organizations that invested in Kerberos infrastructure. > On Oct 10, 2014, at 5:11 PM, Bill Burke wrote: > > we don't support kerberos. > >> On 10/10/2014 5:06 PM, Raghuram wrote: >> >>> Has anyone tried out SPNEGO (Kerberos) authentication with key cloak >>> 1.0.2? If so, appreciate any input on how it can be achieved? 
>> >> Sent from my iPhone >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From juraci at kroehling.de Sat Oct 11 03:38:57 2014 From: juraci at kroehling.de (Juraci Paixão Kröhling) Date: Sat, 11 Oct 2014 09:38:57 +0200 Subject: [keycloak-user] Authenticating non-interactive users In-Reply-To: <54381774.6050207@redhat.com> References: <54380330.3030609@kroehling.de> <54381774.6050207@redhat.com> Message-ID: <5438DE91.60309@kroehling.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 10/10/2014 07:29 PM, Bill Burke wrote: > We have a Direct grant REST API to obtain access/refresh token. > You have to enable it in the admin console. Docs here: That would require storing the admin's plain text password somewhere (or creating a user for each node), right? If so, that's a no-go :-) - - Juca. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCgAGBQJUON6RAAoJEDnJtskdmzLMfv4H/0dE8tW6RipFSIwqZuwbnKrc cThrFv45G8fIqBSaYxz/tszsYB+lsQHzZ+xVeAJsjvJrDXHwNCjh8TIIOdfSCgLF ZTdRIO4pgjhgorD484uuIi+sNnEZ5BBPraWsymxZrs8L6lmkOVNfRDmLqTJ3LTFl AhBepJoLR6h7LJnFELDsvRFHYOun70tU3uGHBFczcBY0RKELI3X6czjQ2m16pJCC QggbYG5OE/OQZ+HRyCp897fHSAj2XkvUcVnDyQpn6p3gtufF98QDUoUhWlrwV2Wp A3W6mRZBoJ6L4hBf//Xh9Hlwl7G2qsQgXJjOHv0mNW1c0KZZBXCdWc233h3elmg= =j4RQ -----END PGP SIGNATURE----- From bburke at redhat.com Sat Oct 11 08:53:25 2014 From: bburke at redhat.com (Bill Burke) Date: Sat, 11 Oct 2014 08:53:25 -0400 Subject: [keycloak-user] SPNEGO with Keycloak In-Reply-To: <77BD4279-02DD-46F5-8365-119376263E5C@yahoo.com> References: <54384B92.1060209@redhat.com> <77BD4279-02DD-46F5-8365-119376263E5C@yahoo.com> Message-ID: <54392845.4020301@redhat.com> Kerberos is on our roadmap as there's some other Red Hat kerberos products we need to integrate wit. I don't understand Kerberos deep enough yet to know exactly what or how we would do it. My current thought that the Keycloak auth server would be a secured Kerberos service and become a bridge between kerberos and SAML or OpenID Connect. On 10/10/2014 5:24 PM, Raghuram wrote: > Can I put in an enhancement request for at least some hooks as I am not sure how a custom federation provider could be written for SPNEGO negotiation. This feature will be useful for all organizations that invested in Kerberos infrastructure. > >> On Oct 10, 2014, at 5:11 PM, Bill Burke wrote: >> >> we don't support kerberos. >> >>> On 10/10/2014 5:06 PM, Raghuram wrote: >>> >>>> Has anyone tried out SPNEGO (Kerberos) authentication with key cloak >>>> 1.0.2? If so, appreciate any input on how it can be achieved? 
>>> >>> Sent from my iPhone >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From prabhalar at yahoo.com Sat Oct 11 09:54:16 2014 From: prabhalar at yahoo.com (prab rrrr) Date: Sat, 11 Oct 2014 06:54:16 -0700 Subject: [keycloak-user] SPNEGO with Keycloak In-Reply-To: <54392845.4020301@redhat.com> References: <54384B92.1060209@redhat.com> <77BD4279-02DD-46F5-8365-119376263E5C@yahoo.com> <54392845.4020301@redhat.com> Message-ID: <1413035656.17607.YahooMailNeo@web121804.mail.ne1.yahoo.com> Wildfly makes a number of login modules available as a part of the Security sub system that include SPNEGO (see the link below). Since Keycloak supports defining new Realms, if you can provide some hooks to map the newly defined Realms to the Security sub system, I think it would address the issue. Picketlink examples shed some light on how it can be done. https://docs.jboss.org/author/display/WFLY8/Security+subsystem+configuration On Saturday, October 11, 2014 8:53 AM, Bill Burke wrote: Kerberos is on our roadmap as there's some other Red Hat kerberos products we need to integrate wit. I don't understand Kerberos deep enough yet to know exactly what or how we would do it. My current thought that the Keycloak auth server would be a secured Kerberos service and become a bridge between kerberos and SAML or OpenID Connect. On 10/10/2014 5:24 PM, Raghuram wrote: > Can I put in an enhancement request for at least some hooks as I am not sure how a custom federation provider could be written for SPNEGO negotiation. 
This feature will be useful for all organizations that invested in Kerberos infrastructure. > >> On Oct 10, 2014, at 5:11 PM, Bill Burke wrote: >> >> we don't support kerberos. >> >>> On 10/10/2014 5:06 PM, Raghuram wrote: >>> >>>> Has anyone tried out SPNEGO (Kerberos) authentication with key cloak >>>> 1.0.2? If so, appreciate any input on how it can be achieved? >>> >>> Sent from my iPhone >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com/ >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com/ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141011/b4136562/attachment.html From bburke at redhat.com Sat Oct 11 10:29:14 2014 From: bburke at redhat.com (Bill Burke) Date: Sat, 11 Oct 2014 10:29:14 -0400 Subject: [keycloak-user] SPNEGO with Keycloak In-Reply-To: <1413035656.17607.YahooMailNeo@web121804.mail.ne1.yahoo.com> References: <54384B92.1060209@redhat.com> <77BD4279-02DD-46F5-8365-119376263E5C@yahoo.com> <54392845.4020301@redhat.com> <1413035656.17607.YahooMailNeo@web121804.mail.ne1.yahoo.com> Message-ID: <54393EBA.8060404@redhat.com> What you describe would work only if you treat Keycloak solely as an identity store and wrote a login module that uses Keycloak admin interface to obtain principal and role mapping information. Then there is the issue of getting the Kerberos server and Keycloak using the same user database. Then for this particular idea, you start to wonder if using Keycloak is any benefit. 
On 10/11/2014 9:54 AM, prab rrrr wrote: > Wildfly makes a number of login modules available as a part of the > Security sub system that include SPNEGO (see the link below). Since > Keycloak supports defining new Realms, if you can provide some hooks to > map the newly defined Realms to the Security sub system, I think it > would address the issue. Picketlink examples shed some light on how it > can be done. > > https://docs.jboss.org/author/display/WFLY8/Security+subsystem+configuration > > > On Saturday, October 11, 2014 8:53 AM, Bill Burke wrote: > > > Kerberos is on our roadmap as there's some other Red Hat kerberos > products we need to integrate wit. I don't understand Kerberos deep > enough yet to know exactly what or how we would do it. My current > thought that the Keycloak auth server would be a secured Kerberos > service and become a bridge between kerberos and SAML or OpenID Connect. > > On 10/10/2014 5:24 PM, Raghuram wrote: > > Can I put in an enhancement request for at least some hooks as I am > not sure how a custom federation provider could be written for SPNEGO > negotiation. This feature will be useful for all organizations that > invested in Kerberos infrastructure. > > > >> On Oct 10, 2014, at 5:11 PM, Bill Burke > wrote: > >> > >> we don't support kerberos. > >> > >>> On 10/10/2014 5:06 PM, Raghuram wrote: > >>> > >>>> Has anyone tried out SPNEGO (Kerberos) authentication with key cloak > >>>> 1.0.2? If so, appreciate any input on how it can be achieved? 
> >>> > >>> Sent from my iPhone > >>> > >>> > >>> _______________________________________________ > >>> keycloak-user mailing list > >>> keycloak-user at lists.jboss.org > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > >> -- > >> Bill Burke > >> JBoss, a division of Red Hat > >> http://bill.burkecentral.com/ > > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com/ > > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From prabhalar at yahoo.com Sat Oct 11 11:10:06 2014 From: prabhalar at yahoo.com (prab rrrr) Date: Sat, 11 Oct 2014 08:10:06 -0700 Subject: [keycloak-user] SPNEGO with Keycloak In-Reply-To: <54393EBA.8060404@redhat.com> References: <54384B92.1060209@redhat.com> <77BD4279-02DD-46F5-8365-119376263E5C@yahoo.com> <54392845.4020301@redhat.com> <1413035656.17607.YahooMailNeo@web121804.mail.ne1.yahoo.com> <54393EBA.8060404@redhat.com> Message-ID: <1413040206.16501.YahooMailNeo@web121802.mail.ne1.yahoo.com> Well, without support for external authentication, I am wondering how big organizations that have already invested in Kerberos/SecurID etc, would use this product? Typically, the Federation products like Ping,OpenAM etc provide hooks for multiple stores to: 1) Support Kerberos or SecureID or other authentication and retrieve the user principal 2) Retrieve user meta data from LDAP using that principal and 3) Use the user meta data to customize the claims or userinfo. I was hoping to see the above features in this product, given that Keycloak already supports OpenID Connect (along with support for CORS, javascript and future support for mobile devices) and it can act as an Identity provider (OP). 
Perhaps Keycloak can synchronize all the user information from stores like LDAP but it would still need a hook to plug in external authentication BTW I suggested realm to authetication mapping because different applications in an organization have different authentication requirements (some apps require SecuriID,some Kerberos etc) and those applications can be mapped to the realm that uses an authentication mechanism that they require. On Saturday, October 11, 2014 10:29 AM, Bill Burke wrote: What you describe would work only if you treat Keycloak solely as an identity store and wrote a login module that uses Keycloak admin interface to obtain principal and role mapping information. Then there is the issue of getting the Kerberos server and Keycloak using the same user database. Then for this particular idea, you start to wonder if using Keycloak is any benefit. On 10/11/2014 9:54 AM, prab rrrr wrote: > Wildfly makes a number of login modules available as a part of the > Security sub system that include SPNEGO (see the link below). Since > Keycloak supports defining new Realms, if you can provide some hooks to > map the newly defined Realms to the Security sub system, I think it > would address the issue. Picketlink examples shed some light on how it > can be done. > > https://docs.jboss.org/author/display/WFLY8/Security+subsystem+configuration > > > On Saturday, October 11, 2014 8:53 AM, Bill Burke wrote: > > > Kerberos is on our roadmap as there's some other Red Hat kerberos > products we need to integrate wit. I don't understand Kerberos deep > enough yet to know exactly what or how we would do it. My current > thought that the Keycloak auth server would be a secured Kerberos > service and become a bridge between kerberos and SAML or OpenID Connect. > > On 10/10/2014 5:24 PM, Raghuram wrote: > > Can I put in an enhancement request for at least some hooks as I am > not sure how a custom federation provider could be written for SPNEGO > negotiation. 
This feature will be useful for all organizations that > invested in Kerberos infrastructure. > > > >> On Oct 10, 2014, at 5:11 PM, Bill Burke > wrote: > >> > >> we don't support kerberos. > >> > >>> On 10/10/2014 5:06 PM, Raghuram wrote: > >>> > >>>> Has anyone tried out SPNEGO (Kerberos) authentication with key cloak > >>>> 1.0.2? If so, appreciate any input on how it can be achieved? > >>> > >>> Sent from my iPhone > >>> > >>> > >>> _______________________________________________ > >>> keycloak-user mailing list > >>> keycloak-user at lists.jboss.org > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > >> -- > >> Bill Burke > >> JBoss, a division of Red Hat > >> http://bill.burkecentral.com/ > > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com/ > > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141011/928ad0e6/attachment.html From bburke at redhat.com Sat Oct 11 11:29:52 2014 From: bburke at redhat.com (Bill Burke) Date: Sat, 11 Oct 2014 11:29:52 -0400 Subject: [keycloak-user] SPNEGO with Keycloak In-Reply-To: <1413040206.16501.YahooMailNeo@web121802.mail.ne1.yahoo.com> References: <54384B92.1060209@redhat.com> <77BD4279-02DD-46F5-8365-119376263E5C@yahoo.com> <54392845.4020301@redhat.com> <1413035656.17607.YahooMailNeo@web121804.mail.ne1.yahoo.com> <54393EBA.8060404@redhat.com> <1413040206.16501.YahooMailNeo@web121802.mail.ne1.yahoo.com> Message-ID: <54394CF0.40403@redhat.com> Keycloak is an IDP server. It is not an adapter project for JBoss/Wildfly distributions. There's already a lot of great adapters to integrate your JBoss/Wildfly distributions to use SPNEGO and SAML. 
We already support federation with LDAP/AD for storage and authentication, OpenIDConnect and SAML as our auth protocols. The only thing on the roadmap for Kerberos is to make Keycloak to be a Kerberos to SAML/OpenID Connect bridge. It could be possible to poach or merge with Apache DS so that Keycloak could become a full Kerberos server too, but there are additional non-technical obstacles from us putting this option in our roadmap that I'd rather not discuss. But anyways, Keycloak doesn't use JAAS login modules on the IDP server side. On the client side doesn't make sense either as Keycloak only talks OpenIDConnect and SAML (in master). On 10/11/2014 11:10 AM, prab rrrr wrote: > Well, without support for external authentication, I am wondering how > big organizations that have already invested in Kerberos/SecurID etc, > would use this product? Typically, the Federation products like > Ping,OpenAM etc provide hooks for multiple stores to: > 1) Support Kerberos or SecureID or other authentication and retrieve the > user principal > 2) Retrieve user meta data from LDAP using that principal and > 3) Use the user meta data to customize the claims or userinfo. > > I was hoping to see the above features in this product, given that > Keycloak already supports OpenID Connect (along with support for CORS, > javascript and future support for mobile devices) and it can act as an > Identity provider (OP). Perhaps Keycloak can synchronize all the user > information from stores like LDAP but it would still need a hook to plug > in external authentication > > BTW I suggested realm to authetication mapping because different > applications in an organization have different authentication > requirements (some apps require SecuriID,some Kerberos etc) and those > applications can be mapped to the realm that uses an authentication > mechanism that they require. 
> > > > On Saturday, October 11, 2014 10:29 AM, Bill Burke > wrote: > > > What you describe would work only if you treat Keycloak solely as an > identity store and wrote a login module that uses Keycloak admin > interface to obtain principal and role mapping information. Then there > is the issue of getting the Kerberos server and Keycloak using the same > user database. Then for this particular idea, you start to wonder if > using Keycloak is any benefit. > > On 10/11/2014 9:54 AM, prab rrrr wrote: > > Wildfly makes a number of login modules available as a part of the > > Security sub system that include SPNEGO (see the link below). Since > > Keycloak supports defining new Realms, if you can provide some hooks to > > map the newly defined Realms to the Security sub system, I think it > > would address the issue. Picketlink examples shed some light on how it > > can be done. > > > > > https://docs.jboss.org/author/display/WFLY8/Security+subsystem+configuration > > > > > > On Saturday, October 11, 2014 8:53 AM, Bill Burke > wrote: > > > > > > Kerberos is on our roadmap as there's some other Red Hat kerberos > > products we need to integrate wit. I don't understand Kerberos deep > > enough yet to know exactly what or how we would do it. My current > > thought that the Keycloak auth server would be a secured Kerberos > > service and become a bridge between kerberos and SAML or OpenID Connect. > > > > On 10/10/2014 5:24 PM, Raghuram wrote: > > > Can I put in an enhancement request for at least some hooks as I am > > not sure how a custom federation provider could be written for SPNEGO > > negotiation. This feature will be useful for all organizations that > > invested in Kerberos infrastructure. > > > > > >> On Oct 10, 2014, at 5:11 PM, Bill Burke > > >> wrote: > > >> > > >> we don't support kerberos. > > >> > > >>> On 10/10/2014 5:06 PM, Raghuram wrote: > > >>> > > >>>> Has anyone tried out SPNEGO (Kerberos) authentication with key > cloak > > >>>> 1.0.2? 
If so, appreciate any input on how it can be achieved? > > >>> > > >>> Sent from my iPhone > > >>> > > >>> > > >>> _______________________________________________ > > >>> keycloak-user mailing list > > >>> keycloak-user at lists.jboss.org > > > > > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > > >> > > >> -- > > >> Bill Burke > > >> JBoss, a division of Red Hat > > >> http://bill.burkecentral.com/ > > > > >> _______________________________________________ > > >> keycloak-user mailing list > > >> keycloak-user at lists.jboss.org > > > > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > > Bill Burke > > JBoss, a division of Red Hat > > http://bill.burkecentral.com/ > > > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From robin1233 at gmail.com Sat Oct 11 11:47:53 2014 From: robin1233 at gmail.com (robinfernandes .) Date: Sat, 11 Oct 2014 11:47:53 -0400 Subject: [keycloak-user] Keycloak-tomcat adapter Message-ID: Hi, I know there is a keycloak-tomcat adapter that is present but has anyone tried to install that adapter? I want to secure some WAR files deployed on TOMCAT 6.0 Is there a guide on how to install and configure the adapter on TOMCAT? Any help is appreciated. Thanks, Robin -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141011/639bb4c0/attachment.html From traviskds at gmail.com Sat Oct 11 17:43:07 2014 From: traviskds at gmail.com (Travis De Silva) Date: Sun, 12 Oct 2014 08:43:07 +1100 Subject: [keycloak-user] SPNEGO with Keycloak In-Reply-To: <54394CF0.40403@redhat.com> References: <54384B92.1060209@redhat.com> <77BD4279-02DD-46F5-8365-119376263E5C@yahoo.com> <54392845.4020301@redhat.com> <1413035656.17607.YahooMailNeo@web121804.mail.ne1.yahoo.com> <54393EBA.8060404@redhat.com> <1413040206.16501.YahooMailNeo@web121802.mail.ne1.yahoo.com> <54394CF0.40403@redhat.com> Message-ID: I thought with SPNEGO/Kerberos we can achieve true SSO. Most large organisations are on a Windows environment and what these organisations want is once you authenticate to the corporate desktop, you should be able to then also access other applications without having to go through the login process. wonder how we can achieve this with KeyCloak? On Sun, Oct 12, 2014 at 2:29 AM, Bill Burke wrote: > Keycloak is an IDP server. It is not an adapter project for > JBoss/Wildfly distributions. There's already a lot of great adapters to > integrate your JBoss/Wildfly distributions to use SPNEGO and SAML. We > already support federation with LDAP/AD for storage and authentication, > OpenIDConnect and SAML as our auth protocols. The only thing on the > roadmap for Kerberos is to make Keycloak to be a Kerberos to SAML/OpenID > Connect bridge. It could be possible to poach or merge with Apache DS > so that Keycloak could become a full Kerberos server too, but there are > additional non-technical obstacles from us putting this option in our > roadmap that I'd rather not discuss. > > But anyways, Keycloak doesn't use JAAS login modules on the IDP server > side. On the client side doesn't make sense either as Keycloak only > talks OpenIDConnect and SAML (in master). 
> > On 10/11/2014 11:10 AM, prab rrrr wrote: > > Well, without support for external authentication, I am wondering how > > big organizations that have already invested in Kerberos/SecurID etc, > > would use this product? Typically, the Federation products like > > Ping,OpenAM etc provide hooks for multiple stores to: > > 1) Support Kerberos or SecureID or other authentication and retrieve the > > user principal > > 2) Retrieve user meta data from LDAP using that principal and > > 3) Use the user meta data to customize the claims or userinfo. > > > > I was hoping to see the above features in this product, given that > > Keycloak already supports OpenID Connect (along with support for CORS, > > javascript and future support for mobile devices) and it can act as an > > Identity provider (OP). Perhaps Keycloak can synchronize all the user > > information from stores like LDAP but it would still need a hook to plug > > in external authentication > > > > BTW I suggested realm to authetication mapping because different > > applications in an organization have different authentication > > requirements (some apps require SecuriID,some Kerberos etc) and those > > applications can be mapped to the realm that uses an authentication > > mechanism that they require. > > > > > > > > On Saturday, October 11, 2014 10:29 AM, Bill Burke > > wrote: > > > > > > What you describe would work only if you treat Keycloak solely as an > > identity store and wrote a login module that uses Keycloak admin > > interface to obtain principal and role mapping information. Then there > > is the issue of getting the Kerberos server and Keycloak using the same > > user database. Then for this particular idea, you start to wonder if > > using Keycloak is any benefit. > > > > On 10/11/2014 9:54 AM, prab rrrr wrote: > > > Wildfly makes a number of login modules available as a part of the > > > Security sub system that include SPNEGO (see the link below). 
Since > > > Keycloak supports defining new Realms, if you can provide some hooks > to > > > map the newly defined Realms to the Security sub system, I think it > > > would address the issue. Picketlink examples shed some light on how > it > > > can be done. > > > > > > > > > https://docs.jboss.org/author/display/WFLY8/Security+subsystem+configuration > > > > > > > > > On Saturday, October 11, 2014 8:53 AM, Bill Burke > > wrote: > > > > > > > > > Kerberos is on our roadmap as there's some other Red Hat kerberos > > > products we need to integrate wit. I don't understand Kerberos deep > > > enough yet to know exactly what or how we would do it. My current > > > thought that the Keycloak auth server would be a secured Kerberos > > > service and become a bridge between kerberos and SAML or OpenID > Connect. > > > > > > On 10/10/2014 5:24 PM, Raghuram wrote: > > > > Can I put in an enhancement request for at least some hooks as I am > > > not sure how a custom federation provider could be written for SPNEGO > > > negotiation. This feature will be useful for all organizations that > > > invested in Kerberos infrastructure. > > > > > > > >> On Oct 10, 2014, at 5:11 PM, Bill Burke > > > > >> wrote: > > > >> > > > >> we don't support kerberos. > > > >> > > > >>> On 10/10/2014 5:06 PM, Raghuram wrote: > > > >>> > > > >>>> Has anyone tried out SPNEGO (Kerberos) authentication with key > > cloak > > > >>>> 1.0.2? If so, appreciate any input on how it can be achieved? 
> > > >>> > > > >>> Sent from my iPhone > > > >>> > > > >>> > > > >>> _______________________________________________ > > > >>> keycloak-user mailing list > > > >>> keycloak-user at lists.jboss.org > > > > > > > > > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > >> > > > >> -- > > > >> Bill Burke > > > >> JBoss, a division of Red Hat > > > >> http://bill.burkecentral.com/ > > > > > > >> _______________________________________________ > > > >> keycloak-user mailing list > > > >> keycloak-user at lists.jboss.org > > > > > > > > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > -- > > > Bill Burke > > > JBoss, a division of Red Hat > > > http://bill.burkecentral.com/ > > > > > > > > > > -- > > Bill Burke > > JBoss, a division of Red Hat > > http://bill.burkecentral.com > > > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141012/dcba1ce6/attachment-0001.html From bburke at redhat.com Sun Oct 12 08:36:58 2014 From: bburke at redhat.com (Bill Burke) Date: Sun, 12 Oct 2014 08:36:58 -0400 Subject: [keycloak-user] SPNEGO with Keycloak In-Reply-To: References: <54384B92.1060209@redhat.com> <77BD4279-02DD-46F5-8365-119376263E5C@yahoo.com> <54392845.4020301@redhat.com> <1413035656.17607.YahooMailNeo@web121804.mail.ne1.yahoo.com> <54393EBA.8060404@redhat.com> <1413040206.16501.YahooMailNeo@web121802.mail.ne1.yahoo.com> <54394CF0.40403@redhat.com> Message-ID: <543A75EA.7090801@redhat.com> JBoss/Wildfly has had SPNEGO/Kerberos support for I think like 8-9 years? 
This is the original project:

https://developer.jboss.org/wiki/JBossNegotiation

I don't know enough about it or Kerberos to know if it has single log out too. As for Keycloak's relationship to Kerberos, I see 4 things happening:

1) You don't use Keycloak as you already have SSO with an existing Kerberos deployment
2) Your application servers talk SAML or OpenID Connect and Keycloak becomes a bridge between the Kerberos server and your applications
3) You authenticate using your existing Kerberos architecture and Keycloak becomes a back end identity store.
4) Keycloak becomes a Kerberos Server.

Due to non-technical reasons, #4 is the least likely to happen. If you have any other ideas on integration points let me know.

On 10/11/2014 5:43 PM, Travis De Silva wrote:
> I thought with SPNEGO/Kerberos we can achieve true SSO. Most large
> organisations are on a Windows environment and what these organisations
> want is once you authenticate to the corporate desktop, you should be
> able to then also access other applications without having to go through
> the login process. Wonder how we can achieve this with KeyCloak?
>
> On Sun, Oct 12, 2014 at 2:29 AM, Bill Burke wrote:
>
> Keycloak is an IDP server. It is not an adapter project for
> JBoss/Wildfly distributions. There's already a lot of great adapters to
> integrate your JBoss/Wildfly distributions to use SPNEGO and SAML. We
> already support federation with LDAP/AD for storage and authentication,
> OpenIDConnect and SAML as our auth protocols. The only thing on the
> roadmap for Kerberos is to make Keycloak to be a Kerberos to SAML/OpenID
> Connect bridge. It could be possible to poach or merge with Apache DS
> so that Keycloak could become a full Kerberos server too, but there are
> additional non-technical obstacles from us putting this option in our
> roadmap that I'd rather not discuss.
>
> But anyways, Keycloak doesn't use JAAS login modules on the IDP server
> side.
> On the client side it doesn't make sense either as Keycloak only
> talks OpenIDConnect and SAML (in master).
>
> On 10/11/2014 11:10 AM, prab rrrr wrote:
> > Well, without support for external authentication, I am wondering how
> > big organizations that have already invested in Kerberos/SecurID etc,
> > would use this product? Typically, the Federation products like
> > Ping, OpenAM etc provide hooks for multiple stores to:
> > 1) Support Kerberos or SecurID or other authentication and retrieve the
> > user principal
> > 2) Retrieve user meta data from LDAP using that principal and
> > 3) Use the user meta data to customize the claims or userinfo.
> >
> > I was hoping to see the above features in this product, given that
> > Keycloak already supports OpenID Connect (along with support for CORS,
> > javascript and future support for mobile devices) and it can act as an
> > Identity provider (OP). Perhaps Keycloak can synchronize all the user
> > information from stores like LDAP but it would still need a hook to plug
> > in external authentication
> >
> > BTW I suggested realm to authentication mapping because different
> > applications in an organization have different authentication
> > requirements (some apps require SecurID, some Kerberos etc) and those
> > applications can be mapped to the realm that uses an authentication
> > mechanism that they require.
> >
> > On Saturday, October 11, 2014 10:29 AM, Bill Burke wrote:
> >
> > What you describe would work only if you treat Keycloak solely as an
> > identity store and wrote a login module that uses Keycloak admin
> > interface to obtain principal and role mapping information. Then there
> > is the issue of getting the Kerberos server and Keycloak using the same
> > user database. Then for this particular idea, you start to wonder if
> > using Keycloak is any benefit.
> > On 10/11/2014 9:54 AM, prab rrrr wrote:
> > > Wildfly makes a number of login modules available as a part of the
> > > Security sub system that include SPNEGO (see the link below). Since
> > > Keycloak supports defining new Realms, if you can provide some hooks to
> > > map the newly defined Realms to the Security sub system, I think it
> > > would address the issue. Picketlink examples shed some light on how it
> > > can be done.
> > >
> > > https://docs.jboss.org/author/display/WFLY8/Security+subsystem+configuration
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Sun Oct 12 08:50:37 2014
From: bburke at redhat.com (Bill Burke)
Date: Sun, 12 Oct 2014 08:50:37 -0400
Subject: [keycloak-user] Keycloak-tomcat adapter
Message-ID: <543A791D.7010708@redhat.com>

We don't support it yet. It's on the roadmap. Would probably only take a few days to get it rolling as the code is almost exactly the same as our JBoss adapter, but there's higher priorities at the moment like SAML and clustering.

On 10/11/2014 11:47 AM, robinfernandes . wrote:
> Hi,
>
> I know there is a keycloak-tomcat adapter that is present but has anyone
> tried to install that adapter?
> I want to secure some WAR files deployed on TOMCAT 6.0
> Is there a guide on how to install and configure the adapter on TOMCAT?
> Any help is appreciated.
>
> Thanks,
> Robin

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From prabhalar at yahoo.com Sun Oct 12 10:15:31 2014
From: prabhalar at yahoo.com (prab rrrr)
Date: Sun, 12 Oct 2014 07:15:31 -0700
Subject: [keycloak-user] SPNEGO with Keycloak
In-Reply-To: <543A75EA.7090801@redhat.com>
References: <54384B92.1060209@redhat.com> <77BD4279-02DD-46F5-8365-119376263E5C@yahoo.com> <54392845.4020301@redhat.com> <1413035656.17607.YahooMailNeo@web121804.mail.ne1.yahoo.com> <54393EBA.8060404@redhat.com> <1413040206.16501.YahooMailNeo@web121802.mail.ne1.yahoo.com> <54394CF0.40403@redhat.com> <543A75EA.7090801@redhat.com>
Message-ID: <1413123331.74097.YahooMailNeo@web121805.mail.ne1.yahoo.com>

Bill - To your Point No 2) - Why limit Keycloak to be a bridge to just a Kerberos Server? Extending it to other mechanisms like Radius/SecurID and providing support for Multi factor authentication would make Keycloak a true Federation product.

Travis - As you pointed out, SPNEGO support is a major requirement and even I am not clear how to make it happen. If you have other requirements then perhaps the Federation API in Keycloak can be used to make it a bridge to other authentications like SecurID and MIT Kerberos.
From traviskds at gmail.com Sun Oct 12 20:53:24 2014
From: traviskds at gmail.com (Travis De Silva)
Date: Mon, 13 Oct 2014 11:53:24 +1100
Subject: [keycloak-user] SPNEGO with Keycloak
In-Reply-To: <1413123331.74097.YahooMailNeo@web121805.mail.ne1.yahoo.com>
References: <54384B92.1060209@redhat.com> <77BD4279-02DD-46F5-8365-119376263E5C@yahoo.com> <54392845.4020301@redhat.com> <1413035656.17607.YahooMailNeo@web121804.mail.ne1.yahoo.com> <54393EBA.8060404@redhat.com> <1413040206.16501.YahooMailNeo@web121802.mail.ne1.yahoo.com> <54394CF0.40403@redhat.com> <543A75EA.7090801@redhat.com> <1413123331.74097.YahooMailNeo@web121805.mail.ne1.yahoo.com>

Bill - How about combining options 2 and 3. We use Keycloak as a bridge between our application and Kerberos and then we also use Keycloak as a backend identity store. The use case that I am thinking is that we use the bridge only for SSO authentication and for authorization we can assign users to roles in Keycloak and get all the other goodness of Keycloak.

Also not sure why our application servers need to talk SAML or OpenID Connect if JBoss/Wildfly has support for SPNEGO. I am thinking of something like: if we configure our application in Keycloak as requiring SPNEGO, then when a request is made to our application, Keycloak will intercept it and respond with a 401 Access Denied, WWW-Authenticate: Negotiate response. This in turn will trigger the browser to re-send the HTTP GET request + the Negotiate SPNEGO Token in an Authorization: Negotiate token header and Keycloak uses it to pass it via the JBoss/Wildfly security domain. As you can see, you don't really need to integrate all the way back to a Kerberos server but only to JBoss/Wildfly. Yes this does not cover all scenarios and is dependent on JBoss/Wildfly but at least this would be a start for people who use the entire JBoss/Wildfly stack.
BTW, there also seems to be a Jira ticket pending for SPNEGO support in WildFly:

https://issues.jboss.org/browse/WFLY-2553

So not sure if Wildfly still has SPNEGO support. Not sure if what I am saying makes sense as I am also not an expert in SPNEGO but just thought of throwing this idea out there.

Prab - Thanks for pointing out the Federation API. Will have a look to see if this can do what I indicated above.
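The 401 / WWW-Authenticate: Negotiate / Authorization: Negotiate round trip Travis outlines above, written out as an added Python example that is not part of this thread, of Keycloak, or of JBoss/Wildfly: fake_security_domain stands in for the security domain that would validate the ticket, and GOOD_TOKEN is a constructed byte string, not a real SPNEGO token.

```python
import base64
import binascii

# Constructed stand-in for the SPNEGO token a browser would obtain from the
# Kerberos KDC; a real token is a DER-encoded GSS-API/SPNEGO structure.
GOOD_TOKEN = b"constructed-spnego-token-for-alice"
CHALLENGE_HEADERS = {"WWW-Authenticate": "Negotiate"}


def parse_negotiate(authorization):
    """Return the decoded token from an 'Authorization: Negotiate <b64>' value,
    or None if the scheme is not Negotiate or the payload is not valid base64."""
    parts = authorization.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "negotiate":
        return None
    try:
        return base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return None


def fake_security_domain(token):
    """Constructed stand-in for handing the token to the JBoss/Wildfly security
    domain. Returns (principal, response_token) on success, None on failure."""
    if token == GOOD_TOKEN:
        # Mutual authentication: the server returns a final token to the client.
        return "alice@EXAMPLE.COM", b"constructed-server-response-token"
    return None


def handle_request(headers, validate=fake_security_domain):
    """One server-side round of the exchange: challenge with 401 + Negotiate
    when no usable token is presented, otherwise validate it and answer 200."""
    authorization = headers.get("Authorization")
    if authorization is None:
        return 401, dict(CHALLENGE_HEADERS), None
    token = parse_negotiate(authorization)
    if token is None:
        # Wrong scheme (e.g. Basic) or undecodable payload: re-issue the same
        # challenge rather than explaining why the credentials were rejected.
        return 401, dict(CHALLENGE_HEADERS), None
    result = validate(token)
    if result is None:
        return 401, dict(CHALLENGE_HEADERS), None
    principal, response_token = result
    response_headers = {}
    if response_token:
        encoded = base64.b64encode(response_token).decode("ascii")
        response_headers["WWW-Authenticate"] = "Negotiate " + encoded
    return 200, response_headers, principal


def browser_round_trip(token, validate=fake_security_domain):
    """Client side: the first GET carries no credentials; on a 401 with
    'WWW-Authenticate: Negotiate' the browser repeats the GET with
    'Authorization: Negotiate <base64 token>'."""
    status, headers, principal = handle_request({}, validate)
    if status != 401 or headers.get("WWW-Authenticate") != "Negotiate":
        return status, headers, principal
    retry = {"Authorization": "Negotiate " + base64.b64encode(token).decode("ascii")}
    return handle_request(retry, validate)


if __name__ == "__main__":
    print(browser_round_trip(GOOD_TOKEN))
    print(browser_round_trip(b"forged-token"))
```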
From traviskds at gmail.com Sun Oct 12 21:02:13 2014
From: traviskds at gmail.com (Travis De Silva)
Date: Mon, 13 Oct 2014 12:02:13 +1100
Subject: [keycloak-user] Key Value Pair List Attributes for Realms

Hi,

Currently on a Keycloak realm level, we have only the realm name and if it's enabled or not as attributes.
I am throwing out the idea if it's possible to add additional key/value pair attribute lists.

My use case is that currently, the realm name is used in the login form and also is part of the uri. I prefer the URI to be a short name without any spaces but when I display the name in the login form or anywhere else, I would like it to be a user friendly long name. E.g. realm name for url could be "accounts" and the name that comes up in the login page to be "Accounting System". I know I can customize the login page with my own theme but if I can pull that info directly from the realm would be great as opposed to keeping the info somewhere else.

The reason for a key/value attribute list is so that if there are other requirements like the above, we can use it without having to add realm level fields again.

Any thoughts?

From stian at redhat.com Mon Oct 13 02:49:26 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 13 Oct 2014 02:49:26 -0400 (EDT)
Subject: [keycloak-user] Is there a secret maximum SSO Idle Timeout
Message-ID: <136783858.66581175.1413182966235.JavaMail.zimbra@redhat.com>

Not quite sure what you mean about secret timeouts. It's configurable in the admin console and the way it's supposed to work is:

* Idle timeout - requires a token refresh within the specified interval otherwise the session will expire
* Max timeout - the session will expire after this amount of time no matter what

On top of that for the session to survive a browser restart the user has to check the remember-me option. If the behaviour you observe differs from this it's a bug. What version are you using? There were some related fixes in 1.0.1.Final (KEYCLOAK-689).
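How the two timeouts Stian describes interact over a sequence of token refreshes, as an added Python example that is not Keycloak's code and not from this thread: SsoSession and replay are constructed models, and the 10 hour max lifespan and the refresh gaps in the demo are assumed values chosen to show a 30 day idle timeout being cut short by the max lifespan.

```python
from dataclasses import dataclass

HOUR = 3600
DAY = 24 * HOUR


@dataclass
class SsoSession:
    """Constructed model of one SSO session under the two-clock rule."""
    started: int            # epoch seconds when the user logged in
    last_refresh: int       # epoch seconds of the last accepted token refresh
    idle_timeout: int       # SSO Session Idle: longest allowed gap between refreshes
    max_lifespan: int       # SSO Session Max: absolute lifetime since login
    remember_me: bool = False


def expiry_reason(session, now):
    """Return None while the session is alive, otherwise 'max' or 'idle'.
    The max clock is checked first because no refresh can ever extend it."""
    if now - session.started > session.max_lifespan:
        return "max"
    if now - session.last_refresh > session.idle_timeout:
        return "idle"
    return None


def refresh_token(session, now):
    """A refresh is accepted only while the session is alive; it resets the
    idle clock but leaves the max-lifespan clock untouched."""
    if expiry_reason(session, now) is not None:
        return False
    session.last_refresh = now
    return True


def browser_restart(session):
    """Without remember-me the session cookie does not survive a restart."""
    return session if session.remember_me else None


def replay(idle_timeout, max_lifespan, gaps):
    """Apply refreshes separated by the given gaps (seconds) to a fresh session.
    Returns (number of accepted refreshes, reason the first one was refused)."""
    session = SsoSession(started=0, last_refresh=0,
                         idle_timeout=idle_timeout, max_lifespan=max_lifespan)
    now = 0
    for accepted, gap in enumerate(gaps):
        now += gap
        if not refresh_token(session, now):
            return accepted, expiry_reason(session, now)
    return len(gaps), None


if __name__ == "__main__":
    # Assumed scenario: idle timeout 30 days, max lifespan 10 hours, three hourly
    # refreshes and then an overnight 12 hour gap. The session dies on the max
    # clock even though the idle clock still has weeks to run.
    print(replay(30 * DAY, 10 * HOUR, [HOUR, HOUR, HOUR, 12 * HOUR]))
```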
----- Original Message -----
> From: "Alarik Myrin"
> To: keycloak-user at lists.jboss.org
> Sent: Friday, 10 October, 2014 5:47:54 PM
> Subject: [keycloak-user] Is there a secret maximum SSO Idle Timeout
>
> A while ago I raised KEYCLOAK-686 about the fact that there is a secret
> maximum SSO Session Max Lifespan that is not evident or validated by the
> admin web application.
>
> I think the same thing is probably true of SSO Idle Timeout. If I set this to
> something like 30 days, and I leave something idle overnight, I hit the SSO
> Idle Timeout anyway. I'm not sure what the real maximum is for SSO Idle
> Timeout, but it seems like it is maybe measured in hours.
>
> Alarik

From stian at redhat.com Mon Oct 13 02:55:39 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 13 Oct 2014 02:55:39 -0400 (EDT)
Subject: [keycloak-user] Authenticating non-interactive users
In-Reply-To: <5438DE91.60309@kroehling.de>
References: <54380330.3030609@kroehling.de> <54381774.6050207@redhat.com> <5438DE91.60309@kroehling.de>
Message-ID: <320813717.66586762.1413183339254.JavaMail.zimbra@redhat.com>

In the future we'll add better support for non-human users, by adding better authentication mechanisms such as JWT and Cert. Quite likely we'll also add a separate account type (a non-human wants permitted IP addresses, not a first name). However, for now you're limited to creating a standard user account for this purpose. I recommend you create a separate account with a random longish password that can be shared between the nodes. I certainly wouldn't use the admin account.
----- Original Message -----
> From: "Juraci Paixão Kröhling"
> To: keycloak-user at lists.jboss.org
> Sent: Saturday, 11 October, 2014 9:38:57 AM
> Subject: Re: [keycloak-user] Authenticating non-interactive users
>
> On 10/10/2014 07:29 PM, Bill Burke wrote:
> > We have a Direct grant REST API to obtain access/refresh token.
> > You have to enable it in the admin console. Docs here:
>
> That would require to store the admin's plain text password somewhere
> (or create an user for each node), right? If so, that's a no-go :-)
>
> -- Juca.

From stian at redhat.com Mon Oct 13 03:08:37 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 13 Oct 2014 03:08:37 -0400 (EDT)
Subject: [keycloak-user] Key Value Pair List Attributes for Realms
Message-ID: <1204261767.66594834.1413184117189.JavaMail.zimbra@redhat.com>

With regards to a human friendly name for realms and applications that's something we should do, and it shouldn't require "custom" attributes/themes. Adding custom attributes to a realm could be useful for custom code (including themes) so that sounds like a good idea. By the way you could easily achieve what you want already by adding your own base theme and creating a theme per-realm that extends this.
----- Original Message -----
> From: "Travis De Silva"
> To: keycloak-user at lists.jboss.org
> Sent: Monday, 13 October, 2014 3:02:13 AM
> Subject: [keycloak-user] Key Value Pair List Attributes for Realms
>
> Hi,
>
> Currently on a Keycloak realm level, we have only the realm name and if it's enabled or not as attributes.
>
> I am throwing out the idea if it's possible to add additional key/value pair attribute lists.
>
> My use case is that currently, the realm name is used in the login form and also is part of the uri. I prefer the URI to be a short name without any spaces but when I display the name in the login form or anywhere else, I would like it to be a user friendly long name. E.g. realm name for url could be "accounts" and the name that comes up in the login page to be "Accounting System". I know I can customize the login page with my own theme but if I can pull that info directly from the realm it would be great as opposed to keeping the info somewhere else.
>
> The reason for a key/value attribute list is so that if there are other requirements like the above, we can use it without having to add realm level fields again.
>
> Any thoughts?

From jasrodis at gmail.com Mon Oct 13 07:44:48 2014
From: jasrodis at gmail.com (Jason Rodis)
Date: Mon, 13 Oct 2014 14:44:48 +0300
Subject: [keycloak-user] Session destruction listener
Message-ID: <012D2F4D-0588-4E1C-9846-9D811519C887@gmail.com>

Good morning,

I am trying to set up an application that uses:

1. Spring 3.2.x

I used to have spring security for the authentication of the users, and I could have a logout listener, triggering the SessionDestroyedEvent like this (whenever a session was destroyed):

    import java.util.List;

    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.ApplicationListener;
    import org.springframework.security.core.context.SecurityContext;
    import org.springframework.security.core.session.SessionDestroyedEvent;
    import org.springframework.security.core.session.SessionRegistryImpl;
    import org.springframework.stereotype.Service;

    // AuthenticateUser is the application's own principal class
    @Service
    public class LogoutListener implements ApplicationListener<SessionDestroyedEvent> {

        private static final Logger logger = LoggerFactory.getLogger(LogoutListener.class);

        @Autowired
        private SessionRegistryImpl sessionRegistry;

        @Override
        public void onApplicationEvent(SessionDestroyedEvent event) {
            // One destroyed HTTP session can carry several security contexts
            List<SecurityContext> lstSecurityContext = event.getSecurityContexts();
            AuthenticateUser authenticateUser;
            for (SecurityContext securityContext : lstSecurityContext) {
                authenticateUser = (AuthenticateUser) securityContext.getAuthentication().getPrincipal();
                logger.trace("Current session destroyed from user [{}]", authenticateUser.getEmail());
                // Handle the session destruction event..
            }
        }
    }

Is there any way I could have that functionality with Keycloak?

Thanks in advance,
Jason

From stian at redhat.com Mon Oct 13 07:59:47 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 13 Oct 2014 07:59:47 -0400 (EDT)
Subject: [keycloak-user] Session destruction listener
In-Reply-To: <012D2F4D-0588-4E1C-9846-9D811519C887@gmail.com>
References: <012D2F4D-0588-4E1C-9846-9D811519C887@gmail.com>
Message-ID: <1555600229.66844786.1413201587929.JavaMail.zimbra@redhat.com>

Hi,

We don't have a Spring adapter yet. If we did it would destroy the session on logout, which would fire the SessionDestroyedEvent.

----- Original Message -----
> From: "Jason Rodis"
> To: keycloak-user at lists.jboss.org
> Sent: Monday, 13 October, 2014 1:44:48 PM
> Subject: [keycloak-user] Session destruction listener
>
> Good morning,
>
> I am trying to set up an application that uses:
>
> 1. Spring 3.2.x
>
> I used to have spring security for the authentication of the users, and I could have a logout listener, triggering the SessionDestroyedEvent like this (whenever a session was destroyed):
>
>     @Service
>     public class LogoutListener implements ApplicationListener<SessionDestroyedEvent> {
>         @Autowired
>         private SessionRegistryImpl sessionRegistry;
>
>         @Override
>         public void onApplicationEvent(SessionDestroyedEvent event) {
>             List<SecurityContext> lstSecurityContext = event.getSecurityContexts();
>             AuthenticateUser authenticateUser;
>             for (SecurityContext securityContext : lstSecurityContext) {
>                 authenticateUser = (AuthenticateUser) securityContext.getAuthentication().getPrincipal();
>                 logger.trace("Current session destroyed from user [{}]", authenticateUser.getEmail());
>                 //Handle the session destruction event..
>             }
>         }
>     }
>
> Is there any way I could have that functionality with Keycloak?
>
> Thanks in advance,
> Jason

From jasrodis at gmail.com Mon Oct 13 08:02:12 2014
From: jasrodis at gmail.com (Jason Rodis)
Date: Mon, 13 Oct 2014 15:02:12 +0300
Subject: [keycloak-user] Session destruction listener
In-Reply-To: <012D2F4D-0588-4E1C-9846-9D811519C887@gmail.com>
References: <012D2F4D-0588-4E1C-9846-9D811519C887@gmail.com>
Message-ID: <2143149B-F206-4F24-9593-5744530A87A2@gmail.com>

Hi,

Thanks for your quick reply!
Is it something that it's going to be implemented? Is there any alternative with the rest API that you offer?

Thanks again,
Jason

On Oct 13, 2014, at 2:44 PM, Jason Rodis wrote:
> Good morning,
>
> I am trying to set up an application that uses:
>
> 1. Spring 3.2.x
>
> I used to have spring security for the authentication of the users, and I could have a logout listener, triggering the SessionDestroyedEvent like this (whenever a session was destroyed):
>
>     @Service
>     public class LogoutListener implements ApplicationListener<SessionDestroyedEvent> {
>
>         @Autowired
>         private SessionRegistryImpl sessionRegistry;
>
>         @Override
>         public void onApplicationEvent(SessionDestroyedEvent event) {
>             List<SecurityContext> lstSecurityContext = event.getSecurityContexts();
>             AuthenticateUser authenticateUser;
>             for (SecurityContext securityContext : lstSecurityContext) {
>                 authenticateUser = (AuthenticateUser) securityContext.getAuthentication().getPrincipal();
>                 logger.trace("Current session destroyed from user [{}]", authenticateUser.getEmail());
>
>                 //Handle the session destruction event..
>             }
>         }
>     }
>
> Is there any way I could have that functionality with Keycloak?
>
> Thanks in advance,
> Jason

From stian at redhat.com Mon Oct 13 08:10:43 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 13 Oct 2014 08:10:43 -0400 (EDT)
Subject: [keycloak-user] Session destruction listener
In-Reply-To: <2143149B-F206-4F24-9593-5744530A87A2@gmail.com>
References: <012D2F4D-0588-4E1C-9846-9D811519C887@gmail.com> <2143149B-F206-4F24-9593-5744530A87A2@gmail.com>
Message-ID: <2129769929.66850678.1413202243495.JavaMail.zimbra@redhat.com>

Hi,

It's planned, but it's not scheduled. I can't tell you when it'll be available other than it's most likely not going to be for a few months. Unless someone from the community wants to step up and contribute it.

We provide the core OpenID Connect protocol (with SAML coming), so you can integrate with Spring that way. For permissions you also have to decode the token to retrieve permitted roles (this is not covered by the OpenID Connect specification).
----- Original Message -----
> From: "Jason Rodis"
> To: keycloak-user at lists.jboss.org
> Sent: Monday, 13 October, 2014 2:02:12 PM
> Subject: Re: [keycloak-user] Session destruction listener
>
> Hi,
>
> Thanks for your quick reply!
> Is it something that it's going to be implemented? Is there any alternative with the rest API that you offer?
>
> Thanks again,
> Jason
>
> On Oct 13, 2014, at 2:44 PM, Jason Rodis < jasrodis at gmail.com > wrote:
>
> Good morning,
>
> I am trying to set up an application that uses:
>
> 1. Spring 3.2.x
>
> I used to have spring security for the authentication of the users, and I could have a logout listener, triggering the SessionDestroyedEvent like this (whenever a session was destroyed):
>
>     @Service
>     public class LogoutListener implements ApplicationListener<SessionDestroyedEvent> {
>         @Autowired
>         private SessionRegistryImpl sessionRegistry;
>
>         @Override
>         public void onApplicationEvent(SessionDestroyedEvent event) {
>             List<SecurityContext> lstSecurityContext = event.getSecurityContexts();
>             AuthenticateUser authenticateUser;
>             for (SecurityContext securityContext : lstSecurityContext) {
>                 authenticateUser = (AuthenticateUser) securityContext.getAuthentication().getPrincipal();
>                 logger.trace("Current session destroyed from user [{}]", authenticateUser.getEmail());
>                 //Handle the session destruction event..
>             }
>         }
>     }
>
> Is there any way I could have that functionality with Keycloak?
>
> Thanks in advance,
> Jason

From alexander.chriztopher at gmail.com Mon Oct 13 09:42:13 2014
From: alexander.chriztopher at gmail.com (Alexander Chriztopher)
Date: Mon, 13 Oct 2014 15:42:13 +0200
Subject: [keycloak-user] org.keycloak.util.PemUtils.pemToDer Bad Base64 input character decimal
In-Reply-To: <543848E7.6070309@redhat.com>
References: <54382CBA.8060806@redhat.com> <543848E7.6070309@redhat.com>
Message-ID:

Thank you Bill. It works nicely by just taking off the realm-public-key parameter from the json.

I kept maven filtering for both the URL and the application secret, which works too.

On Fri, Oct 10, 2014 at 11:00 PM, Bill Burke wrote:
> You could just point to the admin server URL and leave out the public key in the keycloak.json file. The adapter will fetch the public key from the server. Let me know if that doesn't work.
>
> On 10/10/2014 3:37 PM, Alexander Chriztopher wrote:
>> Thanks ! Just noticed that. It is because I am using maven filtering to dynamically update the file for each of our environments.
>>
>> What is the best practice to do this ? Has anyone tried using maven filtering successfully with this ?
>>
>> On 10 Oct 2014, at 21:00, Bill Burke wrote:
>>>
>>> Your keycloak.json file is corrupted by accident.
>>>
>>> On 10/10/2014 1:49 PM, Alexander Chriztopher wrote:
>>>> Hi all,
>>>>
>>>> I keep on having this error when I start my application:
>>>>
>>>> 19:45:36,232 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-8) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./cv-web: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./cv-web: Failed to start service
>>>>     at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_11]
>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_11]
>>>>     at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_11]
>>>> Caused by: java.lang.RuntimeException: java.io.IOException: Bad Base64 input character decimal 36 in array position 0
>>>>     at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:37)
>>>>     at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:84)
>>>>     at org.keycloak.adapters.undertow.KeycloakServletExtension.handleDeployment(KeycloakServletExtension.java:104)
>>>>     at io.undertow.servlet.core.DeploymentManagerImpl.handleExtensions(DeploymentManagerImpl.java:240)
>>>>     at io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:149)
>>>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:87)
>>>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.start(UndertowDeploymentService.java:72)
>>>>     at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>>>>     at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>>>>     ... 3 more
>>>> Caused by: java.io.IOException: Bad Base64 input character decimal 36 in array position 0
>>>>     at net.iharder.Base64.decode(Base64.java:1201)
>>>>     at net.iharder.Base64.decode(Base64.java:1256)
>>>>     at net.iharder.Base64.decode(Base64.java:1224)
>>>>     at org.keycloak.util.PemUtils.pemToDer(PemUtils.java:91)
>>>>     at org.keycloak.util.PemUtils.decodePublicKey(PemUtils.java:49)
>>>>     at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:35)
>>>>     ... 11 more
>>>>
>>>> Anyone know where this comes from?
>>>>
>>>> Everything was working fine until today, when I started getting this error. When I comment out my security stuff in web.xml it disappears.
>>>>
>>>> Thanks for any help.
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
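Two points from the threads above, as one added example in Python (not Keycloak's code, and not written by any poster). First, the failure Alexander hit: the adapter's PemUtils.pemToDer reports "Bad Base64 input character decimal 36 in array position 0" because decimal 36 is the dollar sign, the first character of a Maven "${...}" placeholder that filtering never replaced, so the check below refuses a keycloak.json that still contains one or whose realm-public-key is not base64. Second, Stian's advice for non-interactive nodes: a separate, non-admin account used through the direct grant, with roles read out of the token because OpenID Connect does not define them. The code assumes the 1.0.x endpoint /realms/<realm>/tokens/grants/access (marked as an assumption in the code), the keycloak.json keys used in the thread, and a constructed sample file and token. It does not verify the token signature; that has to be done against the realm public key before the roles are trusted. One caveat on Bill's suggestion to leave realm-public-key out: the adapter then trusts whichever key auth-server-url returns, so that URL must be https with a certificate you trust, or anyone on the path can substitute a key and mint tokens you will accept.

```python
"""Added example (not Keycloak's code): a non-interactive client that validates
the keycloak.json the adapters use, builds the direct-grant request and reads
roles from the access token. Signature verification is deliberately not here."""
import base64
import binascii
import json
import re
import time
from urllib.parse import urlencode
from urllib.request import Request

# Constructed sample adapter file (a string, so this runs offline). The "${...}"
# values are Maven filtering placeholders that were never replaced.
SAMPLE_KEYCLOAK_JSON = """{
  "realm": "demo",
  "realm-public-key": "${keycloak.public-key}",
  "auth-server-url": "https://sso.example.com/auth",
  "resource": "batch-worker",
  "credentials": {"secret": "${keycloak.secret}"}
}"""
PLACEHOLDER = re.compile(r"\$\{[^}]*\}")   # '$' is ASCII decimal 36
FORBIDDEN_USERS = {"admin"}                 # a batch job never runs as the admin account

def flatten(obj, prefix=""):
    """Yield (dotted.key, value) pairs of a nested JSON object."""
    for key, value in obj.items():
        if isinstance(value, dict):
            yield from flatten(value, prefix + key + ".")
        else:
            yield prefix + key, value

def pem_to_der(pem):
    """Strip PEM armour if present and base64-decode, as PemUtils.pemToDer does."""
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body, validate=True)   # rejects any non-base64 character

def check_adapter_config(text):
    """Return the problems found in a keycloak.json; an empty list means usable."""
    cfg = json.loads(text)
    problems = [f"missing '{k}'" for k in ("realm", "auth-server-url", "resource") if k not in cfg]
    for key, value in flatten(cfg):
        if isinstance(value, str) and PLACEHOLDER.search(value):
            problems.append(f"unfiltered placeholder in '{key}': {value}")
    pem = cfg.get("realm-public-key")
    if isinstance(pem, str) and not PLACEHOLDER.search(pem):
        try:
            pem_to_der(pem)
        except binascii.Error as exc:
            problems.append(f"realm-public-key is not valid base64: {exc}")
    return problems

def direct_grant_request(config_text, username, password):
    """Build the POST for the direct grant (resource owner password) flow. ASSUMPTION:
    the path follows the 1.0.x layout quoted in the thread; confirm it on your server."""
    problems = check_adapter_config(config_text)
    if problems:
        raise ValueError("refusing to start with a broken keycloak.json: " + "; ".join(problems))
    if username in FORBIDDEN_USERS:
        raise ValueError(f"refusing to use privileged account '{username}'")
    cfg = json.loads(config_text)
    url = cfg["auth-server-url"].rstrip("/") + f"/realms/{cfg['realm']}/tokens/grants/access"
    body = urlencode({"username": username, "password": password,
                      "client_id": cfg["resource"]}).encode()
    # Confidential application: id and secret travel in HTTP Basic auth, not in the URL.
    basic = base64.b64encode(f"{cfg['resource']}:{cfg['credentials']['secret']}".encode()).decode()
    return Request(url, data=body, method="POST", headers={
        "Authorization": "Basic " + basic, "Content-Type": "application/x-www-form-urlencoded"})

def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def token_claims(jwt, now=None):
    """Parse a compact JWS and check alg and exp; the RS256 signature must still be
    verified against the realm public key before these claims are trusted."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    if json.loads(b64url_decode(parts[0])).get("alg") != "RS256":
        raise ValueError("unexpected signing algorithm")
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

def roles_from_token(claims, client_id):
    """realm_access.roles and resource_access.<client>.roles are Keycloak claims, not OIDC."""
    realm_roles = set(claims.get("realm_access", {}).get("roles", []))
    app_roles = set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))
    return realm_roles, app_roles

def sample_token(exp):
    """Constructed, unsigned sample shaped like a Keycloak access token."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({
        "iss": "https://sso.example.com/auth/realms/demo", "sub": "batch-worker-sa",
        "exp": exp, "realm_access": {"roles": ["user"]},
        "resource_access": {"batch-worker": {"roles": ["import"]}}}).encode())
    return f"{header}.{payload}.placeholder-signature"
```

Usage: build the request with direct_grant_request(open("keycloak.json").read(), user, password), send it with urllib.request.urlopen, then pass the access_token from the JSON reply through signature verification and token_claims before calling roles_from_token. Keep the service account's password out of the filtered file; read it from the environment or a secrets store on each node.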
From bburke at redhat.com Mon Oct 13 10:30:07 2014
From: bburke at redhat.com (Bill Burke)
Date: Mon, 13 Oct 2014 10:30:07 -0400
Subject: [keycloak-user] SPNEGO with Keycloak
In-Reply-To:
References: <54384B92.1060209@redhat.com> <77BD4279-02DD-46F5-8365-119376263E5C@yahoo.com> <54392845.4020301@redhat.com> <1413035656.17607.YahooMailNeo@web121804.mail.ne1.yahoo.com> <54393EBA.8060404@redhat.com> <1413040206.16501.YahooMailNeo@web121802.mail.ne1.yahoo.com> <54394CF0.40403@redhat.com> <543A75EA.7090801@redhat.com> <1413123331.74097.YahooMailNeo@web121805.mail.ne1.yahoo.com>
Message-ID: <543BE1EF.8000305@redhat.com>

On 10/12/2014 8:53 PM, Travis De Silva wrote:
> Bill - How about combining option 2 and 3. We use Keycloak as a bridge between our application and Kerberos and then we also use Keycloak as a backend identity store. The use case that I am thinking is that we use the bridge only for SSO authentication and for authorization we can assign users to roles in Keycloak and get all the other goodness of Keycloak.

That works too.

> Also not sure why our application servers need to talk SAML or OpenID Connect. If JBoss/Wildfly has support for SPNEGO.

Depends on if your kerberos server supports session management, single log out. Again, I don't know enough about kerberos to answer that question.

> I am thinking of something like if we configure our application in Keycloak as requiring SPNEGO, then when a request is made to our application, Keycloak will intercept it and respond with a 401 Access Denied, WWW-Authenticate: Negotiate response. This in turn will trigger the browser to re-send the HTTP GET request + the Negotiate SPNEGO Token in an Authorization: Negotiate token header and Keycloak uses it to pass it via the JBoss/Wildfly security domain.
>
> As you can see, you don't really need to integrate all the way back to a Kerberos server but only to JBoss/Wildfly. Yes this does not cover all scenarios and is dependent on JBoss/Wildfly but at least this would be a start for people who use the entire JBoss/Wildfly stack.

What you're describing, I think, is the bridge I want to build. User gets authenticated via kerberos at the Keycloak server. Application uses SAML or OpenID Connect and gets a token it can understand and use for REST invocations, etc.

> BTW, there also seems to be a Jira ticket pending for SPNEGO support in WildFly. https://issues.jboss.org/browse/WFLY-2553 So not sure if Wildfly still has SPNEGO support.

Might be true. JBoss Negotiation might not have been ported to Undertow yet.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From alarik at zwift.com Mon Oct 13 10:31:54 2014
From: alarik at zwift.com (Alarik Myrin)
Date: Mon, 13 Oct 2014 10:31:54 -0400
Subject: [keycloak-user] Is there a secret maximum SSO Idle Timeout
In-Reply-To: <136783858.66581175.1413182966235.JavaMail.zimbra@redhat.com>
References: <136783858.66581175.1413182966235.JavaMail.zimbra@redhat.com>
Message-ID:

Thanks, Stian. I think upgrading to Keycloak 1.0.1 Final will do the trick for me. I have been using Keycloak 1.0 Final.

On Mon, Oct 13, 2014 at 2:49 AM, Stian Thorgersen wrote:
> Not quite sure what you mean about secret timeouts. It's configurable in the admin console and the way it's supposed to work is:
>
> * Idle timeout - requires a token refresh within the specified interval otherwise the session will expire
> * Max timeout - the session will expire after this amount of time no matter what
>
> On top of that for the session to survive a browser restart the user has to check the remember-me option.
>
> If the behaviour you observe differs from this it's a bug. What version are you using? There were some related fixes in 1.0.1.Final (KEYCLOAK-689).
> > ----- Original Message -----
> > From: "Alarik Myrin"
> > To: keycloak-user at lists.jboss.org
> > Sent: Friday, 10 October, 2014 5:47:54 PM
> > Subject: [keycloak-user] Is there a secret maximum SSO Idle Timeout
> >
> > A while ago I raised KEYCLOAK-686 about the fact that there is a secret maximum SSO Session Max Lifespan that is not evident or validated by the admin web application.
> >
> > I think the same thing is probably true of SSO Idle Timeout. If I set this to something like 30 days, and I leave something idle overnight, I hit the SSO Idle Timeout anyway. I'm not sure what the real maximum is for SSO Idle Timeout, but it seems like it is maybe measured in hours.
> >
> > Alarik

From prabhalar at yahoo.com Mon Oct 13 11:35:46 2014
From: prabhalar at yahoo.com (Raghuram)
Date: Mon, 13 Oct 2014 11:35:46 -0400
Subject: [keycloak-user] SPNEGO with Keycloak
In-Reply-To: <543BE1EF.8000305@redhat.com>
References: <54384B92.1060209@redhat.com> <77BD4279-02DD-46F5-8365-119376263E5C@yahoo.com> <54392845.4020301@redhat.com> <1413035656.17607.YahooMailNeo@web121804.mail.ne1.yahoo.com> <54393EBA.8060404@redhat.com> <1413040206.16501.YahooMailNeo@web121802.mail.ne1.yahoo.com> <54394CF0.40403@redhat.com> <543A75EA.7090801@redhat.com> <1413123331.74097.YahooMailNeo@web121805.mail.ne1.yahoo.com> <543BE1EF.8000305@redhat.com>
Message-ID: <89D85AE2-6CA3-41E8-AD24-FB18BC7149DA@yahoo.com>

Sent from my iPhone

> On Oct 13, 2014, at 10:30 AM, Bill Burke wrote:
>
>> On 10/12/2014 8:53 PM, Travis De Silva wrote:
>> Bill - How about combining option 2 and 3. We use Keycloak as a bridge between our application and Kerberos and then we also use Keycloak as a backend identity store. The use case that I am thinking is that we use the bridge only for SSO authentication and for authorization we can assign users to roles in Keycloak and get all the other goodness of Keycloak.
>
> That works too.
>
>> Also not sure why our application servers need to talk SAML or OpenID Connect. If JBoss/Wildfly has support for SPNEGO.
>
> Depends on if your kerberos server supports session management, single log out. Again, I don't know enough about kerberos to answer that question

Session management with clustering on the Keycloak side would be great

>> I am thinking of something like if we configure our application in Keycloak as requiring SPNEGO, then when a request is made to our application, Keycloak will intercept it and respond with a 401 Access Denied, WWW-Authenticate: Negotiate response. This in turn will trigger the browser to re-send the HTTP GET request + the Negotiate SPNEGO Token in an Authorization: Negotiate token header and Keycloak uses it to pass it via the JBoss/Wildfly security domain.
>>
>> As you can see, you don't really need to integrate all the way back to a Kerberos server but only to JBoss/Wildfly. Yes this does not cover all scenarios and is dependent on JBoss/Wildfly but at least this would be a start for people who use the entire JBoss/Wildfly stack.
>
> What you're describing, I think, is the bridge I want to build. User gets authenticated via kerberos at the Keycloak server. Application uses SAML or OpenID Connect and gets a token it can understand and use for REST invocations, etc.

Perfect. SAML and OpenID Connect compatibility is what even I am looking for as it will take care of current as well as future requirements. The only other feature that I would request is a hook (JAAS module?) to plug in other authentication systems like SecurID in addition to SPNEGO.

Bill - how about including this request in your queue?

>> BTW, there also seems to be a Jira ticket pending for SPNEGO support in WildFly. https://issues.jboss.org/browse/WFLY-2553 So not sure if Wildfly still has SPNEGO support.
>
> Might be true. JBoss Negotiation might not have been ported to Undertow yet.
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From bburke at redhat.com Mon Oct 13 12:30:52 2014
From: bburke at redhat.com (Bill Burke)
Date: Mon, 13 Oct 2014 12:30:52 -0400
Subject: [keycloak-user] SPNEGO with Keycloak
In-Reply-To: <89D85AE2-6CA3-41E8-AD24-FB18BC7149DA@yahoo.com>
References: <54384B92.1060209@redhat.com> <77BD4279-02DD-46F5-8365-119376263E5C@yahoo.com> <54392845.4020301@redhat.com> <1413035656.17607.YahooMailNeo@web121804.mail.ne1.yahoo.com> <54393EBA.8060404@redhat.com> <1413040206.16501.YahooMailNeo@web121802.mail.ne1.yahoo.com> <54394CF0.40403@redhat.com> <543A75EA.7090801@redhat.com> <1413123331.74097.YahooMailNeo@web121805.mail.ne1.yahoo.com> <543BE1EF.8000305@redhat.com> <89D85AE2-6CA3-41E8-AD24-FB18BC7149DA@yahoo.com>
Message-ID: <543BFE3C.8090807@redhat.com>

On 10/13/2014 11:35 AM, Raghuram wrote:
>
> Sent from my iPhone
>
>> On Oct 13, 2014, at 10:30 AM, Bill Burke wrote:
>>
>>> On 10/12/2014 8:53 PM, Travis De Silva wrote:
>>> Bill - How about combining option 2 and 3. We use Keycloak as a bridge between our application and Kerberos and then we also use Keycloak as a backend identity store. The use case that I am thinking is that we use the bridge only for SSO authentication and for authorization we can assign users to roles in Keycloak and get all the other goodness of Keycloak.
>>
>> That works too.
>>
>>> Also not sure why our application servers need to talk SAML or OpenID Connect. If JBoss/Wildfly has support for SPNEGO.
>>
>> Depends on if your kerberos server supports session management, single log out. Again, I don't know enough about kerberos to answer that question
> Session management with clustering on the Keycloak side would be great
>>
>>> I am thinking of something like if we configure our application in Keycloak as requiring SPNEGO, then when a request is made to our application, Keycloak will intercept it and respond with a 401 Access Denied, WWW-Authenticate: Negotiate response. This in turn will trigger the browser to re-send the HTTP GET request + the Negotiate SPNEGO Token in an Authorization: Negotiate token header and Keycloak uses it to pass it via the JBoss/Wildfly security domain.
>>>
>>> As you can see, you don't really need to integrate all the way back to a Kerberos server but only to JBoss/Wildfly. Yes this does not cover all scenarios and is dependent on JBoss/Wildfly but at least this would be a start for people who use the entire JBoss/Wildfly stack.
>>
>> What you're describing, I think, is the bridge I want to build. User gets authenticated via kerberos at the Keycloak server. Application uses SAML or OpenID Connect and gets a token it can understand and use for REST invocations, etc.
>
> Perfect. SAML and OpenID Connect compatibility is what even I am looking for as it will take care of current as well as future requirements. The only other feature that I would request is a hook (JAAS module?) to plug in other authentication systems like SecurID in addition to SPNEGO.
>
> Bill - how about including this request in your queue?

You can already delegate credential validation using our User Federation SPI. As far as pluggable auth mechanisms, we already have cert-auth and kerberos on the roadmap which would require such an SPI.
IMO, there are really 2 authentication mechanisms: one requiring user input processing (passwords, otp, etc.), those that don't require user input processing (cert-auth, kerberos, SAML/OIDC based federation, etc.). There would end up being 2 SPIs for both.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From traviskds at gmail.com Mon Oct 13 17:57:06 2014
From: traviskds at gmail.com (Travis De Silva)
Date: Tue, 14 Oct 2014 08:57:06 +1100
Subject: [keycloak-user] SPNEGO with Keycloak
In-Reply-To: <543BFE3C.8090807@redhat.com>
References: <54384B92.1060209@redhat.com> <77BD4279-02DD-46F5-8365-119376263E5C@yahoo.com> <54392845.4020301@redhat.com> <1413035656.17607.YahooMailNeo@web121804.mail.ne1.yahoo.com> <54393EBA.8060404@redhat.com> <1413040206.16501.YahooMailNeo@web121802.mail.ne1.yahoo.com> <54394CF0.40403@redhat.com> <543A75EA.7090801@redhat.com> <1413123331.74097.YahooMailNeo@web121805.mail.ne1.yahoo.com> <543BE1EF.8000305@redhat.com> <89D85AE2-6CA3-41E8-AD24-FB18BC7149DA@yahoo.com> <543BFE3C.8090807@redhat.com>
Message-ID:

Great discussion. Now it's up to Bill and the cool Keycloak folks to schedule this in one of their planned releases. Bill, any idea which release this might get implemented?

On Tue, Oct 14, 2014 at 3:30 AM, Bill Burke wrote:
>
> On 10/13/2014 11:35 AM, Raghuram wrote:
>>
>> Sent from my iPhone
>>
>>> On Oct 13, 2014, at 10:30 AM, Bill Burke wrote:
>>>
>>>> On 10/12/2014 8:53 PM, Travis De Silva wrote:
>>>> Bill - How about combining option 2 and 3. We use Keycloak as a bridge between our application and Kerberos and then we also use Keycloak as a backend identity store. The use case that I am thinking is that we use the bridge only for SSO authentication and for authorization we can assign users to roles in Keycloak and get all the other goodness of Keycloak.
>>>
>>> That works too.
>>>
>>>> Also not sure why our application servers need to talk SAML or OpenID Connect. If JBoss/Wildfly has support for SPNEGO.
>>>
>>> Depends on if your kerberos server supports session management, single log out. Again, I don't know enough about kerberos to answer that question
>>
>> Session management with clustering on the Keycloak side would be great
>>
>>>> I am thinking of something like if we configure our application in Keycloak as requiring SPNEGO, then when a request is made to our application, Keycloak will intercept it and respond with a 401 Access Denied, WWW-Authenticate: Negotiate response. This in turn will trigger the browser to re-send the HTTP GET request + the Negotiate SPNEGO Token in an Authorization: Negotiate token header and Keycloak uses it to pass it via the JBoss/Wildfly security domain.
>>>>
>>>> As you can see, you don't really need to integrate all the way back to a Kerberos server but only to JBoss/Wildfly. Yes this does not cover all scenarios and is dependent on JBoss/Wildfly but at least this would be a start for people who use the entire JBoss/Wildfly stack.
>>>
>>> What you're describing, I think, is the bridge I want to build. User gets authenticated via kerberos at the Keycloak server. Application uses SAML or OpenID Connect and gets a token it can understand and use for REST invocations, etc.
>>
>> Perfect. SAML and OpenID Connect compatibility is what even I am looking for as it will take care of current as well as future requirements. The only other feature that I would request is a hook (JAAS module?) to plug in other authentication systems like SecurID in addition to SPNEGO.
>>
>> Bill - how about including this request in your queue?
>
> You can already delegate credential validation using our User Federation SPI. As far as pluggable auth mechanisms, we already have cert-auth and kerberos on the roadmap which would require such an SPI.
> IMO, there are really 2 authentication mechanisms: one requiring user input processing (passwords, otp, etc.), those that don't require user input processing (cert-auth, kerberos, SAML/OIDC based federation, etc.). There would end up being 2 SPIs for both.
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From traviskds at gmail.com Mon Oct 13 18:03:43 2014
From: traviskds at gmail.com (Travis De Silva)
Date: Tue, 14 Oct 2014 09:03:43 +1100
Subject: [keycloak-user] Key Value Pair List Attributes for Realms
In-Reply-To: <1204261767.66594834.1413184117189.JavaMail.zimbra@redhat.com>
References: <1204261767.66594834.1413184117189.JavaMail.zimbra@redhat.com>
Message-ID:

Didn't think of custom attributes for custom code. But that is also an awesome idea and in fact better than mine, as we can then use that to achieve not only my use case but a lot more.

On Mon, Oct 13, 2014 at 6:08 PM, Stian Thorgersen wrote:
> With regards to a human friendly name for realms and applications, that's something we should do, and it shouldn't require "custom" attributes/themes.
>
> Adding custom attributes to a realm could be useful for custom code (including themes), so that sounds like a good idea.
>
> By the way, you could easily achieve what you want already by adding your own base theme and creating a theme per-realm that extends this.
>
> ----- Original Message -----
> > From: "Travis De Silva"
> > To: keycloak-user at lists.jboss.org
> > Sent: Monday, 13 October, 2014 3:02:13 AM
> > Subject: [keycloak-user] Key Value Pair List Attributes for Realms
> >
> > Hi,
> >
> > Currently on a Keycloak realm level, we have only the realm name and if it's enabled or not as attributes.
> >
> > I am throwing out the idea if it's possible to add additional key/value pair attribute lists.
> >
> > My use case is that currently, the realm name is used in the login form and also is part of the uri. I prefer the URI to be a short name without any spaces but when I display the name in the login form or anywhere else, I would like it to be a user friendly long name. E.g. realm name for url could be "accounts" and the name that comes up in the login page to be "Accounting System". I know I can customize the login page with my own theme but if I can pull that info directly from the realm it would be great as opposed to keeping the info somewhere else.
> >
> > The reason for a key/value attribute list is so that if there are other requirements like the above, we can use it without having to add realm level fields again.
> >
> > Any thoughts?
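The 401 / WWW-Authenticate: Negotiate exchange Travis sketched earlier in the SPNEGO thread, as an added example in Python (not Keycloak's code, and not from any poster). It implements the server half of RFC 4559 far enough to parse the GSS-API framing and the SPNEGO NegTokenInit the browser sends back in Authorization: Negotiate, list the mechanisms it offers, and refuse a token that offers only NTLM instead of silently accepting a downgrade from Kerberos. The real ticket validation belongs to a GSS-API acceptor (JGSS on the JBoss side, as discussed in the thread) and is not shown. The mechanism OIDs are the registered ones; the sample tokens and their contents are constructed here, and the DER encoder exists only to build those samples.

```python
"""Added example (not Keycloak's code): the server half of the HTTP Negotiate
exchange described in the SPNEGO thread (RFC 4559), parsing the GSS-API/SPNEGO
framing far enough to see which mechanisms the browser offered."""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"             # registered mechanism OIDs
KRB5_OID = "1.2.840.113554.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"

def der(tag, content):
    """Minimal DER TLV encoder (definite lengths only), used to build samples."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:                   # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return der(0x06, bytes(body))

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def der_read(buf, pos=0):
    """Return (tag, content, position after the element) for the TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def build_neg_token_init(mech_oids, mech_token):
    """Constructed sample of a browser's first token: InitialContextToken -> NegTokenInit."""
    mech_types = der(0xA0, der(0x30, b"".join(encode_oid(m) for m in mech_oids)))
    neg_init = der(0x30, mech_types + der(0xA2, der(0x04, mech_token)))
    return der(0x60, encode_oid(SPNEGO_OID) + der(0xA0, neg_init))

def offered_mechanisms(raw):
    """Mechanism OIDs offered in a Negotiate token; ValueError if it is not GSS-API."""
    if raw.startswith(b"NTLMSSP\x00"):
        raise ValueError("raw NTLM token, not GSS-API/SPNEGO")
    tag, body, _ = der_read(raw)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid_body, pos = der_read(body)
    mech = decode_oid(oid_body) if tag == 0x06 else None
    if mech == KRB5_OID:                   # bare Kerberos token, no SPNEGO wrapper
        return [KRB5_OID]
    if mech != SPNEGO_OID:
        raise ValueError(f"unsupported mechanism {mech}")
    tag, neg_init, _ = der_read(body, pos)
    if tag != 0xA0:                        # [0] NegTokenInit is the only valid first token
        raise ValueError("expected NegTokenInit")
    tag, mech_types, _ = der_read(der_read(neg_init)[1])   # SEQUENCE -> [0] mechTypes
    if tag != 0xA0:
        raise ValueError("mechTypes missing")
    mech_seq, offered, pos = der_read(mech_types)[1], [], 0
    while pos < len(mech_seq):
        tag, oid_body, pos = der_read(mech_seq, pos)
        if tag != 0x06:
            raise ValueError("mechTypes entry is not an OID")
        offered.append(decode_oid(oid_body))
    return offered

def negotiate_header(raw):
    return {"Authorization": "Negotiate " + base64.b64encode(raw).decode()}

def negotiate_step(headers):
    """One server-side step -> (decision, offered OIDs, response headers). challenge: the
    401 that starts the exchange; forward: well-formed and offers Kerberos, hand it to the
    GSS-API acceptor (not shown); reject: NTLM-only or malformed, refused, not downgraded."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Negotiate "):
        return "challenge", [], {"WWW-Authenticate": "Negotiate"}
    try:
        offered = offered_mechanisms(base64.b64decode(auth[10:], validate=True))
    except ValueError:                     # binascii.Error is a ValueError subclass
        return "reject", [], {"WWW-Authenticate": "Negotiate"}
    if KRB5_OID not in offered:
        return "reject", offered, {"WWW-Authenticate": "Negotiate"}
    return "forward", offered, {}
```

The parser only accepts the first token of the exchange: a NegTokenResp (tag 0xA1, sent bare without the 0x60 wrapper) or anything with an indefinite length is treated as malformed and answered with a fresh challenge, which is the safe failure for a login endpoint.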
From prabhalar at yahoo.com Mon Oct 13 22:12:59 2014
From: prabhalar at yahoo.com (prab rrrr)
Date: Mon, 13 Oct 2014 19:12:59 -0700
Subject: [keycloak-user] SPNEGO with Keycloak
References: <54384B92.1060209@redhat.com> <77BD4279-02DD-46F5-8365-119376263E5C@yahoo.com> <54392845.4020301@redhat.com> <1413035656.17607.YahooMailNeo@web121804.mail.ne1.yahoo.com> <54393EBA.8060404@redhat.com> <1413040206.16501.YahooMailNeo@web121802.mail.ne1.yahoo.com> <54394CF0.40403@redhat.com> <543A75EA.7090801@redhat.com> <1413123331.74097.YahooMailNeo@web121805.mail.ne1.yahoo.com> <543BE1EF.8000305@redhat.com> <89D85AE2-6CA3-41E8-AD24-FB18BC7149DA@yahoo.com> <543BFE3C.8090807@redhat.com>
Message-ID: <1413252779.1590.YahooMailNeo@web121802.mail.ne1.yahoo.com>

Great. Thanks Bill.

Deviating from the topic a bit, I found the below websites very useful in understanding SPNEGO/Kerberos authentication.

How to obtain and authenticate Kerberos and SPNEGO tokens with JGSS
https://github.com/spring-projects/spring-security-kerberos

On Monday, October 13, 2014 5:57 PM, Travis De Silva wrote:

Great discussion. Now it's up to Bill and the cool Keycloak folks to schedule this in one of their planned releases. Bill, any idea which release this might get implemented?

On Tue, Oct 14, 2014 at 3:30 AM, Bill Burke wrote:
>
> On 10/13/2014 11:35 AM, Raghuram wrote:
>>
>> Sent from my iPhone
>>
>> On Oct 13, 2014, at 10:30 AM, Bill Burke wrote:
>>>
>>> On 10/12/2014 8:53 PM, Travis De Silva wrote:
>>>> Bill - How about combining option 2 and 3. We use Keycloak as a bridge between our application and Kerberos and then we also use Keycloak as a backend identity store. The use case that I am thinking is that we use the bridge only for SSO authentication and for authorization we can assign users to roles in Keycloak and get all the other goodness of Keycloak.
>>>>
>>> That works too.
>>>
>>>> Also not sure why our application servers need to talk SAML or OpenID Connect, if JBoss/Wildfly has support for SPNEGO.
>>>>
>>> Depends on if your kerberos server supports session management, single log out. Again, I don't know enough about kerberos to answer that question.
>>>
>> Session management with clustering on the Keycloak side would be great.
>>
>>>> I am thinking of something like if we configure our application in Keycloak as requiring SPNEGO, then when a request is made to our application, Keycloak will intercept it and respond with a 401 Access Denied, WWW-Authenticate: Negotiate response. This in turn will trigger the browser to re-send the HTTP GET request + the Negotiate SPNEGO Token in an Authorization: Negotiate token header and Keycloak uses it to pass it via the JBoss/Wildfly security domain.
>>>>
>>>> As you can see, you don't really need to integrate all the way back to a Kerberos server but only to JBoss/Wildfly. Yes this does not cover all scenarios and is dependent on JBoss/Wildfly but at least this would be a start for people who use the entire JBoss/Wildfly stack.
>>>>
>>> What you're describing, I think, is the bridge I want to build. User gets authenticated via kerberos at the Keycloak server. Application uses SAML or OpenID Connect and gets a token it can understand and use for REST invocations, etc.
>>>
>> Perfect. SAML and OpenID Connect compatibility is what even I am looking for as it will take care of current as well as future requirements. The only other feature that I would request is a hook (JAAS module?) to plug in other authentication systems like SecurID in addition to SPNEGO.
>>
>> Bill - how about including this request in your queue?
>>
> You can already delegate credential validation using our User Federation SPI. As far as pluggable auth mechanisms, we already have cert-auth and kerberos on the roadmap which would require such an SPI.
> IMO, there are really 2 authentication mechanisms: one requiring user input processing (passwords, otp, etc.), those that don't require user input processing (cert-auth, kerberos, SAML/OIDC based federation, etc.). There would end up being 2 SPIs for both.
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com/

From rodrigopsasaki at gmail.com Tue Oct 14 09:35:57 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Tue, 14 Oct 2014 10:35:57 -0300
Subject: [keycloak-user] Find out if user has a password

Hello,

I was wondering if there's a way to know if the user has a password associated with it. I don't need to know the password, I just want to know if one exists.

Is it possible within the existent API? I didn't see a method to give me that information. Maybe I missed something.

Thanks!

--
Rodrigo Sasaki

From stian at redhat.com Tue Oct 14 09:44:35 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 14 Oct 2014 09:44:35 -0400 (EDT)
Subject: [keycloak-user] Find out if user has a password
Message-ID: <1066948201.68072648.1413294275974.JavaMail.zimbra@redhat.com>

Depends on what API you're talking about. It's not available on the admin rest api.

----- Original Message -----
> From: "Rodrigo Sasaki"
> To: keycloak-user at lists.jboss.org
> Sent: Tuesday, 14 October, 2014 3:35:57 PM
> Subject: [keycloak-user] Find out if user has a password
>
> Hello,
>
> I was wondering if there's a way to know if the user has a password associated with it. I don't need to know the password, I just want to know if one exists.
>
> Is it possible within the existent API? I didn't see a method to give me that information. Maybe I missed something.
>
> Thanks!
>
> --
> Rodrigo Sasaki

From rodrigopsasaki at gmail.com Tue Oct 14 09:45:25 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Tue, 14 Oct 2014 10:45:25 -0300
Subject: [keycloak-user] Find out if user has a password
In-Reply-To: <1066948201.68072648.1413294275974.JavaMail.zimbra@redhat.com>
References: <1066948201.68072648.1413294275974.JavaMail.zimbra@redhat.com>

Is there a way for me to get that information? Even from within the keycloak server, the admin console perhaps?

On Tue, Oct 14, 2014 at 10:44 AM, Stian Thorgersen wrote:
> Depends on what API you're talking about. It's not available on the admin rest api.
>
> ----- Original Message -----
> > From: "Rodrigo Sasaki"
> > To: keycloak-user at lists.jboss.org
> > Sent: Tuesday, 14 October, 2014 3:35:57 PM
> > Subject: [keycloak-user] Find out if user has a password
> >
> > Hello,
> >
> > I was wondering if there's a way to know if the user has a password associated with it. I don't need to know the password, I just want to know if one exists.
> >
> > Is it possible within the existent API? I didn't see a method to give me that information. Maybe I missed something.
> >
> > Thanks!
> >
> > --
> > Rodrigo Sasaki

--
Rodrigo Sasaki
From stian at redhat.com Tue Oct 14 09:55:24 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 14 Oct 2014 09:55:24 -0400 (EDT)
Subject: [keycloak-user] Find out if user has a password
References: <1066948201.68072648.1413294275974.JavaMail.zimbra@redhat.com>
Message-ID: <1905443038.68106161.1413294924495.JavaMail.zimbra@redhat.com>

It's only available on the internal UserModel API.

If you can explain what you're trying to achieve we can certainly look at adding it. IMO it should be possible to see if a user has a password set through admin console and rest endpoints.

----- Original Message -----
> From: "Rodrigo Sasaki"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Tuesday, 14 October, 2014 3:45:25 PM
> Subject: Re: [keycloak-user] Find out if user has a password
>
> Is there a way for me to get that information? Even from within the keycloak server, the admin console perhaps?
>
> On Tue, Oct 14, 2014 at 10:44 AM, Stian Thorgersen wrote:
>
> > Depends on what API you're talking about. It's not available on the admin rest api.
> >
> > ----- Original Message -----
> > > From: "Rodrigo Sasaki"
> > > To: keycloak-user at lists.jboss.org
> > > Sent: Tuesday, 14 October, 2014 3:35:57 PM
> > > Subject: [keycloak-user] Find out if user has a password
> > >
> > > Hello,
> > >
> > > I was wondering if there's a way to know if the user has a password associated with it. I don't need to know the password, I just want to know if one exists.
> > >
> > > Is it possible within the existent API? I didn't see a method to give me that information. Maybe I missed something.
> > >
> > > Thanks!
> > >
> > > --
> > > Rodrigo Sasaki
> >
>
> --
> Rodrigo Sasaki

From rodrigopsasaki at gmail.com Tue Oct 14 10:01:15 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Tue, 14 Oct 2014 11:01:15 -0300
Subject: [keycloak-user] Find out if user has a password
In-Reply-To: <1905443038.68106161.1413294924495.JavaMail.zimbra@redhat.com>
References: <1066948201.68072648.1413294275974.JavaMail.zimbra@redhat.com> <1905443038.68106161.1413294924495.JavaMail.zimbra@redhat.com>

Well, we have users that don't use any password, mostly the ones that sign up for our newsletter. They're registered as users too, and the application behaves a little differently for them at some points than it does for users with passwords.

So it would be really nice to have a simple way to have that information if possible.

On Tue, Oct 14, 2014 at 10:55 AM, Stian Thorgersen wrote:
> It's only available on the internal UserModel API.
>
> If you can explain what you're trying to achieve we can certainly look at adding it. IMO it should be possible to see if a user has a password set through admin console and rest endpoints.
>
> ----- Original Message -----
> > From: "Rodrigo Sasaki"
> > To: "Stian Thorgersen"
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Tuesday, 14 October, 2014 3:45:25 PM
> > Subject: Re: [keycloak-user] Find out if user has a password
> >
> > Is there a way for me to get that information? Even from within the keycloak server, the admin console perhaps?
> >
> > On Tue, Oct 14, 2014 at 10:44 AM, Stian Thorgersen wrote:
> >
> > > Depends on what API you're talking about. It's not available on the admin rest api.
> > >
> > > ----- Original Message -----
> > > > From: "Rodrigo Sasaki"
> > > > To: keycloak-user at lists.jboss.org
> > > > Sent: Tuesday, 14 October, 2014 3:35:57 PM
> > > > Subject: [keycloak-user] Find out if user has a password
> > > >
> > > > Hello,
> > > >
> > > > I was wondering if there's a way to know if the user has a password associated with it. I don't need to know the password, I just want to know if one exists.
> > > >
> > > > Is it possible within the existent API? I didn't see a method to give me that information. Maybe I missed something.
> > > >
> > > > Thanks!
> > > >
> > > > --
> > > > Rodrigo Sasaki
> > >
> >
> > --
> > Rodrigo Sasaki

--
Rodrigo Sasaki

From stian at redhat.com Tue Oct 14 13:16:21 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 14 Oct 2014 13:16:21 -0400 (EDT)
Subject: [keycloak-user] Find out if user has a password
References: <1066948201.68072648.1413294275974.JavaMail.zimbra@redhat.com> <1905443038.68106161.1413294924495.JavaMail.zimbra@redhat.com>
Message-ID: <1272449918.68377620.1413306981726.JavaMail.zimbra@redhat.com>

I assume you register those users with the admin rest endpoints then? If so it should be trivial to add and it would make sense to make it visible in admin console as well.
----- Original Message -----
> From: "Rodrigo Sasaki"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Tuesday, 14 October, 2014 4:01:15 PM
> Subject: Re: [keycloak-user] Find out if user has a password
>
> Well, we have users that don't use any password, mostly the ones that sign up for our newsletter. They're registered as users too, and the application behaves a little differently for them at some points than it does for users with passwords.
>
> So it would be really nice to have a simple way to have that information if possible.
>
> On Tue, Oct 14, 2014 at 10:55 AM, Stian Thorgersen wrote:
>
> > It's only available on the internal UserModel API.
> >
> > If you can explain what you're trying to achieve we can certainly look at adding it. IMO it should be possible to see if a user has a password set through admin console and rest endpoints.
> >
> > ----- Original Message -----
> > > From: "Rodrigo Sasaki"
> > > To: "Stian Thorgersen"
> > > Cc: keycloak-user at lists.jboss.org
> > > Sent: Tuesday, 14 October, 2014 3:45:25 PM
> > > Subject: Re: [keycloak-user] Find out if user has a password
> > >
> > > Is there a way for me to get that information? Even from within the keycloak server, the admin console perhaps?
> > >
> > > On Tue, Oct 14, 2014 at 10:44 AM, Stian Thorgersen wrote:
> > >
> > > > Depends on what API you're talking about. It's not available on the admin rest api.
> > > >
> > > > ----- Original Message -----
> > > > > From: "Rodrigo Sasaki"
> > > > > To: keycloak-user at lists.jboss.org
> > > > > Sent: Tuesday, 14 October, 2014 3:35:57 PM
> > > > > Subject: [keycloak-user] Find out if user has a password
> > > > >
> > > > > Hello,
> > > > >
> > > > > I was wondering if there's a way to know if the user has a password associated with it. I don't need to know the password, I just want to know if one exists.
> > > > >
> > > > > Is it possible within the existent API?
> > > > > I didn't see a method to give me that information. Maybe I missed something.
> > > > >
> > > > > Thanks!
> > > > >
> > > > > --
> > > > > Rodrigo Sasaki
> > > >
> > >
> > > --
> > > Rodrigo Sasaki
> >
>
> --
> Rodrigo Sasaki

From rodrigopsasaki at gmail.com Tue Oct 14 13:42:07 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Tue, 14 Oct 2014 14:42:07 -0300
Subject: [keycloak-user] Find out if user has a password
In-Reply-To: <1272449918.68377620.1413306981726.JavaMail.zimbra@redhat.com>
References: <1066948201.68072648.1413294275974.JavaMail.zimbra@redhat.com> <1905443038.68106161.1413294924495.JavaMail.zimbra@redhat.com> <1272449918.68377620.1413306981726.JavaMail.zimbra@redhat.com>

Yes, that's exactly right. After we migrated to Keycloak we create those users using the endpoints.

And yes, I think it could be useful for some people to have this information.

On Tue, Oct 14, 2014 at 2:16 PM, Stian Thorgersen wrote:
> I assume you register those users with the admin rest endpoints then? If so it should be trivial to add and it would make sense to make it visible in admin console as well.
>
> ----- Original Message -----
> > From: "Rodrigo Sasaki"
> > To: "Stian Thorgersen"
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Tuesday, 14 October, 2014 4:01:15 PM
> > Subject: Re: [keycloak-user] Find out if user has a password
> >
> > Well, we have users that don't use any password, mostly the ones that sign up for our newsletter. They're registered as users too, and the application behaves a little differently for them at some points than it does for users with passwords.
> >
> > So it would be really nice to have a simple way to have that information if possible.
> >
> > On Tue, Oct 14, 2014 at 10:55 AM, Stian Thorgersen wrote:
> >
> > > It's only available on the internal UserModel API.
> > >
> > > If you can explain what you're trying to achieve we can certainly look at adding it. IMO it should be possible to see if a user has a password set through admin console and rest endpoints.
> > >
> > > ----- Original Message -----
> > > > From: "Rodrigo Sasaki"
> > > > To: "Stian Thorgersen"
> > > > Cc: keycloak-user at lists.jboss.org
> > > > Sent: Tuesday, 14 October, 2014 3:45:25 PM
> > > > Subject: Re: [keycloak-user] Find out if user has a password
> > > >
> > > > Is there a way for me to get that information? Even from within the keycloak server, the admin console perhaps?
> > > >
> > > > On Tue, Oct 14, 2014 at 10:44 AM, Stian Thorgersen wrote:
> > > >
> > > > > Depends on what API you're talking about. It's not available on the admin rest api.
> > > > >
> > > > > ----- Original Message -----
> > > > > > From: "Rodrigo Sasaki"
> > > > > > To: keycloak-user at lists.jboss.org
> > > > > > Sent: Tuesday, 14 October, 2014 3:35:57 PM
> > > > > > Subject: [keycloak-user] Find out if user has a password
> > > > > >
> > > > > > Hello,
> > > > > >
> > > > > > I was wondering if there's a way to know if the user has a password associated with it. I don't need to know the password, I just want to know if one exists.
> > > > > >
> > > > > > Is it possible within the existent API? I didn't see a method to give me that information. Maybe I missed something.
> > > > > >
> > > > > > Thanks!
> > > > > >
> > > > > > --
> > > > > > Rodrigo Sasaki
> > > > >
> > > >
> > > > --
> > > > Rodrigo Sasaki
> > >
> >
> > --
> > Rodrigo Sasaki

--
Rodrigo Sasaki

From prabhalar at yahoo.com Wed Oct 15 10:37:19 2014
From: prabhalar at yahoo.com (Raghuram)
Date: Wed, 15 Oct 2014 10:37:19 -0400
Subject: [keycloak-user] SAML functionality
Message-ID: <06A22EF4-8F48-4EF5-A492-48395C6F7C08@yahoo.com>

Bill - in your blog you mentioned that you will provide SAML functionality in the future versions of Keycloak. Can you provide more information about that? Will Keycloak be a full fledged IDP like PicketLink or does it act as an STS throwing either OpenID Connect or SAML tokens?

Thanks

From bburke at redhat.com Wed Oct 15 10:52:24 2014
From: bburke at redhat.com (Bill Burke)
Date: Wed, 15 Oct 2014 10:52:24 -0400
Subject: [keycloak-user] SAML functionality
In-Reply-To: <06A22EF4-8F48-4EF5-A492-48395C6F7C08@yahoo.com>
References: <06A22EF4-8F48-4EF5-A492-48395C6F7C08@yahoo.com>
Message-ID: <543E8A28.8090506@redhat.com>

Keycloak is already a full-fledged IDP except it uses OpenID Connect as a protocol instead of SAML. OpenID Connect was written and targeted for Web applications and REST services. SAML, on the other hand, was written for SOAP and web app support retrofitted on as an afterthought....

That being said, SAML integration is coming in a week or two. I have basic SAML working in master; I'm currently adding support for signed/encrypted SAML requests.
All of this code is leveraging the picketlink-federation module that the PicketLink IDP is built on.

On 10/15/2014 10:37 AM, Raghuram wrote:
> Bill - in your blog you mentioned that you will provide SAML functionality in the future versions of Keycloak. Can you provide more information about that? Will Keycloak be a full fledged IDP like PicketLink or does it act as an STS throwing either OpenID Connect or SAML tokens?
>
> Thanks

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From pablo.m.gore at gmail.com Wed Oct 15 12:06:21 2014
From: pablo.m.gore at gmail.com (Pablo Martin Gore)
Date: Wed, 15 Oct 2014 13:06:21 -0300
Subject: [keycloak-user] Registration

Hi,
I want to know if it is possible to add more information into the registration process. I saw a table USER_ATTRIBUTES; could I use it for this purpose, and how could I change the registration page layout?

Thanks
Pablo Gore

From bburke at redhat.com Wed Oct 15 12:10:53 2014
From: bburke at redhat.com (Bill Burke)
Date: Wed, 15 Oct 2014 12:10:53 -0400
Subject: [keycloak-user] Registration
Message-ID: <543E9C8D.7030902@redhat.com>

Not yet on adding additional registration fields; it wouldn't be too hard to implement this feature though, but we have higher priorities at the moment.

You can change the layout of any keycloak page (admin, login, etc.):

http://docs.jboss.org/keycloak/docs/1.0.2.Final/userguide/html/themes.html

There are some example themes in the examples/ directory that comes with the distro.
On 10/15/2014 12:06 PM, Pablo Martin Gore wrote:
> Hi,
> I want to know if it is possible to add more information into the registration process. I saw a table USER_ATTRIBUTES; could I use it for this purpose, and how could I change the registration page layout?
>
> Thanks
> Pablo Gore

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From pablo.m.gore at gmail.com Wed Oct 15 12:17:28 2014
From: pablo.m.gore at gmail.com (Pablo Martin Gore)
Date: Wed, 15 Oct 2014 13:17:28 -0300
Subject: [keycloak-user] Registration
In-Reply-To: <543E9C8D.7030902@redhat.com>
References: <543E9C8D.7030902@redhat.com>

Bill, is it possible to share users between realms? I mean pablo is admin in realm 1 and in realm 2 should be a single user. My app has to work in a multi-company environment.
Thanks again.

2014-10-15 13:10 GMT-03:00 Bill Burke :
> Not yet on adding additional registration fields; it wouldn't be too hard to implement this feature though, but we have higher priorities at the moment.
>
> You can change the layout of any keycloak page (admin, login, etc.):
>
> http://docs.jboss.org/keycloak/docs/1.0.2.Final/userguide/html/themes.html
>
> There are some example themes in the examples/ directory that comes with the distro.
>
> On 10/15/2014 12:06 PM, Pablo Martin Gore wrote:
> > Hi,
> > I want to know if it is possible to add more information into the registration process. I saw a table USER_ATTRIBUTES; could I use it for this purpose, and how could I change the registration page layout?
> >
> > Thanks
> > Pablo Gore
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From pablo.m.gore at gmail.com Wed Oct 15 12:20:24 2014
From: pablo.m.gore at gmail.com (Pablo Martin Gore)
Date: Wed, 15 Oct 2014 13:20:24 -0300
Subject: [keycloak-user] multi-company

Hi,
Is it possible to share users between realms? I mean pablo is admin in realm 1 and in realm 2 should be a single user. My app has to work in a multi-company environment.
Thanks again.

From bburke at redhat.com Wed Oct 15 12:34:43 2014
From: bburke at redhat.com (Bill Burke)
Date: Wed, 15 Oct 2014 12:34:43 -0400
Subject: [keycloak-user] multi-company
Message-ID: <543EA223.5030203@redhat.com>

No, but you'll have to define what "multi-company" means to you. We support user federation within a realm, but out of the box, only through LDAP/AD.

On 10/15/2014 12:20 PM, Pablo Martin Gore wrote:
> Hi,
> Is it possible to share users between realms? I mean pablo is admin in realm 1 and in realm 2 should be a single user. My app has to work in a multi-company environment.
> Thanks again.
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From alexander.chriztopher at gmail.com Wed Oct 15 15:02:50 2014
From: alexander.chriztopher at gmail.com (Alexander Chriztopher)
Date: Wed, 15 Oct 2014 21:02:50 +0200
Subject: [keycloak-user] Limit users to 3 password trials
Message-ID: <69CECF1D-4BEB-4668-87A8-CB8B5C2B814E@gmail.com>

Hi,

Was just wondering whether this is possible natively in Keycloak.

Thanks for any help.

From bburke at redhat.com Wed Oct 15 16:49:43 2014
From: bburke at redhat.com (Bill Burke)
Date: Wed, 15 Oct 2014 16:49:43 -0400
Subject: [keycloak-user] Limit users to 3 password trials
In-Reply-To: <69CECF1D-4BEB-4668-87A8-CB8B5C2B814E@gmail.com>
References: <69CECF1D-4BEB-4668-87A8-CB8B5C2B814E@gmail.com>
Message-ID: <543EDDE7.80605@redhat.com>

No. Log a jira please.

On 10/15/2014 3:02 PM, Alexander Chriztopher wrote:
> Hi,
>
> Was just wondering whether this is possible natively in Keycloak.
>
> Thanks for any help.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From pablo.m.gore at gmail.com Thu Oct 16 09:01:15 2014
From: pablo.m.gore at gmail.com (Pablo Martin Gore)
Date: Thu, 16 Oct 2014 10:01:15 -0300
Subject: [keycloak-user] keycloak multi tenant

Just one question, does Keycloak support, or will it support in the future, multi-tenant behavior?
From stian at redhat.com Thu Oct 16 09:11:57 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 16 Oct 2014 09:11:57 -0400 (EDT)
Subject: [keycloak-user] keycloak multi tenant
Message-ID: <2120061895.69831129.1413465117351.JavaMail.zimbra@redhat.com>

On the server-side we already do support multi-tenancy in the form of isolated realms and per-realm admin access.

On the adapter-side we have had requests for this in the past, and we plan to provide some support for it. However, exactly what and when is yet to be defined. Can you elaborate on specifically what you're after?

----- Original Message -----
> From: "Pablo Martin Gore"
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, 16 October, 2014 3:01:15 PM
> Subject: [keycloak-user] keycloak multi tenant
>
> Just one question, does Keycloak support, or will it support in the future, multi-tenant behavior?

From alarik at zwift.com Thu Oct 16 12:50:43 2014
From: alarik at zwift.com (Alarik Myrin)
Date: Thu, 16 Oct 2014 12:50:43 -0400
Subject: [keycloak-user] (no subject)

I am having a strange situation, which might be arising from a bug in Keycloak.

I have a direct grants only OAuth client which makes invocations against a bearer-only REST interface, running on Wildfly 8.0.0 Final with Keycloak 1.0 final.

A side effect of making one of the invocations is that the user is added to a realm role. So far so good. The access token used to make that invocation though does not contain the new realm role, so he cannot, yet, make invocations against another endpoint (call it endpoint B) without getting a 403 Forbidden. This is expected.
So, the client has to refresh the access token (realms/{realm}/tokens/refresh), in order to get a new access token with the realm role. The refresh goes OK, but when he tries to make invocations against endpoint B, he still gets a 403 Forbidden.

What is maybe even stranger is that if instead of refreshing the access token, he just requests a brand new access token using the direct grant keycloak stuff (realms/{realm}/tokens/grants/access) then he gets an access token which allows him to access endpoint B successfully.

So, in short, refreshing the access token does not yield an access token with the new realm role, but asking for a brand new access token does yield an access token with the new realm role.

I can reproduce this in my automated tests 100% of the times that I have tried it, but I don't have a nice little test case for you...

Does that sound like a bug, or am I missing something about how this is supposed to work?

Thank you in advance for taking the time to read this long e-mail,

Alarik

From bburke at redhat.com Thu Oct 16 13:17:28 2014
From: bburke at redhat.com (Bill Burke)
Date: Thu, 16 Oct 2014 13:17:28 -0400
Subject: [keycloak-user] (no subject)
Message-ID: <543FFDA8.9030806@redhat.com>

On 10/16/2014 12:50 PM, Alarik Myrin wrote:
> I am having a strange situation, which might be arising from a bug in Keycloak.
>
> I have a direct grants only OAuth client which makes invocations against a bearer-only REST interface, running on Wildfly 8.0.0 Final with Keycloak 1.0 final.
>
> A side effect of making one of the invocations is that the user is added to a realm role. So far so good.
> The access token used to make that invocation though does not contain the new realm role, so he cannot, yet, make invocations against another endpoint (call it endpoint B) without getting a 403 Forbidden. This is expected.
>
> So, the client has to refresh the access token (realms/{realm}/tokens/refresh), in order to get a new access token with the realm role. The refresh goes OK, but when he tries to make invocations against endpoint B, he still gets a 403 Forbidden.
>

Keycloak will only populate the refreshed token with the original granted roles. The idea is that there may have been consent involved and the user can't consent to any newly added roles.

I guess we could change it in that if the client is an application and not an oauth client, it would get the new roles.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From corinnekrych at gmail.com Thu Oct 16 13:47:29 2014
From: corinnekrych at gmail.com (Corinne Krych)
Date: Thu, 16 Oct 2014 19:47:29 +0200
Subject: [keycloak-user] (no subject)
In-Reply-To: <543FFDA8.9030806@redhat.com>
References: <543FFDA8.9030806@redhat.com>

Hello Alarik,

Interesting use case. I would have thought, like you, that the newly refreshed access token would contain the new role grant, but reading the spec:
http://tools.ietf.org/html/rfc6749#section-1.5

    refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope (access tokens may have a shorter lifetime and fewer permissions than authorized by the resource owner).

Somehow it makes sense to have to approve the new grants.
I need to check how it behaves with OAuth2 providers like Google?

++
Corinne
AeroGear iOS team

On 16 Oct 2014, at 19:17, Bill Burke wrote:

>
>
> On 10/16/2014 12:50 PM, Alarik Myrin wrote:
>> I am having a strange situation, which might be arising from a bug in
>> Keycloak.
>>
>> I have a direct grants only OAuth client which makes invocations against
>> a bearer-only REST interface, running on Wildfly 8.0.0 Final with
>> Keycloak 1.0 final.
>>
>> A side effect of making one of the invocations is that the user is added
>> to a realm role. So far so good. The access token used to make that
>> invocation though does not contain the new realm role so he cannot, yet,
>> make invocations against another endpoint (call it endpoint B) without
>> getting a 403 Forbidden. This is expected.
>>
>> So, the client has to refresh the access token
>> (realms/{realm}/tokens/refresh), in order to get a new access token with
>> the realm role. The refresh goes OK, but when he tries to make
>> invocations against endpoint B, he still gets a 403 Forbidden.
>>
>
> Keycloak will only populate the refreshed token with the original
> granted roles. The idea is that there may have been consent involved
> and the user can't consent to any newly added roles.
>
> I guess we could change it in that if the client is an application and
> not an oauth client, it would get the new roles.
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141016/9463baab/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
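The refresh behaviour Bill describes, and the trusted-application variant he proposes, as an added example in JavaScript. This is not Keycloak's code and not code from anyone in this thread: the user directory, the two clients, the role names and the `allowedRoles` field (standing in for a client's role scope) are constructed assumptions. It replays Alarik's scenario (refresh keeps the original grant, a new direct grant picks up the role, a trusted application picks it up on refresh) and also shows what happens when a role is taken away from the user.

```javascript
// Added example, not Keycloak code. Models how a token endpoint decides which roles go into a
// refreshed access token. Users, clients and role names are constructed for this example.

// Constructed user directory: username -> set of realm roles the user currently holds.
const userRoles = new Map([['alice', new Set(['user'])]]);

// A client that went through the consent screen must never get wider scope on refresh
// (RFC 6749 section 1.5: "identical or narrower scope"). An application is trusted: there was
// no consent screen, so it may pick up roles granted since the original login.
// allowedRoles is an assumed field standing in for the client's role scope.
const oauthClient = { id: 'direct-grant-client', trusted: false, allowedRoles: ['user', 'endpoint-b'] };
const application = { id: 'trusted-app', trusted: true, allowedRoles: ['user', 'endpoint-b'] };

// Initial issuance (for instance a direct grant): roles are the user's current roles,
// limited to the client's scope. The refresh token remembers exactly what was granted.
function issueTokens(client, username) {
  const current = userRoles.get(username);
  const roles = client.allowedRoles.filter(r => current.has(r));
  return {
    access: { sub: username, azp: client.id, roles },
    refresh: { sub: username, azp: client.id, grantedRoles: roles.slice() },
  };
}

// Refresh: re-read the user's roles, but bound the result by the original grant unless the
// client is a trusted application. Roles revoked since the grant drop out either way.
function refreshAccessToken(client, refresh) {
  if (refresh.azp !== client.id) throw new Error('refresh token belongs to another client');
  const current = userRoles.get(refresh.sub);
  const bound = client.trusted ? client.allowedRoles : refresh.grantedRoles;
  return { sub: refresh.sub, azp: client.id, roles: bound.filter(r => current.has(r)) };
}

// Resource server check: roles are read from the presented token on every call, never cached
// from an earlier one, so a role that disappeared at refresh time is enforced immediately.
function authorize(accessToken, requiredRole) {
  return accessToken.roles.includes(requiredRole) ? 200 : 403;
}

// Replays the scenario from the thread and returns the status codes observed.
function runScenario() {
  userRoles.set('alice', new Set(['user']));
  const oauth = issueTokens(oauthClient, 'alice');
  const app = issueTokens(application, 'alice');

  // Endpoint A's side effect: alice is added to the realm role that endpoint B requires.
  userRoles.get('alice').add('endpoint-b');

  const result = {
    beforeRefresh: authorize(oauth.access, 'endpoint-b'),                                   // 403, as expected
    oauthRefresh: authorize(refreshAccessToken(oauthClient, oauth.refresh), 'endpoint-b'),   // 403: scope cannot widen
    directGrant: authorize(issueTokens(oauthClient, 'alice').access, 'endpoint-b'),          // 200: brand-new grant
    appRefresh: authorize(refreshAccessToken(application, app.refresh), 'endpoint-b'),       // 200: trusted application
  };

  // Revocation: take 'user' away from alice; every client type loses it on the next refresh.
  userRoles.get('alice').delete('user');
  result.oauthAfterRevoke = refreshAccessToken(oauthClient, oauth.refresh).roles;   // []
  result.appAfterRevoke = refreshAccessToken(application, app.refresh).roles;       // ['endpoint-b']
  return result;
}

console.log(runScenario());
```

The resource server in this model re-reads the roles from every token it is handed; an application that caches the roles it saw in the first access token would keep granting a role the refreshed token no longer carries.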
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20141016/9463baab/attachment.bin

From bburke at redhat.com Thu Oct 16 14:04:50 2014
From: bburke at redhat.com (Bill Burke)
Date: Thu, 16 Oct 2014 14:04:50 -0400
Subject: [keycloak-user] (no subject)
In-Reply-To:
References: <543FFDA8.9030806@redhat.com>
Message-ID: <544008C2.2050001@redhat.com>

Applications are "trusted" in Keycloak and don't require the consent screen. So, I think we should allow roles to be updated on a request.

On 10/16/2014 1:47 PM, Corinne Krych wrote:
> Hello Alarik,
>
> Interesting use case. I would have thought, like you, that the newly
> refreshed access token would contain the new role grant, but reading the
> spec:
> http://tools.ietf.org/html/rfc6749#section-1.5
>
> refresh tokens are issued to the client by the authorization server
> and are
> used to obtain a new access token when the current access token
> becomes invalid or expires, or to obtain additional access tokens
> *with identical or narrower scope* (access tokens may have a shorter
> lifetime and fewer permissions than authorized by the resource
> owner).
>
> Somehow makes sense to have to approve the new grants.
> I need to check how it behaves with OAuth2 providers like Google?
>
> ++
> Corinne
> AeroGear iOS team
>
> On 16 Oct 2014, at 19:17, Bill Burke
> wrote:
>
>>
>>
>> On 10/16/2014 12:50 PM, Alarik Myrin wrote:
>>> I am having a strange situation, which might be arising from a bug in
>>> Keycloak.
>>>
>>> I have a direct grants only OAuth client which makes invocations against
>>> a bearer-only REST interface, running on Wildfly 8.0.0 Final with
>>> Keycloak 1.0 final.
>>>
>>> A side effect of making one of the invocations is that the user is added
>>> to a realm role. So far so good.
>>> The access token used to make that
>>> invocation though does not contain the new realm role so he cannot, yet,
>>> make invocations against another endpoint (call it endpoint B) without
>>> getting a 403 Forbidden. This is expected.
>>>
>>> So, the client has to refresh the access token
>>> (realms/{realm}/tokens/refresh), in order to get a new access token with
>>> the realm role. The refresh goes OK, but when he tries to make
>>> invocations against endpoint B, he still gets a 403 Forbidden.
>>>
>>
>> Keycloak will only populate the refreshed token with the original
>> granted roles. The idea is that there may have been consent involved
>> and the user can't consent to any newly added roles.
>>
>> I guess we could change it in that if the client is an application and
>> not an oauth client, it would get the new roles.
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From corinnekrych at gmail.com Thu Oct 16 14:54:15 2014
From: corinnekrych at gmail.com (Corinne Krych)
Date: Thu, 16 Oct 2014 20:54:15 +0200
Subject: [keycloak-user] (no subject)
In-Reply-To: <544008C2.2050001@redhat.com>
References: <543FFDA8.9030806@redhat.com> <544008C2.2050001@redhat.com>
Message-ID: <406119D7-7199-4EA3-AF3B-005053D62E2A@gmail.com>

I missed the "direct grants only OAuth client" mentioned in original mail.
Isn't a direct grant oauth client as trusted as application?

++
Corinne

On 16 Oct 2014, at 20:04, Bill Burke wrote:

> Applications are "trusted" in Keycloak and don't require the consent
> screen.
> So, I think we should allow roles to be updated on a request.
>
> On 10/16/2014 1:47 PM, Corinne Krych wrote:
>> Hello Alarik,
>>
>> Interesting use case. I would have thought, like you, that the newly
>> refreshed access token would contain the new role grant, but reading the
>> spec:
>> http://tools.ietf.org/html/rfc6749#section-1.5
>>
>> refresh tokens are issued to the client by the authorization server
>> and are
>> used to obtain a new access token when the current access token
>> becomes invalid or expires, or to obtain additional access tokens
>> *with identical or narrower scope* (access tokens may have a shorter
>> lifetime and fewer permissions than authorized by the resource
>> owner).
>>
>> Somehow makes sense to have to approve the new grants.
>> I need to check how it behaves with OAuth2 providers like Google?
>>
>> ++
>> Corinne
>> AeroGear iOS team
>>
>> On 16 Oct 2014, at 19:17, Bill Burke
>> wrote:
>>
>>>
>>>
>>> On 10/16/2014 12:50 PM, Alarik Myrin wrote:
>>>> I am having a strange situation, which might be arising from a bug in
>>>> Keycloak.
>>>>
>>>> I have a direct grants only OAuth client which makes invocations against
>>>> a bearer-only REST interface, running on Wildfly 8.0.0 Final with
>>>> Keycloak 1.0 final.
>>>>
>>>> A side effect of making one of the invocations is that the user is added
>>>> to a realm role. So far so good. The access token used to make that
>>>> invocation though does not contain the new realm role so he cannot, yet,
>>>> make invocations against another endpoint (call it endpoint B) without
>>>> getting a 403 Forbidden. This is expected.
>>>>
>>>> So, the client has to refresh the access token
>>>> (realms/{realm}/tokens/refresh), in order to get a new access token with
>>>> the realm role. The refresh goes OK, but when he tries to make
>>>> invocations against endpoint B, he still gets a 403 Forbidden.
>>>>
>>>
>>> Keycloak will only populate the refreshed token with the original
>>> granted roles.
>>> The idea is that there may have been consent involved
>>> and the user can't consent to any newly added roles.
>>>
>>> I guess we could change it in that if the client is an application and
>>> not an oauth client, it would get the new roles.
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20141016/073d8cb3/attachment.bin

From peterson.dean at gmail.com Thu Oct 16 16:35:29 2014
From: peterson.dean at gmail.com (Dean Peterson)
Date: Thu, 16 Oct 2014 15:35:29 -0500
Subject: [keycloak-user] CORS / Cross Domain Javascript calls
Message-ID:

I had this working with previous versions of keycloak. Now I am not able to figure it out.
I have one confidential javascript application with the following config:

{
  "realm": "abecorn",
  "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcGOrjJDVkNCzgVtUeIErcEYr+1orw3q/abwd3qzvArWbCrs8PZZDO9JONLMWI5gme+G616gMPw+zPwicT2g+bjYb9b0MwjTUbqxGFr858Vt3GNb25hMdsUdDoxuqnXfmXr59zOn6lX9kceMdQBAwfTGm4Gj21mkQf0UJopE8sMwIDAQAB",
  "auth-server-url": "http://fnb-dean-vm2:8080/auth",
  "ssl-required": "external",
  "resource": "item_repository",
  "enable-cors": true,
  "cors-max-age": 1000,
  "credentials": {
    "secret": "d1d72a4d-7ab2-4dbe-82b2-f78ef386908a"
  }
}

I have another for REST services that is bearer only:

{
  "realm": "abecorn",
  "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcGOrjJDVkNCzgVtUeIErcEYr+1orw3q/abwd3qzvArWbCrs8PZZDO9JONLMWI5gme+G616gMPw+zPwicT2g+bjYb9b0MwjTUbqxGFr858Vt3GNb25hMdsUdDoxuqnXfmXr59zOn6lX9kceMdQBAwfTGm4Gj21mkQf0UJopE8sMwIDAQAB",
  "bearer-only": true,
  "enable-cors": true,
  "cors-max-age": 1000,
  "ssl-required": "external",
  "resource": "itemreposervices"
}

No matter what web origins I add to the first "confidential" application, I continue to get the error:

XMLHttpRequest cannot load http://localhost:8080/itemrepository-rs/rest/items. The request was redirected to 'http://fnb-dean-vm2:8080/auth/realms/abecorn/protocol/openid-connect/login??s%2Frest%2Fitems&state=0%2F025e3003-59a5-43d3-9927-396d966d7e5a&login=true', which is disallowed for cross-origin requests that require preflight.

I also tried making the bearer only application into a confidential application and gave it the appropriate web origins. Still no luck. Shouldn't the bearer only applications have a place to enter web origins like the admin console had a while back? How do you make the white list for a bearer only application to allow cross domain javascript?

-------------- next part --------------
An HTML attachment was scrubbed...
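An added example, not the Keycloak adapter's code and not code posted in this thread, modelling how a resource answers cross-origin browser calls and how the browser reports the two errors quoted above. The web-origin whitelist, the login URL, the request path and the token value are constructed; the confidential-mode behaviour (every unauthenticated request, the preflight included, is redirected to the login page) is modelled on what Dean reports, not taken from the adapter source. The bearer-only branch shows the defensive choice of keeping the CORS headers on the 401, so that a script which forgot its Authorization header sees a readable 401 instead of an opaque cross-origin block.

```javascript
// Added example, not Keycloak adapter code. Models a resource server answering cross-origin
// browser calls in "bearer-only" and "confidential" mode, plus the browser's view of the
// response. Origins, URLs and the token value are constructed for this example.

const WEB_ORIGINS = new Set(['http://localhost:9000']);        // registered web origins (whitelist)
const VALID_TOKENS = new Set(['constructed-access-token']);    // stands in for signature/expiry checks
const LOGIN_URL = 'http://auth.example.test/auth/realms/example/protocol/openid-connect/login';

// CORS headers are emitted only for a whitelisted Origin. Authorization has to be listed in
// Access-Control-Allow-Headers, otherwise the browser refuses to send it after the preflight.
function corsHeaders(origin) {
  if (!origin || !WEB_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Headers': 'Authorization, Content-Type',
    'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE',
    'Access-Control-Max-Age': '1000',
    'Vary': 'Origin',
  };
}

function bearerToken(req) {
  const auth = req.headers.authorization || '';
  return auth.startsWith('Bearer ') ? auth.slice('Bearer '.length) : null;
}

// req: { method, headers: { origin?, authorization? } }; bearerOnly selects the adapter mode.
function handleRequest(req, bearerOnly) {
  const cors = corsHeaders(req.headers.origin);
  if (bearerOnly && req.method === 'OPTIONS') {
    // A preflight never carries credentials, so it must succeed without a token.
    return { status: 204, headers: cors };
  }
  const token = bearerToken(req);
  if (!token || !VALID_TOKENS.has(token)) {
    if (!bearerOnly) {
      // Assumed model of the confidential mode seen in the thread: an unauthenticated request
      // (the preflight too) is treated as a browser user and redirected to the login page.
      return { status: 302, headers: { ...cors, Location: LOGIN_URL } };
    }
    // Bearer-only: a plain 401 that keeps the CORS headers, so the calling script can read it.
    return { status: 401, headers: { ...cors, 'WWW-Authenticate': 'Bearer realm="example"' } };
  }
  return { status: 200, headers: cors, body: '[{"id": 1}]' };
}

// Simplified model of the browser's CORS checks on a preflighted request from `origin`.
function browserOutcome(origin, response) {
  if (response.status >= 300 && response.status < 400) {
    return 'blocked: redirect is disallowed for cross-origin requests that require preflight';
  }
  if (response.headers['Access-Control-Allow-Origin'] !== origin) {
    return "blocked: no 'Access-Control-Allow-Origin' header for " + origin;
  }
  return 'delivered: HTTP ' + response.status;
}

// The browser's two-step call: preflight first, then the real request with the bearer token.
function crossOriginCall(origin, authorization, bearerOnly) {
  const preflight = handleRequest({ method: 'OPTIONS', headers: { origin } }, bearerOnly);
  const pre = browserOutcome(origin, preflight);
  if (!pre.startsWith('delivered')) return pre;
  const headers = { origin };
  if (authorization) headers.authorization = authorization;
  return browserOutcome(origin, handleRequest({ method: 'GET', headers }, bearerOnly));
}

console.log(crossOriginCall('http://localhost:9000', 'Bearer constructed-access-token', true));
console.log(crossOriginCall('http://localhost:9000', null, true));
console.log(crossOriginCall('http://localhost:9000', 'Bearer constructed-access-token', false));
```

With the Authorization header present and the origin registered, the bearer-only call is delivered with 200; without the header it is delivered as a 401 the script can act on; in confidential mode the preflight is redirected and the browser blocks it, which is the first error message in the thread.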
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141016/e865bbaf/attachment-0001.html

From peterson.dean at gmail.com Thu Oct 16 16:46:20 2014
From: peterson.dean at gmail.com (Dean Peterson)
Date: Thu, 16 Oct 2014 15:46:20 -0500
Subject: [keycloak-user] CORS / Cross Domain Javascript calls
In-Reply-To:
References:
Message-ID:

Actually the error I included before is the error I get when I switch the bearer only application to a confidential one. This is the error I get for the bearer only configuration:

XMLHttpRequest cannot load http://localhost:8080/itemrepository-rs/rest/items. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:9000' is therefore not allowed access.

On Thu, Oct 16, 2014 at 3:35 PM, Dean Peterson wrote:

> I had this working with previous versions of keycloak. Now I am not able
> to figure it out. I have one confidential javascript application with the
> following config:
>
> {
> "realm": "abecorn",
> "realm-public-key":
> "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcGOrjJDVkNCzgVtUeIErcEYr+1orw3q/abwd3qzvArWbCrs8PZZDO9JONLMWI5gme+G616gMPw+zPwicT2g+bjYb9b0MwjTUbqxGFr858Vt3GNb25hMdsUdDoxuqnXfmXr59zOn6lX9kceMdQBAwfTGm4Gj21mkQf0UJopE8sMwIDAQAB",
> "auth-server-url": "http://fnb-dean-vm2:8080/auth",
> "ssl-required": "external",
> "resource": "item_repository",
> "enable-cors": true,
> "cors-max-age": 1000,
> "credentials": {
> "secret": "d1d72a4d-7ab2-4dbe-82b2-f78ef386908a"
> }
> }
>
> I have another for REST services that is bearer only:
> {
> "realm": "abecorn",
> "realm-public-key":
> "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcGOrjJDVkNCzgVtUeIErcEYr+1orw3q/abwd3qzvArWbCrs8PZZDO9JONLMWI5gme+G616gMPw+zPwicT2g+bjYb9b0MwjTUbqxGFr858Vt3GNb25hMdsUdDoxuqnXfmXr59zOn6lX9kceMdQBAwfTGm4Gj21mkQf0UJopE8sMwIDAQAB",
> "bearer-only": true,
> "enable-cors": true,
> "cors-max-age": 1000,
> "ssl-required": "external",
> "resource": "itemreposervices"
> }
>
> No matter what web origins I add to the
> first "confidential" application,
> I continue to get the error: XMLHttpRequest cannot load
> http://localhost:8080/itemrepository-rs/rest/items. The request was
> redirected to '
> http://fnb-dean-vm2:8080/auth/realms/abecorn/protocol/openid-connect/login??s%2Frest%2Fitems&state=0%2F025e3003-59a5-43d3-9927-396d966d7e5a&login=true',
> which is disallowed for cross-origin requests that require preflight.
>
> I also tried making the bearer only application into a confidential
> application and gave it the appropriate web origins. Still no luck.
> Shouldn't the bearer only applications have a place to enter web origins
> like the admin console had a while back? How do you make the white list
> for a bearer only application to allow cross domain javascript?
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141016/cab71dbc/attachment.html

From alarik at zwift.com Thu Oct 16 18:02:07 2014
From: alarik at zwift.com (Alarik Myrin)
Date: Thu, 16 Oct 2014 18:02:07 -0400
Subject: [keycloak-user] Refreshing token with increased realm scope
Message-ID:

Thanks for the replies everyone. It is probably a rare use case, and one that I don't think I'll have long term. I can certainly live with the behavior the way that it is now -- I was just surprised to see it.

Alarik

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141016/a1697ac1/attachment.html

From peterson.dean at gmail.com Thu Oct 16 18:50:10 2014
From: peterson.dean at gmail.com (Dean Peterson)
Date: Thu, 16 Oct 2014 17:50:10 -0500
Subject: [keycloak-user] CORS / Cross Domain Javascript calls
In-Reply-To:
References:
Message-ID:

Figured it out. I was using angularjs' $resource to send the request. I followed the instructions on how to set custom headers to include the Authorization header. I must be doing something wrong.
When I switched to using JQuery $.ajax, I include the Authorization header and it works.

On Thu, Oct 16, 2014 at 3:35 PM, Dean Peterson wrote:

> I had this working with previous versions of keycloak. Now I am not able
> to figure it out. I have one confidential javascript application with the
> following config:
>
> {
> "realm": "abecorn",
> "realm-public-key":
> "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcGOrjJDVkNCzgVtUeIErcEYr+1orw3q/abwd3qzvArWbCrs8PZZDO9JONLMWI5gme+G616gMPw+zPwicT2g+bjYb9b0MwjTUbqxGFr858Vt3GNb25hMdsUdDoxuqnXfmXr59zOn6lX9kceMdQBAwfTGm4Gj21mkQf0UJopE8sMwIDAQAB",
> "auth-server-url": "http://fnb-dean-vm2:8080/auth",
> "ssl-required": "external",
> "resource": "item_repository",
> "enable-cors": true,
> "cors-max-age": 1000,
> "credentials": {
> "secret": "d1d72a4d-7ab2-4dbe-82b2-f78ef386908a"
> }
> }
>
> I have another for REST services that is bearer only:
> {
> "realm": "abecorn",
> "realm-public-key":
> "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcGOrjJDVkNCzgVtUeIErcEYr+1orw3q/abwd3qzvArWbCrs8PZZDO9JONLMWI5gme+G616gMPw+zPwicT2g+bjYb9b0MwjTUbqxGFr858Vt3GNb25hMdsUdDoxuqnXfmXr59zOn6lX9kceMdQBAwfTGm4Gj21mkQf0UJopE8sMwIDAQAB",
> "bearer-only": true,
> "enable-cors": true,
> "cors-max-age": 1000,
> "ssl-required": "external",
> "resource": "itemreposervices"
> }
>
> No matter what web origins I add to the first "confidential" application,
> I continue to get the error: XMLHttpRequest cannot load
> http://localhost:8080/itemrepository-rs/rest/items. The request was
> redirected to '
> http://fnb-dean-vm2:8080/auth/realms/abecorn/protocol/openid-connect/login??s%2Frest%2Fitems&state=0%2F025e3003-59a5-43d3-9927-396d966d7e5a&login=true',
> which is disallowed for cross-origin requests that require preflight.
>
> I also tried making the bearer only application into a confidential
> application and gave it the appropriate web origins. Still no luck.
> Shouldn't the bearer only applications have a place to enter web origins
> like the admin console had a while back? How do you make the white list
> for a bearer only application to allow cross domain javascript?
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141016/2994e1f0/attachment.html

From stian at redhat.com Fri Oct 17 02:50:55 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 17 Oct 2014 02:50:55 -0400 (EDT)
Subject: [keycloak-user] (no subject)
In-Reply-To: <406119D7-7199-4EA3-AF3B-005053D62E2A@gmail.com>
References: <543FFDA8.9030806@redhat.com> <544008C2.2050001@redhat.com> <406119D7-7199-4EA3-AF3B-005053D62E2A@gmail.com>
Message-ID: <525328148.70412497.1413528655298.JavaMail.zimbra@redhat.com>

Makes sense to add new roles granted to the user. I don't think we should add more roles if added to the scope of the application. Also, in the future if/when we add support for scope query param, we need to remember that so we don't add roles the application didn't request.

This would also fix the similar issue we have with the admin console, and allow us to use the token directly instead of whoAmI to get permitted roles.

What should happen if a role is removed from the user? For consistency it should just remove the role from the token, but if an application doesn't recheck the roles in the refreshed token it may potentially miss the revocation of the role and still provide access to it.

----- Original Message -----
> From: "Corinne Krych"
> To: "Bill Burke"
> Cc: keycloak-user at lists.jboss.org
> Sent: Thursday, 16 October, 2014 8:54:15 PM
> Subject: Re: [keycloak-user] (no subject)
>
> I missed the "direct grants only OAuth client" mentioned in original mail.
> Isn't a direct grant oauth client as trusted as application?
>
> ++
> Corinne
> On 16 Oct 2014, at 20:04, Bill Burke wrote:
>
> > Applications are "trusted" in Keycloak and don't require the consent
> > screen. So, I think we should allow roles to be updated on a request.
> >
> > On 10/16/2014 1:47 PM, Corinne Krych wrote:
> >> Hello Alarik,
> >>
> >> Interesting use case. I would have thought, like you, that the newly
> >> refreshed access token would contain the new role grant, but reading the
> >> spec:
> >> http://tools.ietf.org/html/rfc6749#section-1.5
> >>
> >> refresh tokens are issued to the client by the authorization server
> >> and are
> >> used to obtain a new access token when the current access token
> >> becomes invalid or expires, or to obtain additional access tokens
> >> *with identical or narrower scope* (access tokens may have a shorter
> >> lifetime and fewer permissions than authorized by the resource
> >> owner).
> >>
> >> Somehow makes sense to have to approve the new grants.
> >> I need to check how it behaves with OAuth2 providers like Google?
> >>
> >> ++
> >> Corinne
> >> AeroGear iOS team
> >>
> >> On 16 Oct 2014, at 19:17, Bill Burke
> >> wrote:
> >>
> >>>
> >>>
> >>> On 10/16/2014 12:50 PM, Alarik Myrin wrote:
> >>>> I am having a strange situation, which might be arising from a bug in
> >>>> Keycloak.
> >>>>
> >>>> I have a direct grants only OAuth client which makes invocations against
> >>>> a bearer-only REST interface, running on Wildfly 8.0.0 Final with
> >>>> Keycloak 1.0 final.
> >>>>
> >>>> A side effect of making one of the invocations is that the user is added
> >>>> to a realm role. So far so good. The access token used to make that
> >>>> invocation though does not contain the new realm role so he cannot, yet,
> >>>> make invocations against another endpoint (call it endpoint B) without
> >>>> getting a 403 Forbidden. This is expected.
> >>>>
> >>>> So, the client has to refresh the access token
> >>>> (realms/{realm}/tokens/refresh), in order to get a new access token with
> >>>> the realm role. The refresh goes OK, but when he tries to make
> >>>> invocations against endpoint B, he still gets a 403 Forbidden.
> >>>>
> >>>
> >>> Keycloak will only populate the refreshed token with the original
> >>> granted roles. The idea is that there may have been consent involved
> >>> and the user can't consent to any newly added roles.
> >>>
> >>> I guess we could change it in that if the client is an application and
> >>> not an oauth client, it would get the new roles.
> >>>
> >>> --
> >>> Bill Burke
> >>> JBoss, a division of Red Hat
> >>> http://bill.burkecentral.com
> >>> _______________________________________________
> >>> keycloak-user mailing list
> >>> keycloak-user at lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >>
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From alexander.chriztopher at gmail.com Fri Oct 17 04:31:47 2014
From: alexander.chriztopher at gmail.com (Alexander Chriztopher)
Date: Fri, 17 Oct 2014 10:31:47 +0200
Subject: [keycloak-user] Limit users to 3 password trials
In-Reply-To: <543EDDE7.80605@redhat.com>
References: <69CECF1D-4BEB-4668-87A8-CB8B5C2B814E@gmail.com> <543EDDE7.80605@redhat.com>
Message-ID:

Hi Bill and thanks for the answer.
I have created the following JIRA issue : https://issues.jboss.org/browse/KEYCLOAK-764

Hope to see this feature implemented in a near release as it is used by a lot of companies right now.

On Wed, Oct 15, 2014 at 10:49 PM, Bill Burke wrote:

> No. Log a jira please.
>
> On 10/15/2014 3:02 PM, Alexander Chriztopher wrote:
> > Hi,
> >
> > Was just wondering whether this is possible natively in Keycloak.
> >
> > Thanks for any help.
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141017/7b4aff66/attachment-0001.html

From bburke at redhat.com Fri Oct 17 08:37:34 2014
From: bburke at redhat.com (Bill Burke)
Date: Fri, 17 Oct 2014 08:37:34 -0400
Subject: [keycloak-user] Limit users to 3 password trials
In-Reply-To:
References: <69CECF1D-4BEB-4668-87A8-CB8B5C2B814E@gmail.com> <543EDDE7.80605@redhat.com>
Message-ID: <54410D8E.4060305@redhat.com>

Actually, we do have brute force attack prevention. Don't see any reason why you couldn't lower the threshold to 3 instead of the default of 30.

On 10/17/2014 4:31 AM, Alexander Chriztopher wrote:
> Hi Bill and thanks for the answer.
>
> I have created the following JIRA issue :
> https://issues.jboss.org/browse/KEYCLOAK-764
>
> Hope to see this feature implemented in a near release as it is used by
> a lot of companies right now.
>
> On Wed, Oct 15, 2014 at 10:49 PM, Bill Burke
> wrote:
>
> No. Log a jira please.
>
> On 10/15/2014 3:02 PM, Alexander Chriztopher wrote:
> > Hi,
> >
> > Was just wondering whether this is possible natively in Keycloak.
> >
> > Thanks for any help.
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From alexander.chriztopher at gmail.com Fri Oct 17 11:00:17 2014
From: alexander.chriztopher at gmail.com (Alexander Chriztopher)
Date: Fri, 17 Oct 2014 17:00:17 +0200
Subject: [keycloak-user] Connect as another user
Message-ID:

Hi,

I would like to know if there is a way to let a connected user -an admin- reconnect as another user -with less privileges- without providing a password.

The idea is to be able for a super user to see how exactly an application behaves with another user without knowing that user credentials.

Thanks for any help.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141017/0723e30a/attachment.html

From gcardoso at redhat.com Fri Oct 17 11:33:57 2014
From: gcardoso at redhat.com (Gabriel Cardoso)
Date: Fri, 17 Oct 2014 12:33:57 -0300
Subject: [keycloak-user] What is the point of the cancel button on the log-in screen?
In-Reply-To: <2100243482.65746697.1412943535647.JavaMail.zimbra@redhat.com>
References: <5436BBE4.4040102@redhat.com> <5436BF9A.7070807@redhat.com> <2125276250.65460778.1412924954755.JavaMail.zimbra@redhat.com> <5437C59C.4040009@redhat.com> <1723087161.65732715.1412941712282.JavaMail.zimbra@redhat.com> <5437CC3B.8090009@redhat.com> <2100243482.65746697.1412943535647.JavaMail.zimbra@redhat.com>
Message-ID: <7C60171F-F72F-41A0-9024-4D5F7760A9EB@redhat.com>

Since the goal of the Cancel button is to go back, how about presenting a "Back to application" link instead of a Cancel button? If that's the only purpose of the button, an explicit label is better.

Gabriel

On Oct 10, 2014, at 9:18 AM, Stian Thorgersen wrote:

>
>
> ----- Original Message -----
>> From: "Stan Silvert"
>> To: "Stian Thorgersen"
>> Cc: keycloak-user at lists.jboss.org
>> Sent: Friday, 10 October, 2014 2:08:27 PM
>> Subject: Re: [keycloak-user] What is the point of the cancel button on the log-in screen?
>>
>> On 10/10/2014 7:48 AM, Stian Thorgersen wrote:
>>> It's required, so don't remove.
>>>
>>> If we don't have a cancel button there's no way for users to go back to the
>>> application if they don't want to login (or can't for some reason). Also,
>>> there are other situations where a login can fail, in which an error query
>>> param is returned to application instead of a code. For example oauth
>>> client grant page (a user can accept or reject giving the client the
>>> required permissions), etc.. The adapters need to be able to handle these
>>> properly. IMO if login is cancelled there's two basic use-cases:
>>>
>>> * User clicked on log in link - in this case application should just return
>>> to the initial page
>> This I agree with. Ideally, that's what the cancel button should always do.
>>> * User clicked on a page that requires login - in this case the application
>>> should probably show an 'unauthorized access' page which needs to be
>>> customizable by the application
>> In this case we should not have a button labeled "cancel". The user
>> expects a cancel button to go back. So we shouldn't have a button that
>> we know will yield unexpected results.
>>
>> Perhaps we should have a help button instead that provides a friendly
>> message about what is going on.
>
> I think we still should have a cancel button by default. The user may still want to go back to other parts of the app that don't require authentication.
>
> Also, as I mentioned there are other situations that result in similar errors that an application has to handle. Do we just throw an exception, and let the standard war error handling take care of it? Either case we should add something like it to our demo.
>
> We could add an option to hide the cancel button though. Could for example add an optional query param "no_cancel".
>
>>>
>>> ----- Original Message -----
>>>> From: "Stan Silvert"
>>>> To: keycloak-user at lists.jboss.org
>>>> Sent: Friday, 10 October, 2014 1:40:12 PM
>>>> Subject: Re: [keycloak-user] What is the point of the cancel button on the
>>>> log-in screen?
>>>>
>>>> Does the cancel button EVER work properly?
>>>>
>>>> I'm starting to side with Alarik. In any situation where we know the
>>>> cancel button won't work, we need to either fix it or remove it.
>>>>
>>>> On 10/10/2014 3:09 AM, Stian Thorgersen wrote:
>>>>> The back button still submits the form, but instead of processing the
>>>>> login redirects with error set. So it's already not an open redirect.
>>>>>
>>>>> We should fix the adapter to show an error page though. Another thing is
>>>>> that the adapter needs some way of customising error pages.
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Bill Burke"
>>>>>> To: keycloak-user at lists.jboss.org
>>>>>> Sent: Thursday, 9 October, 2014 7:02:18 PM
>>>>>> Subject: Re: [keycloak-user] What is the point of the cancel button on
>>>>>> the
>>>>>> log-in screen?
>>>>>>
>>>>>> We would have to remember referrer information somehow via the adapter to
>>>>>> know where to redirect to. This cancel redirection URL would be an
>>>>>> extension to OIDC I think and would require to be validated so that we
>>>>>> don't create an open redirector security vulnerability. Maybe we
>>>>>> should just show a Keycloak rendered error page?
>>>>>>
>>>>>>
>>>>>> On 10/9/2014 12:46 PM, Stan Silvert wrote:
>>>>>>> I guess I'm stating the obvious, but the cancel button should take you
>>>>>>> back to where you were before being challenged by the login screen. To
>>>>>>> the extent that is possible, the cancel button should stay. We should
>>>>>>> never rely on the back button.
>>>>>>>
>>>>>>> I just tried it on our demo and recreated the 400 error. We should fix
>>>>>>> this if possible.
>>>>>>>
>>>>>>> On 10/9/2014 12:18 PM, Alarik Myrin wrote:
>>>>>>>> At least with the Wildfly adapter, clicking cancel gets you a HTTP 400
>>>>>>>> -- Bad Request on your protected resource, and doing something more
>>>>>>>> graceful would take some thinking.
>>>>>>>>
>>>>>>>> It's not clear to me what *should* happen when clicking cancel. Users
>>>>>>>> in a browser have a back button, or a button to close the tab, and
>>>>>>>> they can always use that to get out of the login screen.
>>>>>>>>
>>>>>>>> Maybe the cancel button should just be removed?
>>>>>>>>
>>>>>>>> Alarik
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> keycloak-user mailing list
>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user at lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>
>>>>>> --
>>>>>> Bill Burke
>>>>>> JBoss, a division of Red Hat
>>>>>> http://bill.burkecentral.com
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>
>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

---
Gabriel Cardoso
User Experience Designer @ Red Hat

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141017/8ee83417/attachment.html

From stian at redhat.com Fri Oct 17 11:46:26 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 17 Oct 2014 11:46:26 -0400 (EDT)
Subject: [keycloak-user] What is the point of the cancel button on the log-in screen?
In-Reply-To: <7C60171F-F72F-41A0-9024-4D5F7760A9EB@redhat.com>
References: <5436BF9A.7070807@redhat.com> <2125276250.65460778.1412924954755.JavaMail.zimbra@redhat.com> <5437C59C.4040009@redhat.com> <1723087161.65732715.1412941712282.JavaMail.zimbra@redhat.com> <5437CC3B.8090009@redhat.com> <2100243482.65746697.1412943535647.JavaMail.zimbra@redhat.com> <7C60171F-F72F-41A0-9024-4D5F7760A9EB@redhat.com>
Message-ID: <1949685172.70927922.1413560786724.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Gabriel Cardoso"
> To: keycloak-user at lists.jboss.org
> Sent: Friday, 17 October, 2014 5:33:57 PM
> Subject: Re: [keycloak-user] What is the point of the cancel button on the log-in screen?
>
> Since the goal of the Cancel button is to go back, how about presenting a "Back to application" link instead of a Cancel button? If that's the only purpose of the button, an explicit label is better.

The problem isn't the label, it's what the app does when you return to it

>
> Gabriel
>
> On Oct 10, 2014, at 9:18 AM, Stian Thorgersen <stian at redhat.com> wrote:
>
> ----- Original Message -----
> From: "Stan Silvert" <ssilvert at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Friday, 10 October, 2014 2:08:27 PM
> Subject: Re: [keycloak-user] What is the point of the cancel button on the log-in screen?
>
> On 10/10/2014 7:48 AM, Stian Thorgersen wrote:
>
> It's required, so don't remove.
>
> If we don't have a cancel button there's no way for users to go back to the application if they don't want to login (or can't for some reason). Also, there are other situations where a login can fail, in which an error query param is returned to the application instead of a code. For example the oauth client grant page (a user can accept or reject giving the client the required permissions), etc.. The adapters need to be able to handle these properly.
> IMO if login is cancelled there are two basic use-cases:
>
> * User clicked on log in link - in this case the application should just return to the initial page
>
> This I agree with. Ideally, that's what the cancel button should always do.
>
> * User clicked on a page that requires login - in this case the application should probably show an 'unauthorized access' page which needs to be customizable by the application
>
> In this case we should not have a button labeled "cancel". The user expects a cancel button to go back. So we shouldn't have a button that we know will yield unexpected results.
>
> Perhaps we should have a help button instead that provides a friendly message about what is going on.
>
> I think we still should have a cancel button by default. The user may still want to go back to other parts of the app that don't require authentication.
>
> Also, as I mentioned there are other situations that result in similar errors that an application has to handle. Do we just throw an exception, and let the standard war error handling take care of it? Either case we should add something like it to our demo.
>
> We could add an option to hide the cancel button though. Could for example add an optional query param "no_cancel".
>
> ----- Original Message -----
> From: "Stan Silvert" <ssilvert at redhat.com>
> To: keycloak-user at lists.jboss.org
> Sent: Friday, 10 October, 2014 1:40:12 PM
> Subject: Re: [keycloak-user] What is the point of the cancel button on the log-in screen?
>
> Does the cancel button EVER work properly?
>
> I'm starting to side with Alarik. In any situation where we know the cancel button won't work, we need to either fix it or remove it.
>
> On 10/10/2014 3:09 AM, Stian Thorgersen wrote:
>
> The back button still submits the form, but instead of processing the login redirects with error set. So it's already not an open redirect.
>
> We should fix the adapter to show an error page though.
> Another thing is that the adapter needs some way of customising error pages.
>
> ----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, 9 October, 2014 7:02:18 PM
> Subject: Re: [keycloak-user] What is the point of the cancel button on the log-in screen?
>
> We would have to remember referrer information somehow via the adapter to know where to redirect to. This cancel redirection URL would be an extension to OIDC I think and would require to be validated so that we don't create open redirector security vulnerabilities. Maybe we should just show a Keycloak rendered error page?
>
> On 10/9/2014 12:46 PM, Stan Silvert wrote:
>
> I guess I'm stating the obvious, but the cancel button should take you back to where you were before being challenged by the login screen. To the extent that is possible, the cancel button should stay. We should never rely on the back button.
>
> I just tried it on our demo and recreated the 400 error. We should fix this if possible.
>
> On 10/9/2014 12:18 PM, Alarik Myrin wrote:
>
> At least with the Wildfly adapter, clicking cancel gets you an HTTP 400 -- Bad Request on your protected resource, and doing something more graceful would take some thinking.
>
> It's not clear to me what *should* happen when clicking cancel. Users in a browser have a back button, or a button to close the tab, and they can always use that to get out of the login screen.
>
> Maybe the cancel button should just be removed?
>
> Alarik
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
> ---
> Gabriel Cardoso
> User Experience Designer @ Red Hat

From ssilvert at redhat.com Fri Oct 17 13:07:52 2014
From: ssilvert at redhat.com (Stan Silvert)
Date: Fri, 17 Oct 2014 13:07:52 -0400
Subject: [keycloak-user] Connect as another user
In-Reply-To:
References:
Message-ID: <54414CE8.8070606@redhat.com>

I see how that would be very useful but it would also be very, very dangerous. You can't give the admin rights to just waltz into someone's bank account.

At the very least we would need a way for the user to give consent.
On 10/17/2014 11:00 AM, Alexander Chriztopher wrote:
> Hi,
>
> I would like to know if there is a way to let a connected user -an admin- reconnect as another user -with less privileges- without providing a password.
>
> The idea is to be able for a super user to see how exactly an application behaves with another user without knowing that user's credentials.
>
> Thanks for any help.

From alexander.chriztopher at gmail.com Fri Oct 17 13:53:39 2014
From: alexander.chriztopher at gmail.com (Alexander Chriztopher)
Date: Fri, 17 Oct 2014 19:53:39 +0200
Subject: [keycloak-user] Connect as another user
In-Reply-To: <54414CE8.8070606@redhat.com>
References: <54414CE8.8070606@redhat.com>
Message-ID: <8DA49644-C7A6-4EB2-B568-0853908DEF40@gmail.com>

This is not an issue in our context as it is just to secure an application where admins are publishing data to users and they would like to make sure they are publishing the right thing and nothing more, which otherwise would be a big security hole. Users on the other hand will upload documents for admins.

There is nothing as such as bank account issues or private data issues as you mentioned.

> On 17 Oct 2014, at 19:07, Stan Silvert wrote:
>
> I see how that would be very useful but it would also be very, very dangerous. You can't give the admin rights to just waltz into someone's bank account.
>
> At the very least we would need a way for the user to give consent.
>
>> On 10/17/2014 11:00 AM, Alexander Chriztopher wrote:
>> Hi,
>>
>> I would like to know if there is a way to let a connected user -an admin- reconnect as another user -with less privileges- without providing a password.
>>
>> The idea is to be able for a super user to see how exactly an application behaves with another user without knowing that user's credentials.
>>
>> Thanks for any help.

From ssilvert at redhat.com Fri Oct 17 14:36:04 2014
From: ssilvert at redhat.com (Stan Silvert)
Date: Fri, 17 Oct 2014 14:36:04 -0400
Subject: [keycloak-user] Connect as another user
In-Reply-To: <8DA49644-C7A6-4EB2-B568-0853908DEF40@gmail.com>
References: <54414CE8.8070606@redhat.com> <8DA49644-C7A6-4EB2-B568-0853908DEF40@gmail.com>
Message-ID: <54416194.20705@redhat.com>

On 10/17/2014 1:53 PM, Alexander Chriztopher wrote:
> This is not an issue in our context as it is just to secure an application where admins are publishing data to users and they would like to make sure they are publishing the right thing and nothing more, which otherwise would be a big security hole. Users on the other hand will upload documents for admins.
>
> There is nothing as such as bank account issues or private data issues as you mentioned.

I understand. But Keycloak is also used by applications where those issues do exist.

>
> On 17 Oct 2014, at 19:07, Stan Silvert wrote:
>
>> I see how that would be very useful but it would also be very, very dangerous.
>> You can't give the admin rights to just waltz into someone's bank account.
>>
>> At the very least we would need a way for the user to give consent.
>>
>> On 10/17/2014 11:00 AM, Alexander Chriztopher wrote:
>>> Hi,
>>>
>>> I would like to know if there is a way to let a connected user -an admin- reconnect as another user -with less privileges- without providing a password.
>>>
>>> The idea is to be able for a super user to see how exactly an application behaves with another user without knowing that user's credentials.
>>>
>>> Thanks for any help.

From alexander.chriztopher at gmail.com Sat Oct 18 13:25:22 2014
From: alexander.chriztopher at gmail.com (Alexander Chriztopher)
Date: Sat, 18 Oct 2014 19:25:22 +0200
Subject: [keycloak-user] Connect as another user
In-Reply-To: <54416194.20705@redhat.com>
References: <54414CE8.8070606@redhat.com> <8DA49644-C7A6-4EB2-B568-0853908DEF40@gmail.com> <54416194.20705@redhat.com>
Message-ID: <02C2B2D9-8944-403D-8EDC-9C506F6FF469@gmail.com>

At the end of the day any customer data is at the tip of a finger of an admin or other people who can see all they want with an SQL statement or even easier sometimes. I've seen a big bank who had this feature implemented on their online banking website and it's been validated by all the security audits out there and it was really helpful.

Is there a nice way to get this done with Keycloak?

Anyone has an idea!
> On 17 Oct 2014, at 20:36, Stan Silvert wrote:
>
>> On 10/17/2014 1:53 PM, Alexander Chriztopher wrote:
>> This is not an issue in our context as it is just to secure an application where admins are publishing data to users and they would like to make sure they are publishing the right thing and nothing more, which otherwise would be a big security hole. Users on the other hand will upload documents for admins.
>>
>> There is nothing as such as bank account issues or private data issues as you mentioned.
> I understand. But Keycloak is also used by applications where those issues do exist.
>>
>> On 17 Oct 2014, at 19:07, Stan Silvert wrote:
>>
>>> I see how that would be very useful but it would also be very, very dangerous. You can't give the admin rights to just waltz into someone's bank account.
>>>
>>> At the very least we would need a way for the user to give consent.
>>>
>>>> On 10/17/2014 11:00 AM, Alexander Chriztopher wrote:
>>>> Hi,
>>>>
>>>> I would like to know if there is a way to let a connected user -an admin- reconnect as another user -with less privileges- without providing a password.
>>>>
>>>> The idea is to be able for a super user to see how exactly an application behaves with another user without knowing that user's credentials.
>>>>
>>>> Thanks for any help.

From bburke at redhat.com Sun Oct 19 09:05:25 2014
From: bburke at redhat.com (Bill Burke)
Date: Sun, 19 Oct 2014 09:05:25 -0400
Subject: [keycloak-user] Connect as another user
In-Reply-To: <02C2B2D9-8944-403D-8EDC-9C506F6FF469@gmail.com>
References: <54414CE8.8070606@redhat.com> <8DA49644-C7A6-4EB2-B568-0853908DEF40@gmail.com> <54416194.20705@redhat.com> <02C2B2D9-8944-403D-8EDC-9C506F6FF469@gmail.com>
Message-ID: <5443B715.7050901@redhat.com>

No easy way to do this. Our roadmap is pretty full at the moment so we'd need the community to help out.

On 10/18/2014 1:25 PM, Alexander Chriztopher wrote:
> At the end of the day any customer data is at the tip of a finger of an admin or other people who can see all they want with an SQL statement or even easier sometimes. I've seen a big bank who had this feature implemented on their online banking website and it's been validated by all the security audits out there and it was really helpful.
>
> Is there a nice way to get this done with Keycloak?
>
> Anyone has an idea!
>
> On 17 Oct 2014, at 20:36, Stan Silvert wrote:
>
>> On 10/17/2014 1:53 PM, Alexander Chriztopher wrote:
>>> This is not an issue in our context as it is just to secure an application where admins are publishing data to users and they would like to make sure they are publishing the right thing and nothing more, which otherwise would be a big security hole. Users on the other hand will upload documents for admins.
>>>
>>> There is nothing as such as bank account issues or private data issues as you mentioned.
>> I understand. But Keycloak is also used by applications where those issues do exist.
>>>
>>> On 17 Oct 2014, at 19:07, Stan Silvert wrote:
>>>
>>>> I see how that would be very useful but it would also be very, very dangerous.
>>>> You can't give the admin rights to just waltz into someone's bank account.
>>>>
>>>> At the very least we would need a way for the user to give consent.
>>>>
>>>> On 10/17/2014 11:00 AM, Alexander Chriztopher wrote:
>>>>> Hi,
>>>>>
>>>>> I would like to know if there is a way to let a connected user -an admin- reconnect as another user -with less privileges- without providing a password.
>>>>>
>>>>> The idea is to be able for a super user to see how exactly an application behaves with another user without knowing that user's credentials.
>>>>>
>>>>> Thanks for any help.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From alexander.chriztopher at gmail.com Mon Oct 20 04:51:49 2014
From: alexander.chriztopher at gmail.com (Alexander Chriztopher)
Date: Mon, 20 Oct 2014 10:51:49 +0200
Subject: [keycloak-user] Connect as another user
In-Reply-To: <5443B715.7050901@redhat.com>
References: <54414CE8.8070606@redhat.com> <8DA49644-C7A6-4EB2-B568-0853908DEF40@gmail.com> <54416194.20705@redhat.com> <02C2B2D9-8944-403D-8EDC-9C506F6FF469@gmail.com> <5443B715.7050901@redhat.com>
Message-ID:

Thanks for your help.

On Sun, Oct 19, 2014 at 3:05 PM, Bill Burke wrote:
> No easy way to do this. Our roadmap is pretty full at the moment so we'd need the community to help out.
>
> On 10/18/2014 1:25 PM, Alexander Chriztopher wrote:
> > At the end of the day any customer data is at the tip of a finger of an admin or other people who can see all they want with an SQL statement or even easier sometimes. I've seen a big bank who had this feature implemented on their online banking website and it's been validated by all the security audits out there and it was really helpful.
> >
> > Is there a nice way to get this done with Keycloak?
> >
> > Anyone has an idea!
> >
> > On 17 Oct 2014, at 20:36, Stan Silvert wrote:
> >
> >> On 10/17/2014 1:53 PM, Alexander Chriztopher wrote:
> >>> This is not an issue in our context as it is just to secure an application where admins are publishing data to users and they would like to make sure they are publishing the right thing and nothing more, which otherwise would be a big security hole. Users on the other hand will upload documents for admins.
> >>>
> >>> There is nothing as such as bank account issues or private data issues as you mentioned.
> >> I understand. But Keycloak is also used by applications where those issues do exist.
> >>>
> >>> On 17 Oct 2014, at 19:07, Stan Silvert wrote:
> >>>
> >>>> I see how that would be very useful but it would also be very, very dangerous. You can't give the admin rights to just waltz into someone's bank account.
> >>>>
> >>>> At the very least we would need a way for the user to give consent.
> >>>>
> >>>> On 10/17/2014 11:00 AM, Alexander Chriztopher wrote:
> >>>>> Hi,
> >>>>>
> >>>>> I would like to know if there is a way to let a connected user -an admin- reconnect as another user -with less privileges- without providing a password.
> >>>>>
> >>>>> The idea is to be able for a super user to see how exactly an application behaves with another user without knowing that user's credentials.
> >>>>>
> >>>>> Thanks for any help.
> >>>>>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From ivan at akvo.org Mon Oct 20 11:28:08 2014
From: ivan at akvo.org (Iván Perdomo)
Date: Mon, 20 Oct 2014 17:28:08 +0200
Subject: [keycloak-user] OpenID Connect support
In-Reply-To: <20140925145304.4ba311e0@akvo.org>
References: <20140918105929.14b478d9@akvo.org> <20140924124430.49a41efc@akvo.org> <58273656.55471417.1411636509910.JavaMail.zimbra@redhat.com> <20140925145304.4ba311e0@akvo.org>
Message-ID: <20141020172808.0c9ec9e9@akvo.org>

Hi again,

On Thu, 25 Sep 2014 14:53:04 +0200
Iván Perdomo wrote:

> I'll do some testing using third-party libs/clients and will share my findings.
I'm testing a simple OIDC Android app [1] and Keycloak (1.0.1.Final).

Some minor configuration settings are required on this sample app [2]:

authorizationServerUrl = https://host/auth/name/rname/tokens/login
tokenServerUrl = https://host/auth/realms/name/tokens/access/codes
userInfoUrl = https://host/auth/realms/name/account

After making a build and testing it on my mobile, I'm able to:

* get redirected to the login
* successfully login
* get redirected to the grant options

After granting access to the application, I should get a new account on my mobile, but I'm getting an exception: "Invalid ID token returned" [3]

The whole adb logcat log is a bit verbose, but you can see the following:

java.io.IOException: Invalid ID token returned.
at com.lnikkila.oidcsample.oidc.OIDCUtils.requestTokens(OIDCUtils.java:123)
(...)
com.google.api.client.auth.oauth2.TokenResponseException: 400 Bad Request
{
"error": "invalid_grant",
"error_description": "Code not found"
}

I can discard the idea of a bug in the sample code because I managed to successfully login using Mitre's OpenID Connect Spring implementation [4]

Any ideas how to know what's going wrong? I would love to get Keycloak and this sample code working.

Thanks for your support.
[1] https://github.com/learning-layers/android-openid-connect-sample
[2] https://github.com/learning-layers/android-openid-connect-sample/blob/8155f0f7c0579441c567d3e5f31355363dfb4c92/app/src/main/java/com/lnikkila/oidcsample/Config.java#L10-L12
[3] https://gist.githubusercontent.com/iperdomo/023d166629ece47a5de2/raw/70c06ebb2a99cf28e40ad97dc6c8c8dadb501ac1/adb.log
[4] https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server

--
Iván

From bburke at redhat.com Mon Oct 20 12:04:44 2014
From: bburke at redhat.com (Bill Burke)
Date: Mon, 20 Oct 2014 12:04:44 -0400
Subject: [keycloak-user] OpenID Connect support
In-Reply-To: <20141020172808.0c9ec9e9@akvo.org>
References: <20140918105929.14b478d9@akvo.org> <20140924124430.49a41efc@akvo.org> <58273656.55471417.1411636509910.JavaMail.zimbra@redhat.com> <20140925145304.4ba311e0@akvo.org> <20141020172808.0c9ec9e9@akvo.org>
Message-ID: <5445329C.2030808@redhat.com>

Can't really tell, but maybe your library doesn't like the token format we send back? Just looking at the 1st exception in the log...

Log a jira and we can look into it. Our queue is pretty full at the moment though.

On 10/20/2014 11:28 AM, Iván Perdomo wrote:
> Hi again,
>
> On Thu, 25 Sep 2014 14:53:04 +0200
> Iván Perdomo wrote:
>
>> I'll do some testing using third-party libs/clients and will share my findings.
>
> I'm testing a simple OIDC Android app [1] and Keycloak (1.0.1.Final).
>
> Some minor configuration settings are required on this sample app [2]:
>
> authorizationServerUrl = https://host/auth/name/rname/tokens/login
> tokenServerUrl = https://host/auth/realms/name/tokens/access/codes
> userInfoUrl = https://host/auth/realms/name/account
>
> After making a build and testing it on my mobile, I'm able to:
>
> * get redirected to the login
> * successfully login
> * get redirected to the grant options
>
> After granting access to the application, I should get a new account on my mobile, but I'm getting an exception: "Invalid ID token returned" [3]
>
> The whole adb logcat log is a bit verbose, but you can see the following:
>
> java.io.IOException: Invalid ID token returned.
> at com.lnikkila.oidcsample.oidc.OIDCUtils.requestTokens(OIDCUtils.java:123)
> (...)
> com.google.api.client.auth.oauth2.TokenResponseException: 400 Bad Request
> {
> "error": "invalid_grant",
> "error_description": "Code not found"
> }
>
> I can discard the idea of a bug in the sample code because I managed to successfully login using Mitre's OpenID Connect Spring implementation [4]
>
> Any ideas how to know what's going wrong? I would love to get Keycloak and this sample code working.
>
> Thanks for your support.
>
> [1] https://github.com/learning-layers/android-openid-connect-sample
> [2] https://github.com/learning-layers/android-openid-connect-sample/blob/8155f0f7c0579441c567d3e5f31355363dfb4c92/app/src/main/java/com/lnikkila/oidcsample/Config.java#L10-L12
> [3] https://gist.githubusercontent.com/iperdomo/023d166629ece47a5de2/raw/70c06ebb2a99cf28e40ad97dc6c8c8dadb501ac1/adb.log
> [4] https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From ivan at akvo.org Mon Oct 20 13:22:24 2014
From: ivan at akvo.org (Iván Perdomo)
Date: Mon, 20 Oct 2014 19:22:24 +0200
Subject: [keycloak-user] OpenID Connect support
In-Reply-To: <5445329C.2030808@redhat.com>
References: <20140918105929.14b478d9@akvo.org> <20140924124430.49a41efc@akvo.org> <58273656.55471417.1411636509910.JavaMail.zimbra@redhat.com> <20140925145304.4ba311e0@akvo.org> <20141020172808.0c9ec9e9@akvo.org> <5445329C.2030808@redhat.com>
Message-ID: <20141020192224.62d09a63@akvo.org>

Hi,

On Mon, 20 Oct 2014 12:04:44 -0400
Bill Burke wrote:

> Can't really tell, but maybe your library doesn't like the token format we send back? Just looking at the 1st exception in the log...
>
> Log a jira and we can look into it. Our queue is pretty full at the moment though.
I made some more logging, and I think I can identify some wrong values in the ID Token returned by Keycloak.

This is a sample token by MITREid Connect:

{header={"alg":"RS256"},
payload={"aud":["foobar"],"exp":1413824459,"iat":1413823859,"iss":"https://login.akvotest.org/mitreid/","sub":"01921.FLANRJQW"}}

This is a sample token returned by Keycloak:

{header={"alg":"RS256"},
payload={"aud":"akvo","azp":"foobar","exp":1413823598,"iat":1413823298,"iss":"akvo","jti":"0cbe4757-90fe-470f-9b86-29bfd9646437","nbf":0,"sub":"0959c25d-535b-4ab4-b533-d70d3db5c758","name":"User Akvo","email":"user at akvo.org","given_name":"User","family_name":"Akvo","preferred_username":"user","email_verified":true}}

There are wrong values in the Keycloak token [1]:

* iss - Keycloak is returning the Realm name, while it needs to be the URL of the issuer [2]
* aud - this value must contain the client_id, "foobar" in our case, but Keycloak is returning the Realm name.

If you provide some guidance I would like to help on fixing this issue.

[1] http://openid.net/specs/openid-connect-basic-1_0-23.html#id.token.validation
[2] http://openid.net/specs/openid-connect-basic-1_0-23.html#id_token

Cheers,
--
Iván

From bburke at redhat.com Mon Oct 20 13:57:44 2014
From: bburke at redhat.com (Bill Burke)
Date: Mon, 20 Oct 2014 13:57:44 -0400
Subject: [keycloak-user] OpenID Connect support
In-Reply-To: <20141020192224.62d09a63@akvo.org>
References: <20140918105929.14b478d9@akvo.org> <20140924124430.49a41efc@akvo.org> <58273656.55471417.1411636509910.JavaMail.zimbra@redhat.com> <20140925145304.4ba311e0@akvo.org> <20141020172808.0c9ec9e9@akvo.org> <5445329C.2030808@redhat.com> <20141020192224.62d09a63@akvo.org>
Message-ID: <54454D18.1080608@redhat.com>

I thought the issuer was the realm. I guess it's not.... Also looks like we'll need to have one URL to process all realm oidc requests as the ISS is validated.

Does this library offer any encryption/signature options for the ID Token?
On 10/20/2014 1:22 PM, Iván Perdomo wrote:
> Hi,
>
> On Mon, 20 Oct 2014 12:04:44 -0400
> Bill Burke wrote:
>
>> Can't really tell, but maybe your library doesn't like the token format we send back? Just looking at the 1st exception in the log...
>>
>> Log a jira and we can look into it. Our queue is pretty full at the moment though.
>
> I made some more logging, and I think I can identify some wrong values in the ID Token returned by Keycloak.
>
> This is a sample token by MITREid Connect:
>
> {header={"alg":"RS256"},
> payload={"aud":["foobar"],"exp":1413824459,"iat":1413823859,"iss":"https://login.akvotest.org/mitreid/","sub":"01921.FLANRJQW"}}
>
> This is a sample token returned by Keycloak:
>
> {header={"alg":"RS256"},
> payload={"aud":"akvo","azp":"foobar","exp":1413823598,"iat":1413823298,"iss":"akvo","jti":"0cbe4757-90fe-470f-9b86-29bfd9646437","nbf":0,"sub":"0959c25d-535b-4ab4-b533-d70d3db5c758","name":"User Akvo","email":"user at akvo.org","given_name":"User","family_name":"Akvo","preferred_username":"user","email_verified":true}}
>
> There are wrong values in the Keycloak token [1]:
>
> * iss - Keycloak is returning the Realm name, while it needs to be the URL of the issuer [2]
> * aud - this value must contain the client_id, "foobar" in our case, but Keycloak is returning the Realm name.
>
> If you provide some guidance I would like to help on fixing this issue.
>
> [1]
> http://openid.net/specs/openid-connect-basic-1_0-23.html#id.token.validation
> [2] http://openid.net/specs/openid-connect-basic-1_0-23.html#id_token
>
> Cheers,
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From ivan at akvo.org Mon Oct 20 14:24:16 2014
From: ivan at akvo.org (Iván Perdomo)
Date: Mon, 20 Oct 2014 20:24:16 +0200
Subject: [keycloak-user] OpenID Connect support
In-Reply-To: <54454D18.1080608@redhat.com>
References: <20140918105929.14b478d9@akvo.org> <20140924124430.49a41efc@akvo.org> <58273656.55471417.1411636509910.JavaMail.zimbra@redhat.com> <20140925145304.4ba311e0@akvo.org> <20141020172808.0c9ec9e9@akvo.org> <5445329C.2030808@redhat.com> <20141020192224.62d09a63@akvo.org> <54454D18.1080608@redhat.com>
Message-ID: <20141020202416.4dbbcf88@akvo.org>

On Mon, 20 Oct 2014 13:57:44 -0400
Bill Burke wrote:

> I thought the issuer was the realm. I guess it's not.... Also looks
> like we'll need to have one URL to process all realm oidc requests as
> the ISS is validated.
>
> Does this library offer any encryption/signature options for the ID
> Token?

The library validating the token is Google's OAuth Client Library [1][2]; the piece of code calling that library is at [3].

[1] https://code.google.com/p/google-oauth-java-client/
[2] http://javadoc.google-oauth-java-client.googlecode.com/hg/1.19.0/com/google/api/client/auth/openidconnect/IdTokenVerifier.html
[3] https://github.com/iperdomo/android-openid-connect-sample/blob/master/app/src/main/java/com/lnikkila/oidcsample/oidc/OIDCUtils.java#L156-L164

-- 
Iván

From kotychok at gmail.com Mon Oct 20 16:32:04 2014
From: kotychok at gmail.com (Сергій Дзюбін)
Date: Mon, 20 Oct 2014 23:32:04 +0300
Subject: [keycloak-user] Allow access to REST without authorisation
Message-ID:

Hello.
Is it possible to have access without authorisation to one of many REST resources?
For example, so that an embedded small device would be able to send data to this resource.
Thank you.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141020/f01d136e/attachment.html

From bburke at redhat.com Mon Oct 20 18:43:20 2014
From: bburke at redhat.com (Bill Burke)
Date: Mon, 20 Oct 2014 18:43:20 -0400
Subject: [keycloak-user] Allow access to REST without authorisation
In-Reply-To:
References:
Message-ID: <54459008.5010100@redhat.com>

Up to you how you want to configure your REST service. If the REST service wants to ignore the role mappings, it can. The servlet examples all use web.xml security constraints.

On 10/20/2014 4:32 PM, Сергій Дзюбін wrote:
> Hello.
> Is it possible to have access without authorisation to one of many REST
> resources? For example that embedded small device would be able to send
> data to this resource.
> Thank you.
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From robin1233 at gmail.com Thu Oct 23 11:13:16 2014
From: robin1233 at gmail.com (robinfernandes .)
Date: Thu, 23 Oct 2014 11:13:16 -0400
Subject: [keycloak-user] Problems Authenticating with OpenLDAP
Message-ID:

Hi guys,

I am using Keycloak 1.0.1 final and I have integrated it with OpenLDAP.
When I try to authenticate the user which is in LDAP, it is not able to authenticate it and the exception that comes up is
"org.h2.jdbc.JdbcSQLException: Timeout trying to lock table "USER_ENTITY" ;"
Is there anyone who has faced this problem? Is there a way to set the lock table timeout to be more than what it is by default?

The other thing is, I tried authenticating with Active Directory and it works just fine. So I am guessing the problem is limited to OpenLDAP.
Any help would be appreciated.

Thanks,
Robin

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141023/5daa92a4/attachment.html

From mposolda at redhat.com Fri Oct 24 02:52:42 2014
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 24 Oct 2014 08:52:42 +0200
Subject: [keycloak-user] Problems Authenticating with OpenLDAP
In-Reply-To:
References:
Message-ID: <5449F73A.1090306@redhat.com>

Hi,

we are testing with OpenLDAP 2.4 and it works fine. Are you using a different version?

Also, could the problem be a slow connection to the LDAP server? On the LDAP configuration screen in the Keycloak admin console, you can try "Test Connection" or "Test Authentication". Does this work well for you?

If the connection is not a problem, maybe you can send the exception stacktrace and your LDAP configuration (once you configure LDAP, there should be a message in server.log like "INFO [org.keycloak.picketlink.ldap.PartitionManagerRegistry] Creating new LDAP based partition manager for the Federation provider...." with details about the LDAP configuration. It may help if you send it here as well).

Thanks,
Marek

On 23.10.2014 17:13, robinfernandes . wrote:
> Hi guys,
>
> I am using Keycloak 1.0.1 final and I have integrated it with
> OpenLDAP.
> When I try to authenticate the user which is in LDAP, it is not able
> to authenticate it and the exception that comes up is
> "org.h2.jdbc.JdbcSQLException: Timeout trying to lock table
> "USER_ENTITY" ;"
> Is there anyone who has faced this problem? Is there a way to set the
> lock table timeout to be more than what it is by default?
>
> The other thing is, I tried authenticating with Active Directory and
> it works just fine. So I am guessing the problem is limited to OpenLDAP.
>
> Any help would be appreciated.
>
> Thanks,
> Robin
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141024/5d876220/attachment.html

From alexander.chriztopher at gmail.com Fri Oct 24 13:34:22 2014
From: alexander.chriztopher at gmail.com (Alexander Chriztopher)
Date: Fri, 24 Oct 2014 19:34:22 +0200
Subject: [keycloak-user] Example of a remote REST authentication
Message-ID:

Hi all,

On one of our applications we need to have a very customisable login page (it works with an online customisation facility) and hence we need to have the login page built in our application and be able to authenticate users remotely via the Java REST API.

Are there any examples to do this? Otherwise any tips would be great.

Thanks for any help.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141024/749c4f5d/attachment.html From alexander.chriztopher at gmail.com Mon Oct 27 11:45:15 2014 From: alexander.chriztopher at gmail.com (Alexander Chriztopher) Date: Mon, 27 Oct 2014 16:45:15 +0100 Subject: [keycloak-user] Java API documentation Message-ID: Hi All, Am using Keycloak 1.0.2.Final and am getting this error when using the rest API : Caused by: *com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException*: Unrecognized field "access_token" (class org.keycloak.representations.AccessTokenResponse), not marked as ignorable (7 known properties: "tokenType", "notBeforePolicy", "token", "expiresIn", "sessionState", "refreshToken", "idToken"]) at [Source: org.apache.http.conn.EofSensorInputStream at 11b8a95d; line: 1, column: 18] (through reference chain: org.keycloak.representations.AccessTokenResponse["access_token"]) at com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException.from( *UnrecognizedPropertyException.java:51*) [jackson-databind-2.3.2.jar:2.3.2] at com.fasterxml.jackson.databind.DeserializationContext.reportUnknownProperty( *DeserializationContext.java:671*) [jackson-databind-2.3.2.jar:2.3.2] at com.fasterxml.jackson.databind.deser.std.StdDeserializer.handleUnknownProperty( *StdDeserializer.java:771*) [jackson-databind-2.3.2.jar:2.3.2] at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.handleUnknownProperty( *BeanDeserializerBase.java:1297*) [jackson-databind-2.3.2.jar:2.3.2] at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.handleUnknownVanilla( *BeanDeserializerBase.java:1275*) [jackson-databind-2.3.2.jar:2.3.2] at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize( *BeanDeserializer.java:247*) [jackson-databind-2.3.2.jar:2.3.2] at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize( *BeanDeserializer.java:118*) [jackson-databind-2.3.2.jar:2.3.2] at com.fasterxml.jackson.databind.ObjectReader._bind( 
*ObjectReader.java:1233*) [jackson-databind-2.3.2.jar:2.3.2] at com.fasterxml.jackson.databind.ObjectReader.readValue( *ObjectReader.java:677*) [jackson-databind-2.3.2.jar:2.3.2] at org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider.readFrom( *ResteasyJackson2Provider.java:120*) [resteasy-jackson2-provider-3.0.8.Final.jar:] at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.readFrom( *AbstractReaderInterceptorContext.java:59*) [resteasy-jaxrs-3.0.8.Final.jar:] at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed( *AbstractReaderInterceptorContext.java:51*) [resteasy-jaxrs-3.0.8.Final.jar:] at org.jboss.resteasy.security.doseta.DigitalVerificationInterceptor.aroundReadFrom( *DigitalVerificationInterceptor.java:32*) [resteasy-crypto-3.0.8.Final.jar:] at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed( *AbstractReaderInterceptorContext.java:53*) [resteasy-jaxrs-3.0.8.Final.jar:] at org.jboss.resteasy.plugins.interceptors.encoding.GZIPDecodingInterceptor.aroundReadFrom( *GZIPDecodingInterceptor.java:59*) [resteasy-jaxrs-3.0.8.Final.jar:] at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed( *AbstractReaderInterceptorContext.java:53*) [resteasy-jaxrs-3.0.8.Final.jar:] at org.jboss.resteasy.client.jaxrs.internal.ClientResponse.readFrom( *ClientResponse.java:248*) [resteasy-client-3.0.8.Final.jar:] ... 164 more Was wondering where this comes from as am using the 1.0.2.Final admin api and have updated my Wildfly Server accordingly. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141027/19b420c0/attachment-0001.html

From j.kamal at ymail.com Mon Oct 27 11:54:56 2014
From: j.kamal at ymail.com (Kamal Jagadevan)
Date: Mon, 27 Oct 2014 15:54:56 +0000 (UTC)
Subject: [keycloak-user] Java API documentation
In-Reply-To:
References:
Message-ID: <621045818.639316.1414425296877.JavaMail.yahoo@jws100112.mail.ne1.yahoo.com>

Hi Alexander,

I had faced the same problem a few days back. It is because of the mismatch between the JSON property and the POJO variable name (getter method), and that too with the fasterxml Jackson parser. If you use the codehaus Jackson parser you wouldn't get any problem. One workaround to this problem is to update the POJO variable name to reflect the JSON property name. A similar problem is observed in multiple places where deserialization kicks in.

Specifically it is because of this:

    @JsonProperty("access_token")
    protected String token;

Hi Bill,

Do you have any other ideas besides updating the POJO's member variable name to match the JSON property? Please advise.

Thanks
Kamal
From: Alexander Chriztopher
To: "keycloak-user at lists.jboss.org"
Sent: Monday, October 27, 2014 11:45 AM
Subject: [keycloak-user] Java API documentation

Hi All,

Am using Keycloak 1.0.2.Final and am getting this error when using the REST API:

Caused by: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "access_token" (class org.keycloak.representations.AccessTokenResponse), not marked as ignorable (7 known properties: "tokenType", "notBeforePolicy", "token", "expiresIn", "sessionState", "refreshToken", "idToken"])
 at [Source: org.apache.http.conn.EofSensorInputStream at 11b8a95d; line: 1, column: 18] (through reference chain: org.keycloak.representations.AccessTokenResponse["access_token"])
 at com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException.from(UnrecognizedPropertyException.java:51) [jackson-databind-2.3.2.jar:2.3.2]
 at com.fasterxml.jackson.databind.DeserializationContext.reportUnknownProperty(DeserializationContext.java:671) [jackson-databind-2.3.2.jar:2.3.2]
 at com.fasterxml.jackson.databind.deser.std.StdDeserializer.handleUnknownProperty(StdDeserializer.java:771) [jackson-databind-2.3.2.jar:2.3.2]
 at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.handleUnknownProperty(BeanDeserializerBase.java:1297) [jackson-databind-2.3.2.jar:2.3.2]
 at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.handleUnknownVanilla(BeanDeserializerBase.java:1275) [jackson-databind-2.3.2.jar:2.3.2]
 at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:247) [jackson-databind-2.3.2.jar:2.3.2]
 at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:118) [jackson-databind-2.3.2.jar:2.3.2]
 at com.fasterxml.jackson.databind.ObjectReader._bind(ObjectReader.java:1233) [jackson-databind-2.3.2.jar:2.3.2]
 at com.fasterxml.jackson.databind.ObjectReader.readValue(ObjectReader.java:677) [jackson-databind-2.3.2.jar:2.3.2]
 at
org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider.readFrom(ResteasyJackson2Provider.java:120) [resteasy-jackson2-provider-3.0.8.Final.jar:] at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.readFrom(AbstractReaderInterceptorContext.java:59) [resteasy-jaxrs-3.0.8.Final.jar:] at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:51) [resteasy-jaxrs-3.0.8.Final.jar:] at org.jboss.resteasy.security.doseta.DigitalVerificationInterceptor.aroundReadFrom(DigitalVerificationInterceptor.java:32) [resteasy-crypto-3.0.8.Final.jar:] at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:53) [resteasy-jaxrs-3.0.8.Final.jar:] at org.jboss.resteasy.plugins.interceptors.encoding.GZIPDecodingInterceptor.aroundReadFrom(GZIPDecodingInterceptor.java:59) [resteasy-jaxrs-3.0.8.Final.jar:] at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:53) [resteasy-jaxrs-3.0.8.Final.jar:] at org.jboss.resteasy.client.jaxrs.internal.ClientResponse.readFrom(ClientResponse.java:248) [resteasy-client-3.0.8.Final.jar:] ... 164 more Was wondering where this comes from as am using the 1.0.2.Final admin api and have updated my Wildfly Server accordingly. _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141027/5c1cc5b8/attachment.html From alexander.chriztopher at gmail.com Mon Oct 27 12:54:11 2014 From: alexander.chriztopher at gmail.com (Alexander Chriztopher) Date: Mon, 27 Oct 2014 17:54:11 +0100 Subject: [keycloak-user] Java API documentation In-Reply-To: <621045818.639316.1414425296877.JavaMail.yahoo@jws100112.mail.ne1.yahoo.com> References: <621045818.639316.1414425296877.JavaMail.yahoo@jws100112.mail.ne1.yahoo.com> Message-ID: Hi Kamal and thanks. Am using the keycloak admin client which brings the following Jackson dependency : jackson-core-asl:1.9.9 and can not override this. I also don't have the option to change the property mapping as it comes with the Keycloak distribution am using :-( On Mon, Oct 27, 2014 at 4:54 PM, Kamal Jagadevan wrote: > Hi Alexander, > I had faced the same problem few days back it is because of the > mismatch between JSONProperty and POJO variable name(getter method) that > too with fasterxml jackson parser. > If you use codehaus jackson parser you wouldnt get any problem. One work > around to this problem is to update the POJO variable name to reflect the > JSONProperty name. > Similar problem is observed in multiple places where deserialization kicks > in.. > > Specifically it is because of this > > @JsonProperty("*access_token*") > protected String *token*; > > Hi Bill, > Do you have any other ideas besides updating POJOs member variable > name matching the JSON property? Please advise. 
> > Thanks > Kamal > > > ------------------------------ > *From:* Alexander Chriztopher > *To:* "keycloak-user at lists.jboss.org" > *Sent:* Monday, October 27, 2014 11:45 AM > *Subject:* [keycloak-user] Java API documentation > > Hi All, > > Am using Keycloak 1.0.2.Final and am getting this error when using the > rest API : > > Caused by: > *com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException*: > Unrecognized field "access_token" (class > org.keycloak.representations.AccessTokenResponse), not marked as ignorable > (7 known properties: "tokenType", "notBeforePolicy", "token", "expiresIn", > "sessionState", "refreshToken", "idToken"]) > at [Source: org.apache.http.conn.EofSensorInputStream at 11b8a95d; line: 1, > column: 18] (through reference chain: > org.keycloak.representations.AccessTokenResponse["access_token"]) > at com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException.from( > *UnrecognizedPropertyException.java:51*) > [jackson-databind-2.3.2.jar:2.3.2] > at > com.fasterxml.jackson.databind.DeserializationContext.reportUnknownProperty( > *DeserializationContext.java:671*) [jackson-databind-2.3.2.jar:2.3.2] > at > com.fasterxml.jackson.databind.deser.std.StdDeserializer.handleUnknownProperty( > *StdDeserializer.java:771*) [jackson-databind-2.3.2.jar:2.3.2] > at > com.fasterxml.jackson.databind.deser.BeanDeserializerBase.handleUnknownProperty( > *BeanDeserializerBase.java:1297*) [jackson-databind-2.3.2.jar:2.3.2] > at > com.fasterxml.jackson.databind.deser.BeanDeserializerBase.handleUnknownVanilla( > *BeanDeserializerBase.java:1275*) [jackson-databind-2.3.2.jar:2.3.2] > at > com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize( > *BeanDeserializer.java:247*) [jackson-databind-2.3.2.jar:2.3.2] > at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize( > *BeanDeserializer.java:118*) [jackson-databind-2.3.2.jar:2.3.2] > at com.fasterxml.jackson.databind.ObjectReader._bind( > *ObjectReader.java:1233*) 
[jackson-databind-2.3.2.jar:2.3.2] > at com.fasterxml.jackson.databind.ObjectReader.readValue( > *ObjectReader.java:677*) [jackson-databind-2.3.2.jar:2.3.2] > at > org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider.readFrom( > *ResteasyJackson2Provider.java:120*) > [resteasy-jackson2-provider-3.0.8.Final.jar:] > at > org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.readFrom( > *AbstractReaderInterceptorContext.java:59*) > [resteasy-jaxrs-3.0.8.Final.jar:] > at > org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed( > *AbstractReaderInterceptorContext.java:51*) > [resteasy-jaxrs-3.0.8.Final.jar:] > at > org.jboss.resteasy.security.doseta.DigitalVerificationInterceptor.aroundReadFrom( > *DigitalVerificationInterceptor.java:32*) > [resteasy-crypto-3.0.8.Final.jar:] > at > org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed( > *AbstractReaderInterceptorContext.java:53*) > [resteasy-jaxrs-3.0.8.Final.jar:] > at > org.jboss.resteasy.plugins.interceptors.encoding.GZIPDecodingInterceptor.aroundReadFrom( > *GZIPDecodingInterceptor.java:59*) [resteasy-jaxrs-3.0.8.Final.jar:] > at > org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed( > *AbstractReaderInterceptorContext.java:53*) > [resteasy-jaxrs-3.0.8.Final.jar:] > at org.jboss.resteasy.client.jaxrs.internal.ClientResponse.readFrom( > *ClientResponse.java:248*) [resteasy-client-3.0.8.Final.jar:] > ... 164 more > > Was wondering where this comes from as am using the 1.0.2.Final admin api > and have updated my Wildfly Server accordingly. > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > -------------- next part -------------- An HTML attachment was scrubbed... 
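Two threads above concern what comes back from Keycloak's token endpoint. Iván's Oct 20 post lists the ID token claims (iss carrying the realm name instead of the issuer URL, aud carrying the realm name instead of the client_id), and the Jackson trace in this thread lists the wire names of the token response ("access_token", "expires_in", "refresh_token", "token_type", "id_token", "not-before-policy", "session_state"), which, per Kamal's diagnosis, the resteasy-jackson2-provider in the trace could not map onto the codehaus-annotated AccessTokenResponse fields. The following Python is an added example, not code from the list or from the Keycloak project: it parses such a response by its wire names, decodes the id_token payload, and applies the ID token checks from the spec section Iván cites to both sample claim sets. The token response, the unsigned JWT inside it and the issuer URL used for the Keycloak check are constructed for the example; verifying the RS256 signature against the realm's public key is assumed to happen before the claim checks and is not shown.

```python
import base64
import json
import time
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class TokenResponse:
    access_token: str
    token_type: str
    expires_in: int
    refresh_token: Optional[str]
    id_token: Optional[str]
    session_state: Optional[str]
    not_before_policy: int


def parse_token_response(body: str) -> TokenResponse:
    """Map the wire names ("access_token", "not-before-policy", ...) onto the
    dataclass; an OAuth2 error body raises instead of returning."""
    data = json.loads(body)
    if "error" in data:
        raise ValueError(f"token endpoint error: {data['error']} {data.get('error_description', '')}".strip())
    return TokenResponse(
        access_token=data["access_token"],
        token_type=data.get("token_type", "bearer"),
        expires_in=int(data.get("expires_in", 0)),
        refresh_token=data.get("refresh_token"),
        id_token=data.get("id_token"),
        session_state=data.get("session_state"),
        not_before_policy=int(data.get("not-before-policy", 0)),
    )


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def jwt_payload(token: str) -> dict:
    """Decode the claims segment of a compact JWS. This does NOT verify the
    signature; verify RS256 against the realm public key before trusting it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def validate_id_token_claims(claims: dict, issuer: str, client_id: str,
                             now: Optional[int] = None, skew: int = 60) -> List[str]:
    """Return the failed checks (an empty list means the claims pass).

    iss must equal the issuer URL exactly; aud (string or array) must contain
    the client_id; when aud has several values, or azp is present at all, azp
    must equal the client_id; exp must not have passed; nbf must not be in the
    future; iat must be present. skew absorbs clock drift between the parties.
    """
    now = int(time.time()) if now is None else now
    problems: List[str] = []
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != expected issuer {issuer!r}")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else ([] if aud is None else [aud])
    if client_id not in auds:
        problems.append(f"aud {aud!r} does not contain client_id {client_id!r}")
    if (len(auds) > 1 or "azp" in claims) and claims.get("azp") != client_id:
        problems.append(f"azp {claims.get('azp')!r} != client_id {client_id!r}")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp + skew < now:
        problems.append(f"exp {exp!r} is missing or in the past")
    nbf = claims.get("nbf")
    if isinstance(nbf, int) and nbf - skew > now:
        problems.append(f"nbf {nbf!r} is in the future")
    if not isinstance(claims.get("iat"), int):
        problems.append("iat is missing")
    return problems


# Constructed sample data: the two claim sets from the Oct 20 post, and a
# made-up token response carrying an UNSIGNED JWT (empty signature segment)
# so that the example runs offline.
MITREID_CLAIMS = {"aud": ["foobar"], "exp": 1413824459, "iat": 1413823859,
                  "iss": "https://login.akvotest.org/mitreid/", "sub": "01921.FLANRJQW"}
KEYCLOAK_CLAIMS = {"aud": "akvo", "azp": "foobar", "exp": 1413823598, "iat": 1413823298,
                   "iss": "akvo", "jti": "0cbe4757-90fe-470f-9b86-29bfd9646437", "nbf": 0,
                   "sub": "0959c25d-535b-4ab4-b533-d70d3db5c758", "preferred_username": "user"}
_UNSIGNED_ID_TOKEN = _b64url_encode({"alg": "RS256"}) + "." + _b64url_encode(MITREID_CLAIMS) + "."
SAMPLE_RESPONSE = json.dumps({
    "access_token": _UNSIGNED_ID_TOKEN, "expires_in": 300, "refresh_token": "constructed-refresh",
    "token_type": "bearer", "id_token": _UNSIGNED_ID_TOKEN, "not-before-policy": 0,
    "session_state": "constructed-session"})


def check_response(body: str, issuer: str, client_id: str, now: int) -> List[str]:
    """Parse a token response and validate the claims of its id_token."""
    resp = parse_token_response(body)
    return validate_id_token_claims(jwt_payload(resp.id_token), issuer, client_id, now)


if __name__ == "__main__":
    print("MITREid:", check_response(SAMPLE_RESPONSE, "https://login.akvotest.org/mitreid/", "foobar", 1413823900))
    print("Keycloak:", validate_id_token_claims(KEYCLOAK_CLAIMS, "https://login.akvotest.org/auth/realms/akvo",
                                                "foobar", 1413823300))
```

Run as a script, the MITREid claims pass with an empty list and the Keycloak claims fail on exactly the two claims Iván identified, iss and aud, even though azp and exp are fine; that is the same outcome a spec-conformant verifier produces, independent of the library in use. The expected issuer must be compared as an exact string (trailing slash included) and the client_id must be checked against every aud form a provider may emit, a bare string as well as an array, which is why the comparison goes through a normalised list.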
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141027/a9161782/attachment-0001.html From traviskds at gmail.com Mon Oct 27 21:57:52 2014 From: traviskds at gmail.com (Travis De Silva) Date: Tue, 28 Oct 2014 12:57:52 +1100 Subject: [keycloak-user] Query Parameters in redirect url goes missing Message-ID: Hi, Has anyone faced this issue where when we have a url with query parameters and after the keycloak login, it redirects back to the original url but the query parameters are no longer in the url? Cheers Travis -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141028/4af1c086/attachment.html From stian at redhat.com Tue Oct 28 03:10:33 2014 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 28 Oct 2014 03:10:33 -0400 (EDT) Subject: [keycloak-user] Query Parameters in redirect url goes missing In-Reply-To: References: Message-ID: <5874027.1390927.1414480233075.JavaMail.zimbra@redhat.com> If you can give us instructions on how to reproduce, it should be an easy fix. ----- Original Message ----- > From: "Travis De Silva" > To: keycloak-user at lists.jboss.org > Sent: Tuesday, 28 October, 2014 2:57:52 AM > Subject: [keycloak-user] Query Parameters in redirect url goes missing > > Hi, > > Has anyone faced this issue where when we have a url with query parameters > and after the keycloak login, it redirects back to the original url but the > query parameters are no longer in the url? 
>
> Cheers
> Travis
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From stian at redhat.com Tue Oct 28 08:49:32 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 28 Oct 2014 08:49:32 -0400 (EDT)
Subject: [keycloak-user] Keycloak 1.0.3.Final released
In-Reply-To: <4452794.1620122.1414500547828.JavaMail.zimbra@redhat.com>
Message-ID: <420032169.1620303.1414500572845.JavaMail.zimbra@redhat.com>

Another security and bug fix release in the 1.0 series. For full details look in JIRA (https://issues.jboss.org/issues/?jql=project%20%3D%20KEYCLOAK%20AND%20fixVersion%20%3D%201.0.3.Final%20AND%20resolution%20%3D%20Done).

From stian at redhat.com Tue Oct 28 10:58:28 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 28 Oct 2014 10:58:28 -0400 (EDT)
Subject: [keycloak-user] Example of a remote REST authentication
In-Reply-To:
References:
Message-ID: <673857422.1777032.1414508308836.JavaMail.zimbra@redhat.com>

You can use direct grant to authenticate users. Have a look at the admin-access-app example; it uses this approach.

----- Original Message -----
> From: "Alexander Chriztopher"
> To: keycloak-user at lists.jboss.org
> Sent: Friday, 24 October, 2014 7:34:22 PM
> Subject: [keycloak-user] Example of a remote REST authentication
>
> Hi all,
>
> On one of our applications we need to have very customisable login page
> -works with an online customisation facility- and hence we need to have the
> login page built in our application and be able to authenticate users
> remotely via the java rest api.
>
> Are there any examples to do this ? Otherwise any tips would be great.
>
> Thanks for any help.
> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From alexander.chriztopher at gmail.com Tue Oct 28 14:16:44 2014 From: alexander.chriztopher at gmail.com (Alexander Chriztopher) Date: Tue, 28 Oct 2014 19:16:44 +0100 Subject: [keycloak-user] Example of a remote REST authentication In-Reply-To: <673857422.1777032.1414508308836.JavaMail.zimbra@redhat.com> References: <673857422.1777032.1414508308836.JavaMail.zimbra@redhat.com> Message-ID: <8B880F0C-1C04-409C-B50F-04DA2D70E26B@gmail.com> Hi Stian wins thanks ! That app is using http client and am looking for an example that uses the Java API unfortunately :-( By the way is the Java Api documented somewhere ? > On 28 Oct 2014, at 15:58, Stian Thorgersen wrote: > > You can use direct grant to authenticate users. Have a look at the admin-access-app example it uses this approach. > > ----- Original Message ----- >> From: "Alexander Chriztopher" >> To: keycloak-user at lists.jboss.org >> Sent: Friday, 24 October, 2014 7:34:22 PM >> Subject: [keycloak-user] Example of a remote REST authentication >> >> Hi all, >> >> On one of our applications we need to have very customisable login page >> -works with an online customisation facility- and hence we need to have the >> login page built in our application and be able to authenticate users >> remotely via the java rest api. >> >> Are there any examples to do this ? Otherwise any tips would be great. >> >> Thanks for any help. 
>> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user From stian at redhat.com Tue Oct 28 14:21:39 2014 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 28 Oct 2014 14:21:39 -0400 (EDT) Subject: [keycloak-user] Example of a remote REST authentication In-Reply-To: <8B880F0C-1C04-409C-B50F-04DA2D70E26B@gmail.com> References: <673857422.1777032.1414508308836.JavaMail.zimbra@redhat.com> <8B880F0C-1C04-409C-B50F-04DA2D70E26B@gmail.com> Message-ID: <632575302.2040688.1414520499369.JavaMail.zimbra@redhat.com> We don't have a Java API for this ----- Original Message ----- > From: "Alexander Chriztopher" > To: "Stian Thorgersen" > Cc: keycloak-user at lists.jboss.org > Sent: Tuesday, 28 October, 2014 7:16:44 PM > Subject: Re: [keycloak-user] Example of a remote REST authentication > > Hi Stian wins thanks ! > > That app is using http client and am looking for an example that uses the > Java API unfortunately :-( > > By the way is the Java Api documented somewhere ? > > > > > On 28 Oct 2014, at 15:58, Stian Thorgersen wrote: > > > > You can use direct grant to authenticate users. Have a look at the > > admin-access-app example it uses this approach. > > > > ----- Original Message ----- > >> From: "Alexander Chriztopher" > >> To: keycloak-user at lists.jboss.org > >> Sent: Friday, 24 October, 2014 7:34:22 PM > >> Subject: [keycloak-user] Example of a remote REST authentication > >> > >> Hi all, > >> > >> On one of our applications we need to have very customisable login page > >> -works with an online customisation facility- and hence we need to have > >> the > >> login page built in our application and be able to authenticate users > >> remotely via the java rest api. > >> > >> Are there any examples to do this ? Otherwise any tips would be great. > >> > >> Thanks for any help. 
> >> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > From alexander.chriztopher at gmail.com Tue Oct 28 14:40:35 2014 From: alexander.chriztopher at gmail.com (Alexander Chriztopher) Date: Tue, 28 Oct 2014 19:40:35 +0100 Subject: [keycloak-user] Example of a remote REST authentication In-Reply-To: <632575302.2040688.1414520499369.JavaMail.zimbra@redhat.com> References: <673857422.1777032.1414508308836.JavaMail.zimbra@redhat.com> <8B880F0C-1C04-409C-B50F-04DA2D70E26B@gmail.com> <632575302.2040688.1414520499369.JavaMail.zimbra@redhat.com> Message-ID: <89145270-1F7F-40A1-8767-BA44963CDC31@gmail.com> Ok ! - Is there a documentation for the rest of the Java rest Api ? - Should i log a Jira to have the login feature supported within the Java Api ? > On 28 Oct 2014, at 19:21, Stian Thorgersen wrote: > > We don't have a Java API for this > > ----- Original Message ----- >> From: "Alexander Chriztopher" >> To: "Stian Thorgersen" >> Cc: keycloak-user at lists.jboss.org >> Sent: Tuesday, 28 October, 2014 7:16:44 PM >> Subject: Re: [keycloak-user] Example of a remote REST authentication >> >> Hi Stian wins thanks ! >> >> That app is using http client and am looking for an example that uses the >> Java API unfortunately :-( >> >> By the way is the Java Api documented somewhere ? >> >> >> >>> On 28 Oct 2014, at 15:58, Stian Thorgersen wrote: >>> >>> You can use direct grant to authenticate users. Have a look at the >>> admin-access-app example it uses this approach. 
>>> >>> ----- Original Message ----- >>>> From: "Alexander Chriztopher" >>>> To: keycloak-user at lists.jboss.org >>>> Sent: Friday, 24 October, 2014 7:34:22 PM >>>> Subject: [keycloak-user] Example of a remote REST authentication >>>> >>>> Hi all, >>>> >>>> On one of our applications we need to have very customisable login page >>>> -works with an online customisation facility- and hence we need to have >>>> the >>>> login page built in our application and be able to authenticate users >>>> remotely via the java rest api. >>>> >>>> Are there any examples to do this ? Otherwise any tips would be great. >>>> >>>> Thanks for any help. >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> From stian at redhat.com Tue Oct 28 14:45:46 2014 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 28 Oct 2014 14:45:46 -0400 (EDT) Subject: [keycloak-user] Example of a remote REST authentication In-Reply-To: <89145270-1F7F-40A1-8767-BA44963CDC31@gmail.com> References: <673857422.1777032.1414508308836.JavaMail.zimbra@redhat.com> <8B880F0C-1C04-409C-B50F-04DA2D70E26B@gmail.com> <632575302.2040688.1414520499369.JavaMail.zimbra@redhat.com> <89145270-1F7F-40A1-8767-BA44963CDC31@gmail.com> Message-ID: <345947054.2061029.1414521946285.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "Alexander Chriztopher" > To: "Stian Thorgersen" > Cc: keycloak-user at lists.jboss.org > Sent: Tuesday, 28 October, 2014 7:40:35 PM > Subject: Re: [keycloak-user] Example of a remote REST authentication > > Ok ! > > - Is there a documentation for the rest of the Java rest Api ? It's OpenID Connect - we could probably add more docs around it though > - Should i log a Jira to have the login feature supported within the Java Api What Java API are you referring to? > ? 
> > > > > On 28 Oct 2014, at 19:21, Stian Thorgersen wrote: > > > > We don't have a Java API for this > > > > ----- Original Message ----- > >> From: "Alexander Chriztopher" > >> To: "Stian Thorgersen" > >> Cc: keycloak-user at lists.jboss.org > >> Sent: Tuesday, 28 October, 2014 7:16:44 PM > >> Subject: Re: [keycloak-user] Example of a remote REST authentication > >> > >> Hi Stian wins thanks ! > >> > >> That app is using http client and am looking for an example that uses the > >> Java API unfortunately :-( > >> > >> By the way is the Java Api documented somewhere ? > >> > >> > >> > >>> On 28 Oct 2014, at 15:58, Stian Thorgersen wrote: > >>> > >>> You can use direct grant to authenticate users. Have a look at the > >>> admin-access-app example it uses this approach. > >>> > >>> ----- Original Message ----- > >>>> From: "Alexander Chriztopher" > >>>> To: keycloak-user at lists.jboss.org > >>>> Sent: Friday, 24 October, 2014 7:34:22 PM > >>>> Subject: [keycloak-user] Example of a remote REST authentication > >>>> > >>>> Hi all, > >>>> > >>>> On one of our applications we need to have very customisable login page > >>>> -works with an online customisation facility- and hence we need to have > >>>> the > >>>> login page built in our application and be able to authenticate users > >>>> remotely via the java rest api. > >>>> > >>>> Are there any examples to do this ? Otherwise any tips would be great. > >>>> > >>>> Thanks for any help. 
> >>>>
> >>>> _______________________________________________
> >>>> keycloak-user mailing list
> >>>> keycloak-user at lists.jboss.org
> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
>

From alexander.chriztopher at gmail.com Tue Oct 28 16:55:49 2014
From: alexander.chriztopher at gmail.com (Alexander Chriztopher)
Date: Tue, 28 Oct 2014 21:55:49 +0100
Subject: [keycloak-user] Example of a remote REST authentication
In-Reply-To: <345947054.2061029.1414521946285.JavaMail.zimbra@redhat.com>
References: <673857422.1777032.1414508308836.JavaMail.zimbra@redhat.com> <8B880F0C-1C04-409C-B50F-04DA2D70E26B@gmail.com> <632575302.2040688.1414520499369.JavaMail.zimbra@redhat.com> <89145270-1F7F-40A1-8767-BA44963CDC31@gmail.com> <345947054.2061029.1414521946285.JavaMail.zimbra@redhat.com>
Message-ID: <24CC0874-D381-4669-B80F-FFC4F61B5CEF@gmail.com>

The Java rest api actually ! In order to be able to log a user in ..

> On 28 Oct 2014, at 19:45, Stian Thorgersen wrote:
>
>
>
> ----- Original Message -----
>> From: "Alexander Chriztopher"
>> To: "Stian Thorgersen"
>> Cc: keycloak-user at lists.jboss.org
>> Sent: Tuesday, 28 October, 2014 7:40:35 PM
>> Subject: Re: [keycloak-user] Example of a remote REST authentication
>>
>> Ok !
>>
>> - Is there a documentation for the rest of the Java rest Api ?
>
> It's OpenID Connect - we could probably add more docs around it though
>
>> - Should i log a Jira to have the login feature supported within the Java Api
>
> What Java API are you referring to?
>
>> ?
>>
>>
>>
>>> On 28 Oct 2014, at 19:21, Stian Thorgersen wrote:
>>>
>>> We don't have a Java API for this
>>>
>>> ----- Original Message -----
>>>> From: "Alexander Chriztopher"
>>>> To: "Stian Thorgersen"
>>>> Cc: keycloak-user at lists.jboss.org
>>>> Sent: Tuesday, 28 October, 2014 7:16:44 PM
>>>> Subject: Re: [keycloak-user] Example of a remote REST authentication
>>>>
>>>> Hi Stian wins thanks !
>>>>
>>>> That app is using http client and am looking for an example that uses the
>>>> Java API unfortunately :-(
>>>>
>>>> By the way is the Java Api documented somewhere ?
>>>>
>>>>
>>>>
>>>>> On 28 Oct 2014, at 15:58, Stian Thorgersen wrote:
>>>>>
>>>>> You can use direct grant to authenticate users. Have a look at the
>>>>> admin-access-app example it uses this approach.
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Alexander Chriztopher"
>>>>>> To: keycloak-user at lists.jboss.org
>>>>>> Sent: Friday, 24 October, 2014 7:34:22 PM
>>>>>> Subject: [keycloak-user] Example of a remote REST authentication
>>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> On one of our applications we need to have very customisable login page
>>>>>> -works with an online customisation facility- and hence we need to have the
>>>>>> login page built in our application and be able to authenticate users
>>>>>> remotely via the java rest api.
>>>>>>
>>>>>> Are there any examples to do this ? Otherwise any tips would be great.
>>>>>>
>>>>>> Thanks for any help.
>>>>>>
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>

From Abhijit.Vikash.ap at nielsen.com Wed Oct 29 05:35:22 2014
From: Abhijit.Vikash.ap at nielsen.com (Vikash, Abhijit)
Date: Wed, 29 Oct 2014 09:35:22 +0000
Subject: [keycloak-user] CORPS support enabled for JBoss EAP- Version 6.1.1.GA
Message-ID: <1414575320206.87002@nielsen.com>

Hi,

We need CORS support enabled for our JBoss Enterprise Application Platform - Version 6.1.1.GA environment. Please let us know from where we can get the latest version of the keycloak-eap6-adapter-dist.zip file. We tried to configure it from the instructions below but are unable to make the call to the server.

http://docs.jboss.org/keycloak/docs/1.0-alpha-3/userguide/html/ch06.html#adapter-config
Please let us know what we need to configure in standalone-full.xml. Also, we need to build a CLI script to enable CORS support from the command line.

Thanks,
Abhijit

Regards
Abhijit Vikash
Tata Consultancy Services
No 42, Think campus
Electronic City phase II
Bangalore - 560100, Karnataka
India

From stian at redhat.com Wed Oct 29 14:19:08 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Wed, 29 Oct 2014 14:19:08 -0400 (EDT)
Subject: [keycloak-user] Keycloak 1.0.4.Final released
Message-ID: <1672606176.2966600.1414606748490.JavaMail.zimbra@redhat.com>

Fixes a bug introduced in 1.0.3.Final that causes problems if your domain includes a hyphen.

From robin1233 at gmail.com Wed Oct 29 14:54:14 2014
From: robin1233 at gmail.com (robinfernandes .)
Date: Wed, 29 Oct 2014 14:54:14 -0400
Subject: [keycloak-user] Problems Authenticating with OpenLDAP
In-Reply-To: <5449F73A.1090306@redhat.com>
References: <5449F73A.1090306@redhat.com>
Message-ID:

Hi,

We are also testing with the same OpenLDAP version and the connection is not a problem. The "Test Authentication" and the "Test Connection" work just fine. Below are the screenshots of my configuration.

In the LDAP Provider Settings in Keycloak, if we use "Username LDAP attribute = uid" it works well. However, if we use "Username LDAP attribute = cn" it fails to authenticate.

Have you faced a similar problem?

On Fri, Oct 24, 2014 at 2:52 AM, Marek Posolda wrote:
> Hi,
>
> we are testing with OpenLDAP 2.4 and it works fine. Are you using a different
> version?
>
> Also, could the problem be a slow connection to the LDAP server? On the LDAP
> configuration screen in the Keycloak admin console, you can try "Test
> Connection" or "Test Authentication". Do these work well for you?
>
> If the connection is not the problem, maybe you can send the exception stacktrace
> and your LDAP configuration (once you configure LDAP, there should be a
> message in server.log like "INFO
> [org.keycloak.picketlink.ldap.PartitionManagerRegistry] Creating new LDAP
> based partition manager for the Federation provider...." with details about
> the LDAP configuration. It may help if you send it here as well)
>
> Thanks,
> Marek
>
>
> On 23.10.2014 17:13, robinfernandes . wrote:
>
> Hi guys,
>
> I am using Keycloak 1.0.1 final and I have integrated it with OpenLDAP.
> When I try to authenticate the user which is in LDAP, it is not able to
> authenticate it and the exception that comes up is
> "org.h2.jdbc.JdbcSQLException: Timeout trying to lock table "USER_ENTITY";"
> Is there anyone who has faced this problem? Is there a way to set the lock
> table timeout to be more than what it is by default?
>
> The other thing is, I tried authenticating with Active Directory and it
> works just fine. So I am guessing the problem is limited to OpenLDAP.
>
> Any help would be appreciated.
>
> Thanks,
> Robin
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
From j.kamal at ymail.com Wed Oct 29 15:16:10 2014
From: j.kamal at ymail.com (Kamal Jagadevan)
Date: Wed, 29 Oct 2014 19:16:10 +0000 (UTC)
Subject: [keycloak-user] Java API documentation
In-Reply-To:
References:
Message-ID: <1314214423.165496.1414610170091.JavaMail.yahoo@jws100156.mail.ne1.yahoo.com>

Hi Alexander,

On a second look, my problem was with my tomcat application that integrates with Keycloak. This tomcat application was using the fasterxml jackson parser whereas the keycloak implementation uses codehaus jackson, which gets overridden during runtime. I was able to overcome this problem by creating a PropertyNamingStrategy and setting it on the ObjectMapper before deserializing the JSON. Alternatively the Keycloak implementation can be modified to use fasterxml jackson databinding.

-Kamal

From: Alexander Chriztopher
To: Kamal Jagadevan
Cc: "keycloak-user at lists.jboss.org"
Sent: Monday, October 27, 2014 12:54 PM
Subject: Re: [keycloak-user] Java API documentation

Hi Kamal and thanks.

Am using the keycloak admin client which brings the following Jackson dependency: jackson-core-asl:1.9.9 and can not override this. I also don't have the option to change the property mapping as it comes with the Keycloak distribution am using :-(

On Mon, Oct 27, 2014 at 4:54 PM, Kamal Jagadevan wrote:

Hi Alexander,

I had faced the same problem a few days back. It is because of the mismatch between the JSONProperty and the POJO variable name (getter method), and that too with the fasterxml jackson parser. If you use the codehaus jackson parser you wouldn't get any problem. One workaround to this problem is to update the POJO variable name to reflect the JSONProperty name. A similar problem is observed in multiple places where deserialization kicks in. Specifically it is because of this:

    @JsonProperty("access_token")
    protected String token;

Hi Bill,

Do you have any other ideas besides updating the POJO's member variable name to match the JSON property? Please advise.

Thanks
Kamal

From: Alexander Chriztopher
To: "keycloak-user at lists.jboss.org"
Sent: Monday, October 27, 2014 11:45 AM
Subject: [keycloak-user] Java API documentation

Hi All,

Am using Keycloak 1.0.2.Final and am getting this error when using the rest API:

Caused by: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "access_token" (class org.keycloak.representations.AccessTokenResponse), not marked as ignorable (7 known properties: "tokenType", "notBeforePolicy", "token", "expiresIn", "sessionState", "refreshToken", "idToken"])
 at [Source: org.apache.http.conn.EofSensorInputStream at 11b8a95d; line: 1, column: 18] (through reference chain: org.keycloak.representations.AccessTokenResponse["access_token"])
	at com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException.from(UnrecognizedPropertyException.java:51) [jackson-databind-2.3.2.jar:2.3.2]
	at com.fasterxml.jackson.databind.DeserializationContext.reportUnknownProperty(DeserializationContext.java:671) [jackson-databind-2.3.2.jar:2.3.2]
	at com.fasterxml.jackson.databind.deser.std.StdDeserializer.handleUnknownProperty(StdDeserializer.java:771) [jackson-databind-2.3.2.jar:2.3.2]
	at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.handleUnknownProperty(BeanDeserializerBase.java:1297) [jackson-databind-2.3.2.jar:2.3.2]
	at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.handleUnknownVanilla(BeanDeserializerBase.java:1275) [jackson-databind-2.3.2.jar:2.3.2]
	at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:247) [jackson-databind-2.3.2.jar:2.3.2]
	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:118) [jackson-databind-2.3.2.jar:2.3.2]
	at com.fasterxml.jackson.databind.ObjectReader._bind(ObjectReader.java:1233) [jackson-databind-2.3.2.jar:2.3.2]
	at com.fasterxml.jackson.databind.ObjectReader.readValue(ObjectReader.java:677) [jackson-databind-2.3.2.jar:2.3.2]
	at org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider.readFrom(ResteasyJackson2Provider.java:120) [resteasy-jackson2-provider-3.0.8.Final.jar:]
	at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.readFrom(AbstractReaderInterceptorContext.java:59) [resteasy-jaxrs-3.0.8.Final.jar:]
	at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:51) [resteasy-jaxrs-3.0.8.Final.jar:]
	at org.jboss.resteasy.security.doseta.DigitalVerificationInterceptor.aroundReadFrom(DigitalVerificationInterceptor.java:32) [resteasy-crypto-3.0.8.Final.jar:]
	at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:53) [resteasy-jaxrs-3.0.8.Final.jar:]
	at org.jboss.resteasy.plugins.interceptors.encoding.GZIPDecodingInterceptor.aroundReadFrom(GZIPDecodingInterceptor.java:59) [resteasy-jaxrs-3.0.8.Final.jar:]
	at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:53) [resteasy-jaxrs-3.0.8.Final.jar:]
	at org.jboss.resteasy.client.jaxrs.internal.ClientResponse.readFrom(ClientResponse.java:248) [resteasy-client-3.0.8.Final.jar:]
	... 164 more

Was wondering where this comes from as am using the 1.0.2.Final admin api and have updated my Wildfly Server accordingly.

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
From prabhalar at yahoo.com Wed Oct 29 21:59:35 2014
From: prabhalar at yahoo.com (prab rrrr)
Date: Thu, 30 Oct 2014 01:59:35 +0000 (UTC)
Subject: [keycloak-user] Mongo DB Connections Issue
Message-ID: <1828554299.738311.1414634375725.JavaMail.yahoo@jws10002g.mail.ne1.yahoo.com>

I configured Keycloak 1.0.3 to use Mongodb and created a new realm, added a user and deleted the user. While doing so I noticed that Keycloak opens 1 connection each for almost any update/insert/delete and it doesn't close them. 24 connections were opened for 1 user performing those operations and they remained open even after 3 hrs of inactivity.

Can a fix be put in for this issue?

From mposolda at redhat.com Thu Oct 30 06:22:17 2014
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 30 Oct 2014 11:22:17 +0100
Subject: [keycloak-user] Mongo DB Connections Issue
In-Reply-To: <1828554299.738311.1414634375725.JavaMail.yahoo@jws10002g.mail.ne1.yahoo.com>
References: <1828554299.738311.1414634375725.JavaMail.yahoo@jws10002g.mail.ne1.yahoo.com>
Message-ID: <54521159.7060602@redhat.com>

Hi,

We are using MongoClient, which has its own connection pooling mechanism. The default size of the connection pool is 100 connections. When MongoClient needs to do some DB operation, it opens a new connection and puts it into the connection pool until there are 100 connections there. Once there are 100 connections, it stops opening new connections and starts to reuse existing ones instead.

As of now, we don't support configuration of the connection pool in Keycloak, but I've added https://issues.jboss.org/browse/KEYCLOAK-799, which will be available in the next 1.1.0.Beta1 version.
Then you will be able to add this to the mongo configuration in keycloak-server.json:

    "connectionsPerHost": 10

to limit the size of the connection pool to 10 connections, for example. You will also be able to configure other options related to connections and connection pooling.

Marek

On 30.10.2014 02:59, prab rrrr wrote:
> I configured Keycloak 1.0.3 to use Mongodb and created a new realm,
> added a user and deleted the user. While doing so I noticed that
> Keycloak opens 1 connection each for almost any update/insert/delete
> and it doesn't close them. 24 Connections were opened for 1 user
> performing those operations and they remained open even after 3 hrs of
> inactivity.
>
> Can a fix be put in for this issue?
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From prabhalar at yahoo.com Thu Oct 30 07:51:14 2014
From: prabhalar at yahoo.com (prab rrrr)
Date: Thu, 30 Oct 2014 11:51:14 +0000 (UTC)
Subject: [keycloak-user] Mongo DB Connections Issue
In-Reply-To: <54521159.7060602@redhat.com>
References: <54521159.7060602@redhat.com>
Message-ID: <1820628243.266518.1414669874349.JavaMail.yahoo@jws10096.mail.ne1.yahoo.com>

Perfect. Looking forward to the next version of Keycloak. Thanks Marek.

On Thursday, October 30, 2014 6:22 AM, Marek Posolda wrote:

Hi,

We are using MongoClient, which has its own connection pooling mechanism. The default size of the connection pool is 100 connections. When MongoClient needs to do some DB operation, it opens a new connection and puts it into the connection pool until there are 100 connections there. Once there are 100 connections, it stops opening new connections and starts to reuse existing ones instead.
As of now, we don't support configuration of the connection pool in Keycloak, but I've added https://issues.jboss.org/browse/KEYCLOAK-799, which will be available in the next 1.1.0.Beta1 version. Then you will be able to add this to the mongo configuration in keycloak-server.json:

    "connectionsPerHost": 10

to limit the size of the connection pool to 10 connections, for example. You will also be able to configure other options related to connections and connection pooling.

Marek

On 30.10.2014 02:59, prab rrrr wrote:

I configured Keycloak 1.0.3 to use Mongodb and created a new realm, added a user and deleted the user. While doing so I noticed that Keycloak opens 1 connection each for almost any update/insert/delete and it doesn't close them. 24 Connections were opened for 1 user performing those operations and they remained open even after 3 hrs of inactivity.

Can a fix be put in for this issue?

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From prabhalar at yahoo.com Thu Oct 30 11:56:50 2014
From: prabhalar at yahoo.com (Raghuram)
Date: Thu, 30 Oct 2014 11:56:50 -0400
Subject: [keycloak-user] Openid connect end points
Message-ID: <2081F684-E41E-4FAB-B88A-6E88D6A7C373@yahoo.com>

Does Keycloak fully support the OpenID Connect specification? I failed to figure out the following end points -
1. /authorize
2. /userinfo
3. /well-known/webfinger (optional as per spec)

Can you please guide me to an example that shows the above calls? Any help would be appreciated.
Thanks

Sent from my iPhone

From bburke at redhat.com Thu Oct 30 12:07:13 2014
From: bburke at redhat.com (Bill Burke)
Date: Thu, 30 Oct 2014 12:07:13 -0400
Subject: [keycloak-user] Openid connect end points
In-Reply-To: <2081F684-E41E-4FAB-B88A-6E88D6A7C373@yahoo.com>
References: <2081F684-E41E-4FAB-B88A-6E88D6A7C373@yahoo.com>
Message-ID: <54526231.5090709@redhat.com>

1. /authorize  We have multiple endpoints based on the flow of the protocol. We need to fix this to have one endpoint.
2. not yet
3. not yet

On 10/30/2014 11:56 AM, Raghuram wrote:
> Does Keycloak fully support the OpenID Connect specification? I failed to figure out the following end points -
> 1. /authorize
> 2. /userinfo
> 3. /well-known/webfinger (optional as per spec)
>
> Can you please guide me to an example that shows the above calls? Any help would be appreciated.
>
> Thanks
>
> Sent from my iPhone
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From prabhalar at yahoo.com Thu Oct 30 12:12:45 2014
From: prabhalar at yahoo.com (Raghuram)
Date: Thu, 30 Oct 2014 12:12:45 -0400
Subject: [keycloak-user] Openid connect end points
In-Reply-To: <54526231.5090709@redhat.com>
References: <2081F684-E41E-4FAB-B88A-6E88D6A7C373@yahoo.com> <54526231.5090709@redhat.com>
Message-ID: <81107743-7DBE-42EA-9360-D12ECD99A381@yahoo.com>

Ok. Thanks. Any timelines to provide those end points and also to fully support the specification (including both basic and implicit flows)?

Sent from my iPhone

> On Oct 30, 2014, at 12:07 PM, Bill Burke wrote:
>
> 1. /authorize We have multiple endpoints based on the flow of the
> protocol. We need to fix this to have one endpoint.
> 2. not yet
> 3. not yet
>
>
>
>> On 10/30/2014 11:56 AM, Raghuram wrote:
>> Does Keycloak fully support the OpenID Connect specification? I failed to figure out the following end points -
>> 1. /authorize
>> 2. /userinfo
>> 3. /well-known/webfinger (optional as per spec)
>>
>> Can you please guide me to an example that shows the above calls? Any help would be appreciated.
>>
>> Thanks
>>
>> Sent from my iPhone
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From ivan at akvo.org Thu Oct 30 12:17:06 2014
From: ivan at akvo.org (Iván Perdomo)
Date: Thu, 30 Oct 2014 17:17:06 +0100
Subject: [keycloak-user] Openid connect end points
In-Reply-To: <2081F684-E41E-4FAB-B88A-6E88D6A7C373@yahoo.com>
References: <2081F684-E41E-4FAB-B88A-6E88D6A7C373@yahoo.com>
Message-ID: <20141030171706.0c5cb528@akvo.org>

Hi,

On Thu, 30 Oct 2014 11:56:50 -0400
Raghuram wrote:

> Does Keycloak fully support the OpenID Connect specification?

afaik, Keycloak only supports OpenID Connect Core ...

> I failed to figure out the following end points -
> 1. /authorize

/auth/realms//tokens/login

> 2. /userinfo

/auth/realms//account

> 3. /well-known/webfinger (optional as per spec)

As you mentioned - optional

Notice that there is an open issue regarding IDToken generation
https://issues.jboss.org/browse/KEYCLOAK-767

>
> Can you please guide me to an example that shows the above calls? Any
> help would be appreciated.
>
> Thanks
>
> Sent from my iPhone
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Iván

From prabhalar at yahoo.com Thu Oct 30 12:34:12 2014
From: prabhalar at yahoo.com (Raghuram)
Date: Thu, 30 Oct 2014 12:34:12 -0400
Subject: [keycloak-user] Openid connect end points
In-Reply-To: <20141030171706.0c5cb528@akvo.org>
References: <2081F684-E41E-4FAB-B88A-6E88D6A7C373@yahoo.com> <20141030171706.0c5cb528@akvo.org>
Message-ID: <1B65D682-C72F-4EF5-B9B1-BCF0D8DF85CE@yahoo.com>

Thanks Ivan. Will start testing those end points

Sent from my iPhone

> On Oct 30, 2014, at 12:17 PM, Iván Perdomo wrote:
>
> Hi,
>
> On Thu, 30 Oct 2014 11:56:50 -0400
> Raghuram wrote:
>
>> Does Keycloak fully support the OpenID Connect specification?
> afaik, Keycloak only supports OpenID Connect Core ...
>
>> I failed to figure out the following end points -
>> 1. /authorize
> /auth/realms//tokens/login
>
>> 2. /userinfo
> /auth/realms//account
>
>> 3. /well-known/webfinger (optional as per spec)
> As you mentioned - optional
>
> Notice that there is an open issue regarding IDToken generation
> https://issues.jboss.org/browse/KEYCLOAK-767
>
>>
>> Can you please guide me to an example that shows the above calls? Any
>> help would be appreciated.
>>
>> Thanks
>>
>> Sent from my iPhone
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> --
> Iván

From peterson.dean at gmail.com Thu Oct 30 15:57:51 2014
From: peterson.dean at gmail.com (Dean Peterson)
Date: Thu, 30 Oct 2014 14:57:51 -0500
Subject: [keycloak-user] updateToken method not working
Message-ID:

I use the following code to make sure I have a valid token before making a request.
Even though I am logged in, if I wait until the token expires and then make a request, the error function is called most of the time when I try to update the token using the updateToken method. I have the page reload, and I have a valid token again. However, I did not have to log in again because the session had not expired. I am using 1.1.0-Alpha1-SNAPSHOT. I have read the documentation. Am I missing something?

    // Context assumed from the surrounding Angular service (not shown in the
    // post): keycloak, $http, url, method, data, contentType, acceptType,
    // success, error and service.auth.token are all in scope here.
    keycloak.updateToken().success(function() {
        // Build the request once; the Bearer header reads the token only
        // after updateToken() has succeeded, so it carries the fresh value.
        var request = {
            url: 'http://localhost:8080' + url,
            method: method,
            headers: {
                'Content-Type': contentType,
                'Accept': acceptType,
                'Authorization': 'Bearer ' + service.auth.token
            }
        };
        if (data) {
            // Send the body as-is rather than letting $http re-serialize it.
            request.data = data;
            request.transformRequest = angular.identity;
        }
        $http(request).success(success).error(error);
    }).error(function() {
        alert("Token could not be refreshed!");
        location.reload();
    });

From prabhalar at yahoo.com Thu Oct 30 16:15:56 2014
From: prabhalar at yahoo.com (Raghuram)
Date: Thu, 30 Oct 2014 16:15:56 -0400
Subject: [keycloak-user] OpenID Connect support
In-Reply-To: <20141020202416.4dbbcf88@akvo.org>
References: <20140918105929.14b478d9@akvo.org> <20140924124430.49a41efc@akvo.org> <58273656.55471417.1411636509910.JavaMail.zimbra@redhat.com> <20140925145304.4ba311e0@akvo.org> <20141020172808.0c9ec9e9@akvo.org> <5445329C.2030808@redhat.com> <20141020192224.62d09a63@akvo.org> <54454D18.1080608@redhat.com> <20141020202416.4dbbcf88@akvo.org>
Message-ID: <81AC1AC3-BA8E-491C-81BA-64BD099D5D5D@yahoo.com>

I tested with libraries based on Apache Oltu and even I noticed that the realm name is being sent in the IdToken under "iss". "aud" is null when I included multiple redirect URIs, which is breaking the validation (as per the OpenID spec). "azp" is not being sent (it is optional unless more than 1 client is registered) - I expect that to be sent once I register two clients.

Used /account for the userinfo end point; that didn't work. Will provide more feedback as I continue to test.

Fyi - my libraries were tested completely against a server implementation based on Mitre's OpenID Connect and they are good.

Sent from my iPhone

> On Oct 20, 2014, at 2:24 PM, Iván Perdomo wrote:
>
> On Mon, 20 Oct 2014 13:57:44 -0400
> Bill Burke wrote:
>
>> I thought the issuer was the realm. I guess its not....Also looks
>> like we'll need to have one URL to process all realm oidc requests as
>> the ISS is validated.
>>
>> Does this library offer any encryption/signature options for the ID
>> Token?
>
> The library validating the token is Google's OAuth Client Library
> [1][2], the piece of code calling that library [3]
>
> [1] https://code.google.com/p/google-oauth-java-client/
> [2] http://javadoc.google-oauth-java-client.googlecode.com/hg/1.19.0/com/google/api/client/auth/openidconnect/IdTokenVerifier.html
> [3] https://github.com/iperdomo/android-openid-connect-sample/blob/master/app/src/main/java/com/lnikkila/oidcsample/oidc/OIDCUtils.java#L156-L164
>
> --
> Iván
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From bburke at redhat.com Thu Oct 30 16:58:57 2014
From: bburke at redhat.com (Bill Burke)
Date: Thu, 30 Oct 2014 16:58:57 -0400
Subject: [keycloak-user] OpenID Connect support
In-Reply-To: <81AC1AC3-BA8E-491C-81BA-64BD099D5D5D@yahoo.com>
References: <20140918105929.14b478d9@akvo.org> <20140924124430.49a41efc@akvo.org> <58273656.55471417.1411636509910.JavaMail.zimbra@redhat.com> <20140925145304.4ba311e0@akvo.org> <20141020172808.0c9ec9e9@akvo.org> <5445329C.2030808@redhat.com> <20141020192224.62d09a63@akvo.org> <54454D18.1080608@redhat.com> <20141020202416.4dbbcf88@akvo.org> <81AC1AC3-BA8E-491C-81BA-64BD099D5D5D@yahoo.com>
Message-ID: <5452A691.10607@redhat.com>

Ivan, btw, looking at the library you are using, validation of the ID token is optional.

On 10/30/2014 4:15 PM, Raghuram wrote:
> I tested with libraries based on Apache Oltu and even I noticed that realm name is being sent in the Idtoken under "iss". "aud" is null when I included multiple redirect Uris which is breaking the validation (as per openid spec). "azp" is not being sent (it is optional unless more than 1 client is registered) - expect that to be sent once I register two clients.
>

"aud" has been fixed in master.

"iss" still is the realm name. This is just a unique identifier for the realm. And there is nothing in the spec that I could find that states that it must match the token endpoint URL. It just has to be a URL that uniquely identifies the issuer. It is something that is configured, or found during OIDC discovery.

"azp"
Your interpretation of AZP is not my interpretation of AZP. #1. AZP is optional, we don't have to include it at all. #2 It would only have the value of the client that requested the token. In Keycloak, ID Tokens are generated and only given to one audience.

> Used /account for userinfo end point that didn't work. Will provide more feedback as I continue to test
>

As I said before, we do not support userinfo yet. Our access tokens are Json Web Signatures signed by the realm and the content is an extended version of ID Tokens that contains additional keycloak metadata.

> Fyi -My libraries were tested completely against a server implementation based on Mitre's open Id connect and they are good.
>

It's on the roadmap to expand our OIDC support beyond the minimal requirements and to validate it against other implementations. Just haven't gotten to it yet.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From prabhalar at yahoo.com Thu Oct 30 18:42:12 2014
From: prabhalar at yahoo.com (Raghuram)
Date: Thu, 30 Oct 2014 18:42:12 -0400
Subject: [keycloak-user] OpenID Connect support
In-Reply-To: <5452A691.10607@redhat.com>
References: <20140918105929.14b478d9@akvo.org> <20140924124430.49a41efc@akvo.org> <58273656.55471417.1411636509910.JavaMail.zimbra@redhat.com> <20140925145304.4ba311e0@akvo.org> <20141020172808.0c9ec9e9@akvo.org> <5445329C.2030808@redhat.com> <20141020192224.62d09a63@akvo.org> <54454D18.1080608@redhat.com> <20141020202416.4dbbcf88@akvo.org> <81AC1AC3-BA8E-491C-81BA-64BD099D5D5D@yahoo.com> <5452A691.10607@redhat.com>
Message-ID:

Hi Bill - here is my understanding of the spec:

Section 3.1.3.7 of the core spec says that clients must validate the ID tokens. The third point of the same section says that "aud" can contain more than 1 element, in which case the fourth point says that the client should verify that "azp" is present, and the fifth point says azp should be verified against the client id.

Now when an OAuth client registers, it can specify multiple redirect URIs, corresponding to different OAuth clients that wish to participate in a single sign on. When a user tries to access the first client and he is authenticated, the client just gets a code. If the code is passed to the second client (the first client could be a web app and the second client could be a database service) then the second client could get an IdToken. The auth server (Keycloak in this case) would then list all the client ids in "aud" and specify the second client in "azp", which will be validated by the second client.

The above is a valid use case in our organization (authentication delegation). It gives flexibility to the apps (especially sensitive ones) to pick the apps they trust rather than just participate in an organization wide single sign on.
Section 3 (OpenID Provider Metadata) of the discovery spec mentions that issuer is a URL using https. Hope I make sense. Thanks. Sent from my iPhone > On Oct 30, 2014, at 4:58 PM, Bill Burke wrote: > > Ivan, btw, looking at the library you are using, validation of the ID token is optional. > >> On 10/30/2014 4:15 PM, Raghuram wrote: >> I tested with libraries based on Apache Oltu and even I noticed that realm name is being sent in the ID token under "iss". "aud" is null when I included multiple redirect URIs which is breaking the validation (as per OpenID spec). "azp" is not being sent (it is optional unless more than 1 client is registered) - expect that to be sent once I register two clients. > "aud" has been fixed in master. > > "iss" still is the realm name. This is just a unique identifier for the realm. And there is nothing in the spec that I could find that states that it must match the token endpoint URL. It just has to be a URL that uniquely identifies the issuer. It is something that is configured, or, found during OIDC discovery. > > "azp": > Your interpretation of "azp" is not my interpretation of "azp". #1. "azp" is optional, we don't have to include it at all. #2 It would only have the value of the client that requested the token. In Keycloak, ID Tokens are generated and only given to one audience. > > >> Used /account for userinfo endpoint that didn't work. Will provide more feedback as I continue to test > > As I said before, we do not support userinfo yet. Our access tokens are JSON Web Signatures signed by the realm and the content is an extended version of ID Tokens that contains additional Keycloak metadata. > >> Fyi - My libraries were tested completely against a server implementation based on MITRE's OpenID Connect and they are good. > > It's on the roadmap to expand our OIDC support beyond the minimal requirements and to validate it against other implementations. Just haven't gotten to it yet.
> > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com From bburke at redhat.com Thu Oct 30 20:53:38 2014 From: bburke at redhat.com (Bill Burke) Date: Thu, 30 Oct 2014 20:53:38 -0400 Subject: [keycloak-user] OpenID Connect support In-Reply-To: References: <20140918105929.14b478d9@akvo.org> <20140924124430.49a41efc@akvo.org> <58273656.55471417.1411636509910.JavaMail.zimbra@redhat.com> <20140925145304.4ba311e0@akvo.org> <20141020172808.0c9ec9e9@akvo.org> <5445329C.2030808@redhat.com> <20141020192224.62d09a63@akvo.org> <54454D18.1080608@redhat.com> <20141020202416.4dbbcf88@akvo.org> <81AC1AC3-BA8E-491C-81BA-64BD099D5D5D@yahoo.com> <5452A691.10607@redhat.com> Message-ID: <5452DD92.8020900@redhat.com> Section 3 does mention that the issuer is a URL using HTTPS, but this URL does not have to match the token endpoint URL. It is just a unique identifier for the issuer. That's it. Maybe I'm just not understanding OIDC, but what you are describing for "aud" and "azp" doesn't make sense to me. An ID Token is not an access token. It's not something you pass around to use for authz. Neither do you pass around access codes. Access codes are only usable once. Keycloak just doesn't support multiple audiences. When an OAuth client is registered, a set of valid redirect URI patterns are associated with it. You cannot associate a client with another client. The ID Token will only ever contain one client_id in the "aud" and the "azp" will always be blank because it's an optional setting. We support narrowed "trust" by role scope mappings. When an access token is created for a specific client, it is only granted permissions that are configured for that client's scope.
For example:
* Service 'A' has roles of "user" and "admin"
* Service 'B' has roles of "admin" and "analyst"
* User has a role mapping of A.user, A.admin, B.admin, B.analyst
* OAuth client 'C' is registered with a role scope mapping of A.user
* OAuth client 'C' initiates a token request on behalf of the User; it gets an access token only with a permission of 'A.user' even though the user has other permissions. So it wouldn't be able to access Service 'B' at all.
On 10/30/2014 6:42 PM, Raghuram wrote: > Hi Bill - here is my understanding of the spec: > > Section 3.1.3.7 of the core spec says that clients must validate the ID tokens. The third point of the same section says that "aud" can contain more than 1 element, in which case the fourth point says that the client should verify that "azp" is present, and the fifth point says azp should be verified against the client id > > Now when an OAuth client registers, it can specify multiple redirect URIs, corresponding to different OAuth clients that wish to participate in a single sign-on. When a user tries to access the first client and he is authenticated, the client just gets a code. If the code is passed to the second client (the first client could be a web app and the second client could be a database service) then the second client could get an ID token. The auth server (Keycloak in this case) would then list all the client ids in "aud" and specify the second client in "azp", which will be validated by the second client. > > The above is a valid use case in our organization (authentication delegation). It gives flexibility to the apps (especially sensitive ones) to pick the apps they trust rather than just participate in an organization-wide single sign-on. > > Section 3 (OpenID Provider Metadata) of the discovery spec mentions that issuer is a URL using https. > > Hope I make sense. > > Thanks.
> Sent from my iPhone > >> On Oct 30, 2014, at 4:58 PM, Bill Burke wrote: >> >> Ivan, btw, looking at the library you are using, validation of the ID token is optional. >> >>> On 10/30/2014 4:15 PM, Raghuram wrote: >>> I tested with libraries based on Apache Oltu and even I noticed that realm name is being sent in the ID token under "iss". "aud" is null when I included multiple redirect URIs which is breaking the validation (as per OpenID spec). "azp" is not being sent (it is optional unless more than 1 client is registered) - expect that to be sent once I register two clients. >> "aud" has been fixed in master. >> >> "iss" still is the realm name. This is just a unique identifier for the realm. And there is nothing in the spec that I could find that states that it must match the token endpoint URL. It just has to be a URL that uniquely identifies the issuer. It is something that is configured, or, found during OIDC discovery. >> >> "azp": >> Your interpretation of "azp" is not my interpretation of "azp". #1. "azp" is optional, we don't have to include it at all. #2 It would only have the value of the client that requested the token. In Keycloak, ID Tokens are generated and only given to one audience. >> >> >>> Used /account for userinfo endpoint that didn't work. Will provide more feedback as I continue to test >> >> As I said before, we do not support userinfo yet. Our access tokens are JSON Web Signatures signed by the realm and the content is an extended version of ID Tokens that contains additional Keycloak metadata. >> >>> Fyi - My libraries were tested completely against a server implementation based on MITRE's OpenID Connect and they are good. >> >> It's on the roadmap to expand our OIDC support beyond the minimal requirements and to validate it against other implementations. Just haven't gotten to it yet.
>> >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From stian at redhat.com Fri Oct 31 03:18:26 2014 From: stian at redhat.com (Stian Thorgersen) Date: Fri, 31 Oct 2014 03:18:26 -0400 (EDT) Subject: [keycloak-user] updateToken method not working In-Reply-To: References: Message-ID: <828758206.4624335.1414739906070.JavaMail.zimbra@redhat.com> That looks correct to me. Looks like for some reason the token refresh isn't successful. The default session idle timeout is pretty low so it could be that. Try increasing 'SSO Session Idle Timeout' in the admin console (Session and Tokens -> Timeout Settings) to make sure that's not the problem. We don't currently pass the error details to the error method, which we should, but you can look at the actual HTTP request using a dev console to see if there are any details in the response about why the refresh fails. ----- Original Message ----- > From: "Dean Peterson" > To: keycloak-user at lists.jboss.org > Sent: Thursday, 30 October, 2014 8:57:51 PM > Subject: [keycloak-user] updateToken method not working > > I use the following code to make sure I have a valid token before making a > request. Even though I am logged in, if I wait until the token expires then > make a request, the error function is called most of the time when I try to > update the token using the updateToken method. I have the page reload, and I > have a valid token again. However, I did not have to log in again because > the session had not expired. I am using 1.1.0-Alpha1-SNAPSHOT. I have read > the documentation. Am I missing something?
>
> keycloak.updateToken().success(function() {
>     // updateToken() exchanges the refresh token for a new access token; on
>     // success keycloak.token holds the new value, so service.auth is assumed
>     // to be that keycloak object (otherwise the Bearer header below is stale)
>     if (data) {
>         $http({
>             url: 'http://localhost:8080' + url,
>             method: method,
>             data: data,
>             headers: {
>                 'Content-Type': contentType,
>                 'Accept': acceptType,
>                 'Authorization': 'Bearer ' + service.auth.token
>             },
>             transformRequest: angular.identity
>         }).success(success).error(error);
>     } else {
>         $http({
>             url: 'http://localhost:8080' + url,
>             method: method,
>             headers: {
>                 'Content-Type': contentType,
>                 'Accept': acceptType,
>                 'Authorization': 'Bearer ' + service.auth.token
>             }
>         }).success(success).error(error);
>     }
> }).error(function() {
>     // refresh failed (for example the SSO session idle timeout was exceeded);
>     // reloading the page forces a fresh login round trip
>     alert("Token could not be refreshed!");
>     location.reload();
> });
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
From mposolda at redhat.com Fri Oct 31 05:41:21 2014 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 31 Oct 2014 10:41:21 +0100 Subject: [keycloak-user] Problems Authenticating with OpenLDAP In-Reply-To: References: <5449F73A.1090306@redhat.com> Message-ID: <54535941.3040106@redhat.com> Hi, for servers like OpenLDAP it's assumed that "uid" contains the username of the user (and I think that if you change the "Vendor" combobox to "Other", it will also change the "Username LDAP Attribute" too). Using "cn" is supposed to be used mainly for servers like Active Directory. The root issue is that right now we don't support dynamic mapping of LDAP attributes to attributes of the user account. For servers like OpenLDAP we have some hard-coded mapping (like "cn" from LDAP is mapped to the user's firstName in Keycloak, "sn" from LDAP is mapped to the user's lastName in Keycloak and "mail" from LDAP is mapped to the user's email in KC). We plan to support dynamic attribute mapping in the future, so you will be able to configure that, for example, "cn" is mapped to the Keycloak username, "givenName" is mapped to firstName, "sn" to lastName etc.
JIRA is already created https://issues.jboss.org/browse/KEYCLOAK-599 but right now it's maybe not the biggest priority (feel free to vote in JIRA if you want to prioritize it) Marek On 29.10.2014 19:54, robinfernandes . wrote: > Hi, > > We are also testing with the same OpenLDAP version and the connection > is not a problem. The "Test Authentication" and the "Test Connection" > work just fine. > Below are the screenshots of my configuration. In the LDAP Provider > Settings in Keycloak if we use "*Username LDAP attribute = uid*" it > works well. However if we use "*Username LDAP attribute = cn*" it > fails to authenticate. Have you faced a similar problem? > > [image: Inline image 1] > > > > [image: Inline image 2] > > On Fri, Oct 24, 2014 at 2:52 AM, Marek Posolda > wrote: > > Hi, > > we are testing with OpenLDAP 2.4 and it works fine. Are you using a > different version? > > Also, couldn't the problem be a slow connection to the LDAP server? On the > LDAP configuration screen in the Keycloak admin console, you can try > "Test Connection" or "Test Authentication". Does this work well for you? > > If the connection is not a problem, maybe you can send the exception > stacktrace and your LDAP configuration (Once you configure LDAP, > there should be a message in server.log like "INFO > [org.keycloak.picketlink.ldap.PartitionManagerRegistry] Creating > new LDAP based partition manager for the Federation provider...." > with details about LDAP configuration. It may help if you send it > here as well) > > Thanks, > Marek > > > On 23.10.2014 17:13, robinfernandes . wrote: >> Hi guys, >> >> I am using *Keycloak 1.0.1* final and I have integrated it with >> *OpenLDAP*. >> When I try to authenticate the user which is in LDAP, it is not >> able to authenticate it and the exception that comes up is >> "org.h2.jdbc.JdbcSQLException: Timeout trying to lock table >> "USER_ENTITY" ; " >> Is there anyone who has faced this problem? Is there a way to set >> the lock table timeout to be more than what it is by default?
>> >> The other thing is, I tried authenticating with *Active Directory* >> and it works just fine. So I am guessing the problem is limited >> to OpenLDAP. >> >> Any help would be appreciated. >> >> Thanks, >> Robin >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > From prabhalar at yahoo.com Fri Oct 31 08:41:37 2014 From: prabhalar at yahoo.com (prab rrrr) Date: Fri, 31 Oct 2014 12:41:37 +0000 (UTC) Subject: [keycloak-user] OpenID Connect support In-Reply-To: <5452DD92.8020900@redhat.com> References: <5452DD92.8020900@redhat.com> Message-ID: <680633017.71362.1414759297021.JavaMail.yahoo@jws100207.mail.ne1.yahoo.com> Read the spec once again and agree to your point that access code can only be used once. Regarding "iss", as long as realm name is replaced by URL, it should be good. I will do some more testing today, mostly on validating the signature of the token and will let you know if I find any discrepancies. Thanks once again, for the response and explanation. On Thursday, October 30, 2014 8:53 PM, Bill Burke wrote: Section 3 does mention that the issuer is a URL using HTTPS, but this URL does not have to match the token endpoint URL.
It is just a unique identifier for the issuer. That's it. Maybe I'm just not understanding OIDC, but what you are describing for "aud" and "azp" doesn't make sense to me. An ID Token is not an access token. It's not something you pass around to use for authz. Neither do you pass around access codes. Access codes are only usable once. Keycloak just doesn't support multiple audiences. When an OAuth client is registered, a set of valid redirect URI patterns are associated with it. You cannot associate a client with another client. The ID Token will only ever contain one client_id in the "aud" and the "azp" will always be blank because it's an optional setting. We support narrowed "trust" by role scope mappings. When an access token is created for a specific client, it is only granted permissions that are configured for that client's scope. For example: * Service 'A' has roles of "user" and "admin" * Service 'B' has roles of "admin" and "analyst" * User has a role mapping of A.user, A.admin, B.admin, B.analyst * OAuth client 'C' is registered with a role scope mapping of A.user * OAuth client 'C' initiates a token request on behalf of the User; it gets an access token only with a permission of 'A.user' even though the user has other permissions. So it wouldn't be able to access Service 'B' at all. On 10/30/2014 6:42 PM, Raghuram wrote: > Hi Bill - here is my understanding of the spec: > > Section 3.1.3.7 of the core spec says that clients must validate the ID tokens. The third point of the same section says that "aud" can contain more than 1 element, in which case the fourth point says that the client should verify that "azp" is present, and the fifth point says azp should be verified against the client id > > Now when an OAuth client registers, it can specify multiple redirect URIs, corresponding to different OAuth clients that wish to participate in a single sign-on. When a user tries to access the first client and he is authenticated, the client just gets a code.
If the code is passed to the second client (the first client could be a web app and the second client could be a database service) then the second client could get an ID token. The auth server (Keycloak in this case) would then list all the client ids in "aud" and specify the second client in "azp", which will be validated by the second client. > > The above is a valid use case in our organization (authentication delegation). It gives flexibility to the apps (especially sensitive ones) to pick the apps they trust rather than just participate in an organization-wide single sign-on. > > Section 3 (OpenID Provider Metadata) of the discovery spec mentions that issuer is a URL using https. > > Hope I make sense. > > Thanks. > Sent from my iPhone > >> On Oct 30, 2014, at 4:58 PM, Bill Burke wrote: >> >> Ivan, btw, looking at the library you are using, validation of the ID token is optional. >> >>> On 10/30/2014 4:15 PM, Raghuram wrote: >>> I tested with libraries based on Apache Oltu and even I noticed that realm name is being sent in the ID token under "iss". "aud" is null when I included multiple redirect URIs which is breaking the validation (as per OpenID spec). "azp" is not being sent (it is optional unless more than 1 client is registered) - expect that to be sent once I register two clients. >> "aud" has been fixed in master. >> >> "iss" still is the realm name. This is just a unique identifier for the realm. And there is nothing in the spec that I could find that states that it must match the token endpoint URL. It just has to be a URL that uniquely identifies the issuer. It is something that is configured, or, found during OIDC discovery. >> >> "azp": >> Your interpretation of "azp" is not my interpretation of "azp". #1. "azp" is optional, we don't have to include it at all. #2 It would only have the value of the client that requested the token. In Keycloak, ID Tokens are generated and only given to one audience.
>> >> >>> Used /account for userinfo endpoint that didn't work. Will provide more feedback as I continue to test >> >> As I said before, we do not support userinfo yet. Our access tokens are JSON Web Signatures signed by the realm and the content is an extended version of ID Tokens that contains additional Keycloak metadata. >> >>> Fyi - My libraries were tested completely against a server implementation based on MITRE's OpenID Connect and they are good. >> >> It's on the roadmap to expand our OIDC support beyond the minimal requirements and to validate it against other implementations. Just haven't gotten to it yet. >> >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From robin1233 at gmail.com Fri Oct 31 09:36:04 2014 From: robin1233 at gmail.com (robinfernandes .) Date: Fri, 31 Oct 2014 09:36:04 -0400 Subject: [keycloak-user] Problems Authenticating with OpenLDAP In-Reply-To: <54535941.3040106@redhat.com> References: <5449F73A.1090306@redhat.com> <54535941.3040106@redhat.com> Message-ID: Hi, Thanks Marek for the clarity on the mapping of LDAP attributes to attributes of the user account. It gives us more confidence now moving forward with our implementation. Thanks, Robin On Fri, Oct 31, 2014 at 5:41 AM, Marek Posolda wrote: > Hi, > > for servers like OpenLDAP it's assumed that "uid" contains the username of > the user (and I think that if you change the "Vendor" combobox to "Other", it > will also change the "Username LDAP Attribute" too). Using "cn" is supposed > to be used mainly for servers like Active Directory. > > The root issue is that right now we don't support dynamic mapping of LDAP > attributes to attributes of the user account.
For servers like OpenLDAP we have > some hard-coded mapping (like "cn" from LDAP is mapped to the user's firstName > in Keycloak, "sn" from LDAP is mapped to the user's lastName in Keycloak and > "mail" from LDAP is mapped to the user's email in KC). > > We plan to support dynamic attribute mapping in the future, so you > will be able to configure that, for example, "cn" is mapped to the Keycloak > username, "givenName" is mapped to firstName, "sn" to lastName etc. JIRA is > already created https://issues.jboss.org/browse/KEYCLOAK-599 but right > now it's maybe not the biggest priority (feel free to vote in JIRA if you > want to prioritize it) > > Marek > > > On 29.10.2014 19:54, robinfernandes . wrote: > > Hi, > > We are also testing with the same OpenLDAP version and the connection is > not a problem. The "Test Authentication" and the "Test Connection" work > just fine. > Below are the screenshots of my configuration. In the LDAP Provider > Settings in Keycloak if we use "*Username LDAP attribute = uid*" it works > well. However if we use "*Username LDAP attribute = cn*" it fails to > authenticate. Have you faced a similar problem? > > [image: Inline image 1] > > > > [image: Inline image 2] > > On Fri, Oct 24, 2014 at 2:52 AM, Marek Posolda > wrote: > >> Hi, >> >> we are testing with OpenLDAP 2.4 and it works fine. Are you using a different >> version? >> >> Also, couldn't the problem be a slow connection to the LDAP server? On the LDAP >> configuration screen in the Keycloak admin console, you can try "Test >> Connection" or "Test Authentication". Does this work well for you? >> >> If the connection is not a problem, maybe you can send the exception stacktrace >> and your LDAP configuration (Once you configure LDAP, there should be a >> message in server.log like "INFO >> [org.keycloak.picketlink.ldap.PartitionManagerRegistry] Creating new LDAP >> based partition manager for the Federation provider...." with details about >> LDAP configuration.
It may help if you send it here as well) >> >> Thanks, >> Marek >> >> >> On 23.10.2014 17:13, robinfernandes . wrote: >> >> Hi guys, >> >> I am using *Keycloak 1.0.1* final and I have integrated it with >> *OpenLDAP*. >> When I try to authenticate the user which is in LDAP, it is not able to >> authenticate it and the exception that comes up is >> "*org.h2.jdbc.JdbcSQLException: Timeout trying to lock table "USER_ENTITY" >> ; *" >> Is there anyone who has faced this problem? Is there a way to set the >> lock table timeout to be more than what it is by default? >> >> The other thing is, I tried authenticating with *Active Directory* and >> it works just fine. So I am guessing the problem is limited to OpenLDAP. >> >> Any help would be appreciated. >> >> Thanks, >> Robin >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> > >
From bburke at redhat.com Fri Oct 31 11:41:34 2014 From: bburke at redhat.com (Bill Burke) Date: Fri, 31 Oct 2014 11:41:34 -0400 Subject: [keycloak-user] OpenID Connect support In-Reply-To: <680633017.71362.1414759297021.JavaMail.yahoo@jws100207.mail.ne1.yahoo.com> References: <5452DD92.8020900@redhat.com> <680633017.71362.1414759297021.JavaMail.yahoo@jws100207.mail.ne1.yahoo.com> Message-ID: <5453ADAE.3000801@redhat.com> realm name by itself is a valid URL, it's just not a URL with a scheme. On 10/31/2014 8:41 AM, prab rrrr wrote: > Read the spec once again and agree to your point that access code can > only be used once. Regarding "iss", as long as realm name is replaced by > URL, it should be good. I will do some more testing today, mostly on > validating the signature of the token and will let you know if I find > any discrepancies. > > Thanks once again, for the response and explanation. > > > On Thursday, October 30, 2014 8:53 PM, Bill Burke wrote: > > > Section 3 does mention that the issuer is a URL using HTTPS, but this > URL does not have to match the token endpoint URL. It is just a unique > identifier for the issuer. That's it. > > Maybe I'm just not understanding OIDC, but what you are describing for > "aud" and "azp" doesn't make sense to me. An ID Token is not an access > token. It's not something you pass around to use for authz. Neither do > you pass around access codes. Access codes are only usable once. > > Keycloak just doesn't support multiple audiences. When an OAuth client > is registered, a set of valid redirect URI patterns are associated with > it. You cannot associate a client with another client. The ID Token > will only ever contain one client_id in the "aud" and the "azp" will > always be blank because it's an optional setting.
> > We support narrowed "trust" by role scope mappings. When an access > token is created for a specific client, it is only granted permissions > that are configured for that client's scope. For example: > > * Service 'A' has roles of "user" and "admin" > * Service 'B' has roles of "admin" and "analyst" > * User has a role mapping of A.user, A.admin, B.admin, B.analyst > * OAuth client 'C' is registered with a role scope mapping of A.user > * OAuth client 'C' initiates a token request on behalf of the User; it > gets an access token only with a permission of 'A.user' even though the > user has other permissions. So it wouldn't be able to access Service 'B' > at all. > > > > On 10/30/2014 6:42 PM, Raghuram wrote: > > Hi Bill - here is my understanding of the spec: > > > > Section 3.1.3.7 of the core spec says that clients must validate the > id tokens. The third point of the same section says that "aud" can > contain more than 1 element, in which case the fourth point says that the > client should verify that "azp" is present, and the fifth point says azp > should be verified against the client id > > > > Now when an OAuth client registers, it can specify multiple redirect > URIs, corresponding to different OAuth clients that wish to participate in a > single sign-on. When a user tries to access the first client and he is > authenticated, the client just gets a code. If the code is passed to the > second client (the first client could be a web app and the second client > could be a database service) then the second client could get an > ID token. The auth server (Keycloak in this case) would then list all > the client ids in "aud" and specify the second client in "azp", which > will be validated by the second client. > > > > The above is a valid use case in our organization (authentication > delegation). It gives flexibility to the apps (especially sensitive > ones) to pick the apps they trust rather than just participate in an > organization-wide single sign-on.
> > > > Section 3 (OpenID Provider Metadata) of the discovery spec mentions > that issuer is a URL using https. > > > > Hope I make sense. > > > > Thanks. > > Sent from my iPhone > > > >> On Oct 30, 2014, at 4:58 PM, Bill Burke > wrote: > >> > >> Ivan, btw, looking at the library you are using, validation of the > ID token is optional. > >> > >>> On 10/30/2014 4:15 PM, Raghuram wrote: > >>> I tested with libraries based on Apache Oltu and even I noticed > that realm name is being sent in the ID token under "iss". "aud" is null > when I included multiple redirect URIs which is breaking the validation > (as per OpenID spec). "azp" is not being sent (it is optional unless > more than 1 client is registered) - expect that to be sent once I > register two clients. > >> "aud" has been fixed in master. > >> > >> "iss" still is the realm name. This is just a unique identifier for > the realm. And there is nothing in the spec that I could find that > states that it must match the token endpoint URL. It just has to be a > URL that uniquely identifies the issuer. It is something that is > configured, or, found during OIDC discovery. > >> > >> "azp": > >> Your interpretation of "azp" is not my interpretation of "azp". #1. > "azp" is optional, we don't have to include it at all. #2 It would only > have the value of the client that requested the token. In Keycloak, ID > Tokens are generated and only given to one audience. > >> > >> > >>> Used /account for userinfo endpoint that didn't work. Will provide > more feedback as I continue to test > >> > >> As I said before, we do not support userinfo yet. Our access tokens > are JSON Web Signatures signed by the realm and the content is an > extended version of ID Tokens that contains additional Keycloak metadata. > >> > >>> Fyi - My libraries were tested completely against a server > implementation based on MITRE's OpenID Connect and they are good.
> >> > >> It's on the roadmap to expand our OIDC support beyond the minimal > requirements and to validate it against other implementations. Just > haven't gotten to it yet. > >> > >> > >> -- > >> Bill Burke > >> JBoss, a division of Red Hat > >> http://bill.burkecentral.com > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From ivan at akvo.org Fri Oct 31 11:49:52 2014 From: ivan at akvo.org (Iván Perdomo) Date: Fri, 31 Oct 2014 16:49:52 +0100 Subject: [keycloak-user] OpenID Connect support In-Reply-To: <5453ADAE.3000801@redhat.com> References: <5452DD92.8020900@redhat.com> <680633017.71362.1414759297021.JavaMail.yahoo@jws100207.mail.ne1.yahoo.com> <5453ADAE.3000801@redhat.com> Message-ID: <20141031164952.5778dca6@akvo.org> Wouldn't just using https:///auth/realms/ be a way to meet the specification but also enable the multi-tenant behavior in Keycloak? Just an idea On Fri, 31 Oct 2014 11:41:34 -0400 Bill Burke wrote: > realm name by itself is a valid URL, it's just not a URL with a scheme. > > On 10/31/2014 8:41 AM, prab rrrr wrote: > > Read the spec once again and agree to your point that access code > > can only be used once. Regarding "iss", as long as realm name is > > replaced by URL, it should be good. I will do some more testing > > today, mostly on validating the signature of the token and will let > > you know if I find any discrepancies. > > > > Thanks once again, for the response and explanation. > > > > > > On Thursday, October 30, 2014 8:53 PM, Bill Burke > > wrote: > > > > > > Section 3 does mention that the issuer is a URL using HTTPS, but > > this URL does not have to match the token endpoint URL. It is just > > a unique identifier for the issuer. That's it. > > > > Maybe I'm just not understanding OIDC, but what you are describing > > for "aud" and "azp" doesn't make sense to me. An ID Token is not > > an access token.
> > It's not something you pass around to use for authz. Neither do you pass around access codes. Access codes are only usable once.
> >
> > Keycloak just doesn't support multiple audiences. When an oauth client is registered, a set of valid redirect uri patterns are associated with it. You cannot associate a client with another client. The ID Token will only ever contain one client_id in the "aud" and the "azp" will always be blank because it's an optional setting.
> >
> > We support narrowed "trust" by role scope mappings. When an access token is created for a specific client, it is only granted permissions that are configured for that client's scope. For example:
> >
> > * Service 'A' has roles of "user" and "admin"
> > * Service 'B' has roles of "admin" and "analyst"
> > * User has a role mapping of A.user, A.admin, B.admin, B.analyst
> > * Oauth client "C" is registered with a role scope mapping of A.user
> > * Oauth client 'C' initiates a token request on behalf of the User, it gets an access token only with a permission of 'A.user' even though the user has other permissions. So it wouldn't be able to access Service 'B' at all.
> >
> > On 10/30/2014 6:42 PM, Raghuram wrote:
> > > Hi Bill - here is my understanding of the spec:
> > >
> > > Section 3.1.3.7 of the core spec says that clients must validate the id tokens. The third point of the same section says that "aud" can contain more than 1 element, in which case the fourth point says that the client should verify that "azp" is present and the fifth point says azp should be verified against the client id.
> > >
> > > Now when an oauth client registers, it can specify multiple redirect Uris, corresponding to diff oauth clients that wish to participate in a single sign on. When a user tries to access first client and he is authenticated, the client just gets a code.
If the code is > > passed to the second client ( the first client could be web app and > > the second client could be a database service) then the second > > client could get an Idtoken. The auth server (key cloak in this > > case) would then list all the client ids in "aud" and specify the > > second client in "azp" which will be validated by the second client. > > > > > > The above is a valid use case in our organization > > > ( authentication > > delegation). It gives flexibility to the apps ( especially sensitive > > ones) to pick the apps they trust rather than just participate in an > > organization wide single sign on. > > > > > > Section 3 (openID provider metadata) of the discovery spec > > > mentions > > that issuer is a url using https. > > > > > > Hope I make sense. > > > > > > Thanks. > > > Sent from my iPhone > > > > > >> On Oct 30, 2014, at 4:58 PM, Bill Burke > > wrote: > > >> > > >> Ivan, btw, looking at the library you are using, validation of > > >> the > > ID token is optional. > > >> > > >>> On 10/30/2014 4:15 PM, Raghuram wrote: > > >>> I tested with libraries based on Apache Oltu and even I noticed > > that realm name is being sent in the Idtoken under "iss". "aud" is > > null when I included multiple redirect Uris which is breaking the > > validation (as per openid spec). "azp" is not being sent (it is > > optional unless more than 1 client is registered) - expect that to > > be sent once I register two clients. > > >> "aud" has been fixed in master. > > >> > > >> "iss" still is the realm name. This is just a unique > > >> identifier for > > the realm. And there is nothing in the spec that I could find that > > states that it must match the token endpoint URL. It just has to > > be a URL that uniquely identifies the issuer. It is something that > > is configured, or, found during OIDC discovery. > > >> > > >> "AZP > > >> Your interpretation of AZP is not my interpretation of AZP. #1. > > AZP is optional, we don't have to include it at all. 
#2 It would > > only have the value of the client that requested the token. In > > Keycloak, ID Tokens are generated and only given to one audience. > > >> > > >> > > >>> Used /account for userinfo end point that didn't work. Will > > >>> provide > > more feedback as I continue to test > > >> > > >> As I said before, we do not support userinfo yet. Our access > > >> tokens > > are Json Web Signatures signed by the realm and the content is an > > extended version of ID Tokens that contains additional keycloak > > metadata. > > >> > > >>> Fyi -My libraries were tested completely against a server > > implementation based on Mitre's open Id connect and they are good. > > >> > > >> It's on the roadmap to expand our OIDC support beyond the > > >> minimal > > requirements and to validate it against other implementations. Just > > haven't gotten to it yet. > > >> > > >> > > >> -- > > >> Bill Burke > > >> JBoss, a division of Red Hat > > >> http://bill.burkecentral.com > > > > > > -- > > Bill Burke > > JBoss, a division of Red Hat > > http://bill.burkecentral.com > > > > > -- Iv?n From alexander.chriztopher at gmail.com Fri Oct 31 11:59:24 2014 From: alexander.chriztopher at gmail.com (Alexander Chriztopher) Date: Fri, 31 Oct 2014 16:59:24 +0100 Subject: [keycloak-user] Java API documentation In-Reply-To: <1314214423.165496.1414610170091.JavaMail.yahoo@jws100156.mail.ne1.yahoo.com> References: <1314214423.165496.1414610170091.JavaMail.yahoo@jws100156.mail.ne1.yahoo.com> Message-ID: I have upgraded to 1.0.4.Final but still have the issue. I would consider this as a bug in Keycloak -well in the client at least- as am using Wildfly and i am embedding the Jackson dependencies with my war anyway. These dependencies are pulled by the Keycloak ones. @Keycloak team : should i open an issue for this one ? On Wed, Oct 29, 2014 at 8:16 PM, Kamal Jagadevan wrote: > Hi Alexander, > On a second look, my problem was with my tomcat application that > integrates with Keycloak. 
This tomcat application was using fasterxml > jackson parser whereas keycloak implementation uses codehaus jackson which > gets overridden during runtime. I was able to overcome this problem by > creating PropertyNamingStrategy and set it to ObjectMapper before > deserializing the JSON. > > Alternatively Keycloak implementation can be modified to use fasterxml > jackson databinding. > > -Kamal > > ------------------------------ > *From:* Alexander Chriztopher > *To:* Kamal Jagadevan > *Cc:* "keycloak-user at lists.jboss.org" > *Sent:* Monday, October 27, 2014 12:54 PM > *Subject:* Re: [keycloak-user] Java API documentation > > Hi Kamal and thanks. > > Am using the keycloak admin client which brings the following Jackson > dependency : jackson-core-asl:1.9.9 and can not override this. I also don't > have the option to change the property mapping as it comes with the > Keycloak distribution am using :-( > > > > On Mon, Oct 27, 2014 at 4:54 PM, Kamal Jagadevan > wrote: > > Hi Alexander, > I had faced the same problem few days back it is because of the > mismatch between JSONProperty and POJO variable name(getter method) that > too with fasterxml jackson parser. > If you use codehaus jackson parser you wouldnt get any problem. One work > around to this problem is to update the POJO variable name to reflect the > JSONProperty name. > Similar problem is observed in multiple places where deserialization kicks > in.. > > Specifically it is because of this > > @JsonProperty("*access_token*") > protected String *token*; > > Hi Bill, > Do you have any other ideas besides updating POJOs member variable > name matching the JSON property? Please advise. 
> > Thanks > Kamal > > > ------------------------------ > *From:* Alexander Chriztopher > *To:* "keycloak-user at lists.jboss.org" > *Sent:* Monday, October 27, 2014 11:45 AM > *Subject:* [keycloak-user] Java API documentation > > Hi All, > > Am using Keycloak 1.0.2.Final and am getting this error when using the > rest API : > > Caused by: > *com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException*: > Unrecognized field "access_token" (class > org.keycloak.representations.AccessTokenResponse), not marked as ignorable > (7 known properties: "tokenType", "notBeforePolicy", "token", "expiresIn", > "sessionState", "refreshToken", "idToken"]) > at [Source: org.apache.http.conn.EofSensorInputStream at 11b8a95d; line: 1, > column: 18] (through reference chain: > org.keycloak.representations.AccessTokenResponse["access_token"]) > at com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException.from( > *UnrecognizedPropertyException.java:51*) > [jackson-databind-2.3.2.jar:2.3.2] > at > com.fasterxml.jackson.databind.DeserializationContext.reportUnknownProperty( > *DeserializationContext.java:671*) [jackson-databind-2.3.2.jar:2.3.2] > at > com.fasterxml.jackson.databind.deser.std.StdDeserializer.handleUnknownProperty( > *StdDeserializer.java:771*) [jackson-databind-2.3.2.jar:2.3.2] > at > com.fasterxml.jackson.databind.deser.BeanDeserializerBase.handleUnknownProperty( > *BeanDeserializerBase.java:1297*) [jackson-databind-2.3.2.jar:2.3.2] > at > com.fasterxml.jackson.databind.deser.BeanDeserializerBase.handleUnknownVanilla( > *BeanDeserializerBase.java:1275*) [jackson-databind-2.3.2.jar:2.3.2] > at > com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize( > *BeanDeserializer.java:247*) [jackson-databind-2.3.2.jar:2.3.2] > at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize( > *BeanDeserializer.java:118*) [jackson-databind-2.3.2.jar:2.3.2] > at com.fasterxml.jackson.databind.ObjectReader._bind( > *ObjectReader.java:1233*) 
> [jackson-databind-2.3.2.jar:2.3.2]
> at com.fasterxml.jackson.databind.ObjectReader.readValue(ObjectReader.java:677) [jackson-databind-2.3.2.jar:2.3.2]
> at org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider.readFrom(ResteasyJackson2Provider.java:120) [resteasy-jackson2-provider-3.0.8.Final.jar:]
> at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.readFrom(AbstractReaderInterceptorContext.java:59) [resteasy-jaxrs-3.0.8.Final.jar:]
> at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:51) [resteasy-jaxrs-3.0.8.Final.jar:]
> at org.jboss.resteasy.security.doseta.DigitalVerificationInterceptor.aroundReadFrom(DigitalVerificationInterceptor.java:32) [resteasy-crypto-3.0.8.Final.jar:]
> at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:53) [resteasy-jaxrs-3.0.8.Final.jar:]
> at org.jboss.resteasy.plugins.interceptors.encoding.GZIPDecodingInterceptor.aroundReadFrom(GZIPDecodingInterceptor.java:59) [resteasy-jaxrs-3.0.8.Final.jar:]
> at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:53) [resteasy-jaxrs-3.0.8.Final.jar:]
> at org.jboss.resteasy.client.jaxrs.internal.ClientResponse.readFrom(ClientResponse.java:248) [resteasy-client-3.0.8.Final.jar:]
> ... 164 more
>
> Was wondering where this comes from as am using the 1.0.2.Final admin api and have updated my Wildfly Server accordingly.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
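Kamal's PropertyNamingStrategy workaround from the thread above, written out as an added example (not code from the list or from Keycloak's own sources): Jackson 2 ignores the codehaus @JsonProperty annotations, so it only knows the seven Java property names listed in the exception; the strategy below maps them to the standard OAuth2 wire names, with "not-before-policy" assumed to be Keycloak's name for notBeforePolicy.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.PropertyNamingStrategy;

import org.keycloak.representations.AccessTokenResponse;

/**
 * Jackson 2 ignores the codehaus @JsonProperty annotations on AccessTokenResponse,
 * so it only knows the Java names. This strategy maps those names to the JSON
 * names the token endpoint sends.
 */
public class TokenResponseNamingStrategy
        extends PropertyNamingStrategy.PropertyNamingStrategyBase {

    private static final Map<String, String> JAVA_TO_JSON = new HashMap<String, String>();
    static {
        // The seven "known properties" from the exception, paired with the
        // OAuth2 wire names; "not-before-policy" is Keycloak's own (assumed).
        JAVA_TO_JSON.put("token", "access_token");
        JAVA_TO_JSON.put("expiresIn", "expires_in");
        JAVA_TO_JSON.put("refreshToken", "refresh_token");
        JAVA_TO_JSON.put("tokenType", "token_type");
        JAVA_TO_JSON.put("idToken", "id_token");
        JAVA_TO_JSON.put("notBeforePolicy", "not-before-policy");
        JAVA_TO_JSON.put("sessionState", "session_state");
    }

    @Override
    public String translate(String propertyName) {
        String jsonName = JAVA_TO_JSON.get(propertyName);
        return jsonName != null ? jsonName : propertyName;
    }

    /** An ObjectMapper able to read a Keycloak token response. */
    public static ObjectMapper tokenResponseMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.setPropertyNamingStrategy(new TokenResponseNamingStrategy());
        return mapper;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample; a real response carries signed JWTs here.
        String json = "{\"access_token\":\"eyJ.sample.token\",\"expires_in\":300,"
                + "\"refresh_token\":\"eyJ.sample.refresh\",\"token_type\":\"bearer\","
                + "\"session_state\":\"constructed-session-id\"}";
        AccessTokenResponse response =
                tokenResponseMapper().readValue(json, AccessTokenResponse.class);
        System.out.println("access_token = " + response.getToken());
        System.out.println("token_type   = " + response.getTokenType());
    }
}
```

To make a JAX-RS client such as RESTEasy use this mapper, register it through a javax.ws.rs.ext.ContextResolver<ObjectMapper> provider on the client.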
From alexander.chriztopher at gmail.com Fri Oct 31 14:27:12 2014
From: alexander.chriztopher at gmail.com (Alexander Chriztopher)
Date: Fri, 31 Oct 2014 19:27:12 +0100
Subject: [keycloak-user] Getting the current user name in EJB
Message-ID:

Hi All,

Am trying to get the name and surname of the currently connected user by doing this :

    import java.io.Serializable;
    import java.security.Principal;

    import javax.annotation.Resource;
    import javax.annotation.security.RolesAllowed;
    import javax.ejb.EJBContext;
    import javax.ejb.LocalBean;
    import javax.ejb.Stateless;

    import org.jboss.ejb3.annotation.SecurityDomain;

    @Stateless(name="myEJB")
    @LocalBean
    @SecurityDomain("keycloak")   // callers are authenticated through the Keycloak security domain
    public class MyEJB implements Serializable {

        private static final long serialVersionUID = 1L;

        @Resource
        private EJBContext ejbContext;

        @RolesAllowed("ADMIN")   // the container rejects callers without this role
        public void test() {
            Principal principal = ejbContext.getCallerPrincipal();
            System.out.println("principal.getName() = " + principal.getName());
        }
    }

This works nicely as I get a 403 if my currently connected user does have the role : ADMIN.

My question is : does keycloak propagate the username or any other information that would help me get the first name and last name of the currently connected user? Unfortunately, principal.getName() returns a string like this : edd42240-85bf-4724-8d79-5374338506b7 which I don't know the interpretation!

Thanks for any help.

From bburke at redhat.com Fri Oct 31 15:10:16 2014
From: bburke at redhat.com (Bill Burke)
Date: Fri, 31 Oct 2014 15:10:16 -0400
Subject: [keycloak-user] Getting the current user name in EJB
In-Reply-To:
References:
Message-ID: <5453DE98.6080303@redhat.com>

You should be able to typecast Principal to KeycloakPrincipal.
On 10/31/2014 2:27 PM, Alexander Chriztopher wrote:
> Hi All,
>
> Am trying to get the name and surname of the currently connected user by doing this :
>
> import java.io.Serializable;
> import java.security.Principal;
>
> import javax.annotation.Resource;
> import javax.annotation.security.RolesAllowed;
> import javax.ejb.EJBContext;
> import javax.ejb.LocalBean;
> import javax.ejb.Stateless;
>
> import org.jboss.ejb3.annotation.SecurityDomain;
>
> @Stateless(name="myEJB")
> @LocalBean
> @SecurityDomain("keycloak")
> public class MyEJB implements Serializable {
>
>     private static final long serialVersionUID = 1L;
>
>     @Resource
>     private EJBContext ejbContext;
>
>     @RolesAllowed("ADMIN")
>     public void test() {
>         Principal principal = ejbContext.getCallerPrincipal();
>         System.out.println("principal.getName() = " + principal.getName());
>     }
> }
>
> This works nicely as I get a 403 if my currently connected user does have the role : ADMIN.
>
> My question is : does keycloak propagate the username or any other information that would help me get the first name and last name of the currently connected user? Unfortunately, principal.getName() returns a string like this : edd42240-85bf-4724-8d79-5374338506b7 which I don't know the interpretation!
>
> Thanks for any help.
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
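Bill's suggestion spelled out as an added example (not code from the list or from Keycloak's own sources): it assumes the adapter's KeycloakPrincipal exposes getKeycloakSecurityContext() and that the realm puts given_name/family_name claims in the access token; the UUID that getName() returns is the token subject ("sub"), which is why it looks opaque.

```java
import java.io.Serializable;
import java.security.Principal;

import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBContext;
import javax.ejb.LocalBean;
import javax.ejb.Stateless;

import org.jboss.ejb3.annotation.SecurityDomain;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

@Stateless(name = "myEJB")
@LocalBean
@SecurityDomain("keycloak")
public class MyEJB implements Serializable {

    private static final long serialVersionUID = 1L;

    /** What the caller's Keycloak token says about them. */
    public static final class CallerInfo {
        public final String subject;     // the UUID getName() returns: the token "sub" claim
        public final String username;    // preferred_username
        public final String givenName;   // given_name, null if the realm does not send it
        public final String familyName;  // family_name, null if the realm does not send it

        CallerInfo(String subject, String username, String givenName, String familyName) {
            this.subject = subject;
            this.username = username;
            this.givenName = givenName;
            this.familyName = familyName;
        }
    }

    @Resource
    private EJBContext ejbContext;

    @RolesAllowed("ADMIN")
    public CallerInfo whoAmI() {
        Principal principal = ejbContext.getCallerPrincipal();
        if (!(principal instanceof KeycloakPrincipal)) {
            // Not authenticated through the Keycloak security domain:
            // only the opaque principal name is available.
            return new CallerInfo(principal.getName(), null, null, null);
        }
        KeycloakSecurityContext ctx = ((KeycloakPrincipal) principal).getKeycloakSecurityContext();
        AccessToken token = ctx.getToken();
        return new CallerInfo(token.getSubject(), token.getPreferredUsername(),
                token.getGivenName(), token.getFamilyName());
    }
}
```

Treat the name claims as informational only; the role check stays with @RolesAllowed, which the container enforces before the method body runs.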