From kalc04 at gmail.com Wed Jul 1 01:58:00 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Wed, 1 Jul 2015 11:28:00 +0530
Subject: [keycloak-user] Importing an Application (Client) into an
Existing Realm
In-Reply-To: <559282DC.4010503@redhat.com>
References:
<559282DC.4010503@redhat.com>
Message-ID:
Thanks Marek for the suggestion on the client utility; we will evaluate our
options.
However, you haven't answered my question on the 'Import Client' option. Is
that something we could make use of here? I couldn't find any related
documentation, hence the confusion as of now. I'd appreciate it if you could give
some insight.
Regards,
Lohitha.
On Tue, Jun 30, 2015 at 5:21 PM, Marek Posolda wrote:
> On 30.6.2015 08:37, Lohitha Chiranjeewa wrote:
>
> Hi,
>
> We get the need to create applications (clients) from time to time in our
> already existing realm. Since these clients have to be created in all the
> environments (dev, QA, staging, production) we'd like it to be (partly)
> automated rather than creating them through Admin console in each
> environment.
>
> In that case, I would create some admin client utility, which will invoke
> REST endpoints for create new client into each realm (environment) you
> want.
>
>
> We've seen an 'Import Client' option in the Clients section in the Admin
> console, but not sure how to create the initial client so that it can be
> imported. The only import type is 'SAML 2.0 Entity Descriptor', which we
> aren't sure about as well. Can someone point out how we should continue to
> build the initial client here?
>
> Also, if there is an option to update the existing realm with the 'Export
> Realm' facility, that would do as well. However that's not possible I
> suppose?
>
> Not yet; probably it's something which we can improve. Feel free to create a
> JIRA.
>
> Marek
>
>
>
> Regards,
> Lohitha.
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150701/9ff2bed9/attachment.html
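The admin client utility Marek suggests, worked through as an added example (this is not code from the thread or from the Keycloak project). It creates the same OIDC client in each environment's realm through the admin REST API and refuses redirect URIs that would let an authorization code leak (wildcards, plain http to a non-local host). Assumed, not taken from the page: the Keycloak 1.x URL layout (/auth/realms/master/protocol/openid-connect/token with client_id "admin-cli" for the admin token, /auth/admin/realms/{realm}/clients for the client), the ClientRepresentation field names clientId, enabled, protocol, publicClient, redirectUris and webOrigins, and a 409 reply when the clientId already exists. The HTTP transport is a parameter, so the rollout can be dry-run offline against the constructed FakeKeycloak below; the hosts and passwords are placeholders.

```python
"""Rollout helper: create the same OIDC client in each environment's realm through the
Keycloak admin REST API (assumed 1.x layout). Transport is injectable for offline dry-runs."""
import json
import urllib.error
import urllib.parse
import urllib.request

LOCAL_HOSTS = ("localhost", "127.0.0.1")

def redirect_uri_problems(uris):
    """Flag redirect URIs that let a code or token leak: wildcards, http to non-local hosts,
    bare origins without an explicit path."""
    problems = []
    for uri in uris:
        parts = urllib.parse.urlsplit(uri)
        if "*" in uri:
            problems.append("wildcard: " + uri)
        elif parts.scheme != "https" and parts.hostname not in LOCAL_HOSTS:
            problems.append("not https: " + uri)
        elif not parts.path:
            problems.append("no explicit path: " + uri)
    return problems

def build_client_representation(client_id, redirect_uris, public_client=False):
    """Minimal ClientRepresentation (assumed field names); webOrigins is derived from the
    redirect URIs so CORS opens only to the application's own origins, never '*'."""
    problems = redirect_uri_problems(redirect_uris)
    if problems:
        raise ValueError("; ".join(problems))
    origins = sorted({f"{p.scheme}://{p.netloc}" for p in map(urllib.parse.urlsplit, redirect_uris)})
    return {"clientId": client_id, "enabled": True, "protocol": "openid-connect",
            "publicClient": public_client, "redirectUris": list(redirect_uris),
            "webOrigins": origins}

def urllib_http(method, url, headers, body=None):
    """Default transport: returns (status, text); HTTP error statuses are returned, not raised."""
    data = body.encode("utf-8") if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def admin_token(base_url, username, password, http=urllib_http):
    """Direct grant against the master realm with the admin-cli client (assumed layout)."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password})
    status, text = http("POST", f"{base_url}/auth/realms/master/protocol/openid-connect/token",
                        {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200:
        raise RuntimeError(f"token request failed: {status} {text}")
    return json.loads(text)["access_token"]

def create_client(base_url, realm, token, representation, http=urllib_http):
    """POST the client; 409 (clientId already present) counts as success, so re-runs are idempotent."""
    status, text = http("POST", f"{base_url}/auth/admin/realms/{realm}/clients",
                        {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
                        json.dumps(representation))
    if status == 201:
        return "created"
    if status == 409:
        return "exists"
    raise RuntimeError(f"create client in realm {realm} failed: {status} {text}")

def rollout(client_id, environments, credentials, http=urllib_http):
    """Create client_id in every environment; returns {env_name: 'created' | 'exists'}."""
    outcome = {}
    for name, env in environments.items():
        token = admin_token(env["base_url"], *credentials[name], http=http)
        rep = build_client_representation(client_id, env["redirect_uris"])
        outcome[name] = create_client(env["base_url"], env["realm"], token, rep, http)
    return outcome

class FakeKeycloak:
    """Constructed offline stand-in for the two endpoints used above (not a real server)."""
    def __init__(self):
        self.clients = set()

    def __call__(self, method, url, headers, body=None):
        if url.endswith("/protocol/openid-connect/token"):
            return 200, json.dumps({"access_token": "constructed-admin-token"})
        if headers.get("Authorization") != "Bearer constructed-admin-token":
            return 401, ""
        key = (url, json.loads(body)["clientId"])
        if key in self.clients:
            return 409, json.dumps({"errorMessage": "Client already exists"})
        self.clients.add(key)
        return 201, ""

# Constructed sample environments; hosts and passwords are placeholders.
ENVIRONMENTS = {
    "dev": {"base_url": "https://kc-dev.example.test", "realm": "myrealm",
            "redirect_uris": ["https://app-dev.example.test/callback"]},
    "prod": {"base_url": "https://kc.example.test", "realm": "myrealm",
             "redirect_uris": ["https://app.example.test/callback"]},
}
CREDENTIALS = {"dev": ("admin", "dev-placeholder"), "prod": ("admin", "prod-placeholder")}

if __name__ == "__main__":
    fake = FakeKeycloak()
    print(rollout("myapp", ENVIRONMENTS, CREDENTIALS, http=fake))  # all 'created'
    print(rollout("myapp", ENVIRONMENTS, CREDENTIALS, http=fake))  # all 'exists'
```

Running it twice against the same environment is the point: the first pass creates, the second reports "exists" instead of failing, so the same script can be part of every environment's provisioning. Replace the fake with the default urllib transport to talk to a real server.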
From sonicaaaa at gmail.com Wed Jul 1 04:07:20 2015
From: sonicaaaa at gmail.com (Paolo Antinori)
Date: Wed, 1 Jul 2015 10:07:20 +0200
Subject: [keycloak-user] problem with keycloak on openshift
Message-ID:
Hi guys, I have deployed an instance of keycloak on openshift
following the steps described here:
https://github.com/keycloak/openshift-keycloak-cartridge
The operation apparently went ok and I have been able to login to the
instance and see kc administrative interface.
Problem is that after a while, I am no longer able to login to the
instance. Not even if I restart it.
This is the error I see when trying:
Bad Request
Your browser sent a request that this server could not understand.
Size of a request header field exceeds server limit.
X-Forwarded-Host
/n
And I get that with both Firefox and Chromium on Linux.
This is from curl:
$ curl -L -v https://kc-paolo.rhcloud.com/
* Trying 54.89.206.14...
* Connected to kc-paolo.rhcloud.com (54.89.206.14) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
* Server certificate:
* subject: CN=*.rhcloud.com,O=Red Hat Inc.,L=Raleigh,ST=North Carolina,C=US
* start date: Apr 07 00:00:00 2015 GMT
* expire date: Apr 11 12:00:00 2018 GMT
* common name: *.rhcloud.com
* issuer: CN=DigiCert SHA2 High Assurance Server
CA,OU=www.digicert.com,O=DigiCert Inc,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.40.0
> Host: kc-paolo.rhcloud.com
> Accept: */*
>
< HTTP/1.1 400 Bad Request
< Date: Wed, 01 Jul 2015 08:06:46 GMT
< Server: Apache/2.2.15 (Red Hat)
< Content-Length: 392
< Content-Type: text/html; charset=iso-8859-1
< Connection: close
<
400 Bad Request
Bad Request
Your browser sent a request that this server could not understand.
Size of a request header field exceeds server limit.
X-Forwarded-Host
/n
Apache/2.2.15 (Red Hat) Server at localhost Port 80
* Closing connection 0
Any idea about what's wrong?
Thank you,
Paolo
From gregj at thesoftwarecottage.com.au Wed Jul 1 08:41:41 2015
From: gregj at thesoftwarecottage.com.au (Greg Jones)
Date: Wed, 1 Jul 2015 22:41:41 +1000
Subject: [keycloak-user] User Registration using UserFederationProvider
In-Reply-To: <559288F5.7090405@redhat.com>
References: <05125352-EFEC-45C9-94D5-8B45078E63EC@thesoftwarecottage.com.au>
<559288F5.7090405@redhat.com>
Message-ID: <75BD196F-BD74-4106-A252-18924D929F44@thesoftwarecottage.com.au>
Hi Marek,
An update on today's trials:
1. Getting the proxy UserModel to perform the registration is not workable. Our back-end has about 15 required fields, which need to be set in order to register the user. It would be necessary to keep track of each property being set in order to determine when we have enough information to actually register the user. We could call our register method once the last field on the screen has been set, but this creates a very fragile system.
2. I have forked the Keycloak code and made a couple of changes (setting the attributes from the form earlier) that have made it possible to register the user when the provider's register method is called. I believe this has no side-effects on Keycloak but I will do some further testing before raising a Jira and/or creating a pull request.
3. Throwing a ModelException causes an internal server error to be displayed on the page, rather than being displayed as an error message. I have added a catch statement to the code in LoginActionsService to catch any registration exceptions and display the appropriate error on the registration page. This is with 1.3.1.Final but I don't think this has changed in master.
Thanks again for your assistance.
Regards,
Greg J.
> On 30 Jun 2015, at 10:17 pm, Marek Posolda wrote:
>
> On 30.6.2015 08:06, Greg Jones wrote:
>> Hi Team,
>>
>> We are implementing Keycloak as an SSO Server, linked to our existing back-end that is currently responsible for maintaining user registration details. We have developed a UserFederationProvider and are able to login correctly and add our existing authentication token to the JSON Web Token.
>>
>> The next step was to use the back-end server for user registrations and this is where we are having problems.
>>
>> We have added the desired fields to registration.ftl for our chosen theme and have verified that these fields are being added as attributes. We have the problem that the federation provider's register(RealmModel realm, UserModel user) method is called before any fields (other than username) are populated from the registration form (See LoginActionsService.java - line 625) and we cannot register the user without these fields being populated.
> Yes, the method UserFederationProvider.register() is called with UserModel object, which has just username set. I agree that it could be possibly more friendly... Could you please create JIRA?
>
> But you should have the possibility to address this (even if it's not very easy). From the "register" method (and maybe from other methods of your provider as well, according to your use case), you are supposed to return a "proxy" UserModel object wrapping the "local" (Keycloak DB based) UserModel object. In that case, when some method is invoked on the proxy (like setFirstName, setLastName, setAttribute etc.) you can update the data in your backend as well. See the example https://github.com/keycloak/keycloak/blob/master/examples/providers/federation-provider/src/main/java/org/keycloak/examples/federation/properties/FilePropertiesFederationProvider.java#L32
>
>>
>> For our demo to the team, we have found a work-around, whereby we have created an EventListenerProvider that handles the REGISTER event, and performs the user registration at that point. This works since we have all of the information we need by then.
>>
>> Clearly, Keycloak is expecting to be the primary holder for information collected during the registration process but there are several issues with the way it currently works:
>>
>> 1. There is no way to add validation for any extra fields that are added to the registration page, or to change the validation rules for existing fields on that page. It would be useful to have a Validation SPI for modules to be able to provide their own validation.
>> 2. As mentioned, the federation provider's register method is called before the additional fields are added to the UserModel.
>> 3. There is no way for the federation provider's register method to report an error during registration, e.g. a comms error or missing data. Any exception thrown during this call results in a blank page showing "Internal Server Error".
> If you throw ModelException either from "register" method or from "setXXX" method of your proxy UserModel object returned from the register method, then the text thrown from the exception is properly displayed in admin console UI. At least in latest 1.3.1 it should work AFAIK. Can you check this ?
>
> There might still be the issue that the "register" method is called with a UserModel with just the username filled, so if some attribute is not valid, your DB may already have the "invalid" object created from the register method. You can address this by not sending your user to your backend when the "register" method is called, but just returning the proxy. Then you will update your backend later once all the attributes are valid and properly set.
>
> Marek
>>
>> I am hoping for some guidance here, on whether we have chosen the correct approach to user registration or whether we should be doing it differently.
>>
>> Thanks in advance,
>> Greg Jones
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
From kevin.thorpe at p-i.net Wed Jul 1 09:09:28 2015
From: kevin.thorpe at p-i.net (Kevin Thorpe)
Date: Wed, 1 Jul 2015 14:09:28 +0100
Subject: [keycloak-user] How read added mapper attribute from ldap?
In-Reply-To: <5592996D.8000108@redhat.com>
References:
<5592996D.8000108@redhat.com>
Message-ID:
Hi Marek, I'm having problems doing a distribution build. Are you expecting
that to work?
What extra information do you want from me? I am not a Java developer so
I'm not sure.
[INFO]
------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO]
------------------------------------------------------------------------
[INFO] Total time: 01:58 min
[INFO] Finished at: 2015-07-01T14:06:24+01:00
[INFO] Final Memory: 122M/464M
[INFO]
------------------------------------------------------------------------
[ERROR] Failed to execute goal
org.apache.maven.plugins:maven-surefire-plugin:2.17:test (default-test) on
project arquillian-integration: There are test failures.
[ERROR]
[ERROR] Please refer to
/home/kevin/keycloak/testsuite/integration-arquillian/target/surefire-reports
for the individual test results.
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e
switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions,
please read the following articles:
[ERROR] [Help 1]
http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
*Kevin Thorpe*
CTO
www.p-i.net | @PI_150
M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635
150 Buckingham Palace Road, London, SW1W 9TR, UK
_____________________________
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager.
This message contains confidential information and is intended only for the
individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by mistake and
delete this e-mail from your system. If you are not the intended recipient
you are notified that disclosing, copying, distributing or taking any
action in reliance on the contents of this information is strictly
prohibited.
*"SAVE PAPER - THINK BEFORE YOU PRINT!" *
On 30 June 2015 at 14:28, Marek Posolda wrote:
> Hi Kevin,
>
> In the latest master there is support for multiple values of a user
> attribute mapped from LDAP. There is also a new switch "multivalued" in the admin
> console for the User attribute protocol mapper - when it's on, you will see all
> the values of the attribute in the id token (or access token) in your
> application.
>
> Also there is a switch "Always read value from LDAP" on the User attribute LDAP
> federation mapper. When it's on, the value of the attribute is always read from
> LDAP, even for the users which were already added into the Keycloak DB before
> you created the LDAP mapper.
>
> I hope this will address the issues you mentioned below and in the
> previous mails last week.
>
> Please let me know if it works or if there are still some issues you're
> seeing.
>
> Thanks,
> Marek
>
>
> On 29.6.2015 14:22, Kevin Thorpe wrote:
>
> There are two mappings here.
>
> Firstly you need an attribute mapper in user federation. This maps an
> LDAP attribute to a Keycloak one.
> I don't think this works on existing users though. Try creating a new LDAP
> user and log in as that user to test this.
> Check the log. In my case it's at /var/log/wildfly/console.log but it might
> have been moved there by one of our devs.
> Check the USER_ATTRIBUTES table in the database. You should have a line for
> your new attribute for your new user.
> I know this doesn't work for multi-valued attributes, e.g. we have an
> 'applications' attribute for which users will have several entries.
>
> Secondly you need to map the user attribute you created above to the JWT
> token.
> This is under your client application definition.
> You need a 'user attribute' mapper, not a 'property' mapper, to map the new Keycloak
> user attribute to a value in the token(s).
> You also need to turn it on for either the id token or access token
> depending on where your client expects it.
>
> *Kevin Thorpe*
> CTO
>
>
>
> www.p-i.net | @PI_150
>
> M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635
> 150 Buckingham Palace Road, London, SW1W 9TR, UK
>
>
>
> On 29 June 2015 at 13:02, Adam Daduev wrote:
>
>> Hi.
>> I tried to use a new feature of Keycloak 1.3.1: I added a new attribute, like
>> department, but I cannot get it in my web bean. I tried to get the new attribute
>> from KeycloakSecurityContext, but it cannot be found.
>> How can I get my newly added attribute?
>> Thanks!
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
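A check for the second half of the mapping chain described in this thread (user attribute mapper to the id or access token, optionally "multivalued"), added here as an example; it is not code from the thread or from the Keycloak project. It decodes the payload of the tokens your adapter hands you and reports which token carries the attribute claim and all of its values, normalising a single-valued claim (a JSON string) and a multivalued one (a JSON array) to a list. Only the payload is decoded: signature verification stays with the adapter that obtained the tokens, which is why this must only ever be pointed at tokens that came through KeycloakSecurityContext or an equivalent verified path. The claim names ("department", "applications"), the username and both tokens are constructed for the demonstration.

```python
"""Report which token (id or access) carries a mapped user-attribute claim and its values.
Payload decoding only; no signature verification is performed here."""
import base64
import json

def _b64url_decode(segment):
    # Compact JWTs drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def token_claims(token):
    """Claim set of a compact JWS (header.payload.signature). Not a verification step."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))

def attribute_values(claims, claim_name):
    """A multivalued mapper emits a JSON array, a single-valued one a scalar; return a list either way."""
    value = claims.get(claim_name)
    if value is None:
        return []
    return [str(v) for v in value] if isinstance(value, list) else [str(value)]

def locate_claim(claim_name, id_token=None, access_token=None):
    """Which token(s) carry the claim; this is what the id/access token switches on the mapper control."""
    found = {}
    for label, token in (("id_token", id_token), ("access_token", access_token)):
        if token:
            values = attribute_values(token_claims(token), claim_name)
            if values:
                found[label] = values
    return found

def constructed_token(claims):
    """Assemble a compact token for offline demonstration only: the signature segment is a
    placeholder, so the result must never reach code that trusts unverified tokens."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.placeholder-signature"

# Constructed: 'applications' is mapped multivalued and enabled for the ID token only,
# 'department' is single-valued and enabled for both tokens.
ID_TOKEN = constructed_token({"preferred_username": "kevin", "department": "engineering",
                              "applications": ["billing", "crm"]})
ACCESS_TOKEN = constructed_token({"preferred_username": "kevin", "department": "engineering"})

if __name__ == "__main__":
    print(locate_claim("applications", ID_TOKEN, ACCESS_TOKEN))  # {'id_token': ['billing', 'crm']}
    print(locate_claim("department", ID_TOKEN, ACCESS_TOKEN))
```

If locate_claim returns an empty dict for a user you expect to have the attribute, work backwards along the chain Kevin lists: first the USER_ATTRIBUTES row for that user (the federation mapper), then the protocol mapper and its token switches.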
From mposolda at redhat.com Wed Jul 1 09:53:15 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 01 Jul 2015 15:53:15 +0200
Subject: [keycloak-user] How read added mapper attribute from ldap?
In-Reply-To:
References:
<5592996D.8000108@redhat.com>
Message-ID: <5593F0CB.5030000@redhat.com>
Hi Kevin,
Could you try adding "-DskipTests=true" as a parameter to the Maven
command during the build? Or maybe even just run these commands (assuming
you are in the directory with the latest Keycloak master):
mvn clean install -DskipTests=true
cd distribution
mvn clean install
Thanks,
Marek
On 1.7.2015 15:09, Kevin Thorpe wrote:
> Hi Marek, I'm having problems doing a distribution build. Are you
> expecting that to work?
>
> What extra information do you want from me? I am not a Java developer
> so I'm not sure.
>
> [INFO]
> ------------------------------------------------------------------------
> [INFO] BUILD FAILURE
> [INFO]
> ------------------------------------------------------------------------
> [INFO] Total time: 01:58 min
> [INFO] Finished at: 2015-07-01T14:06:24+01:00
> [INFO] Final Memory: 122M/464M
> [INFO]
> ------------------------------------------------------------------------
> [ERROR] Failed to execute goal
> org.apache.maven.plugins:maven-surefire-plugin:2.17:test
> (default-test) on project arquillian-integration: There are test failures.
> [ERROR]
> [ERROR] Please refer to
> /home/kevin/keycloak/testsuite/integration-arquillian/target/surefire-reports
> for the individual test results.
> [ERROR] -> [Help 1]
> [ERROR]
> [ERROR] To see the full stack trace of the errors, re-run Maven with
> the -e switch.
> [ERROR] Re-run Maven using the -X switch to enable full debug logging.
> [ERROR]
> [ERROR] For more information about the errors and possible solutions,
> please read the following articles:
> [ERROR] [Help 1]
> http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
>
>
> *Kevin Thorpe*
> CTO
>
>
>
> www.p-i.net | @PI_150
>
> M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635
> 150 Buckingham Palace Road, London, SW1W 9TR, UK
>
>
>
> On 30 June 2015 at 14:28, Marek Posolda wrote:
>
> Hi Kevin,
>
> In the latest master there is support for multiple values of a user
> attribute mapped from LDAP. There is also a new switch "multivalued"
> in the admin console for the User attribute protocol mapper - when it's
> on, you will see all the values of the attribute in the id token
> (or access token) in your application.
>
> Also there is a switch "Always read value from LDAP" on the User
> attribute LDAP federation mapper. When it's on, the value of the
> attribute is always read from LDAP, even for the users which were
> already added into the Keycloak DB before you created the LDAP mapper.
>
> I hope this will address the issues you mentioned below and in the
> previous mails last week.
>
> Please let me know if it works or if there are still some issues
> you're seeing.
>
> Thanks,
> Marek
>
>
> On 29.6.2015 14:22, Kevin Thorpe wrote:
>> There are two mappings here.
>>
>> Firstly you need an attribute mapper in user federation. This
>> maps an LDAP attribute to a Keycloak one.
>> I don't think this works on existing users though. Try creating a
>> new LDAP user and log in as that user to test this.
>> Check the log. In my case it's at /var/log/wildfly/console.log
>> but it might have been moved there by one of our devs.
>> Check the USER_ATTRIBUTES table in the database. You should have a
>> line for your new attribute for your new user.
>> I know this doesn't work for multi-valued attributes, e.g. we have
>> an 'applications' attribute for which users will have several entries.
>>
>> Secondly you need to map the user attribute you created above to
>> the JWT token.
>> This is under your client application definition.
>> You need a 'user attribute' mapper, not a 'property' mapper, to map the new
>> Keycloak user attribute to a value in the token(s).
>> You also need to turn it on for either the id token or access
>> token depending on where your client expects it.
>>
>> *Kevin Thorpe*
>> CTO
>>
>>
>>
>> www.p-i.net | @PI_150
>>
>>
>> M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207
>> 730 2635
>> 150 Buckingham Palace Road, London, SW1W 9TR, UK
>>
>>
>>
>> On 29 June 2015 at 13:02, Adam Daduev wrote:
>>
>> Hi.
>> I tried to use a new feature of Keycloak 1.3.1: I added a new
>> attribute, like department, but I cannot get it in my web
>> bean. I tried to get the new attribute from KeycloakSecurityContext,
>> but it cannot be found.
>> How can I get my newly added attribute?
>> Thanks!
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>>
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
From mposolda at redhat.com Wed Jul 1 10:20:37 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 01 Jul 2015 16:20:37 +0200
Subject: [keycloak-user] User Registration using UserFederationProvider
In-Reply-To: <75BD196F-BD74-4106-A252-18924D929F44@thesoftwarecottage.com.au>
References: <05125352-EFEC-45C9-94D5-8B45078E63EC@thesoftwarecottage.com.au>
<559288F5.7090405@redhat.com>
<75BD196F-BD74-4106-A252-18924D929F44@thesoftwarecottage.com.au>
Message-ID: <5593F735.4030908@redhat.com>
On 1.7.2015 14:41, Greg Jones wrote:
> Hi Marek,
>
> An update on today's trials:
>
> 1. Getting the proxy UserModel to perform the registration is not workable. Our back-end has about 15 required fields, which need to be set in order to register the user. It would be necessary to keep track of each property being set in order to determine when we have enough information to actually register the user. We could call our register method once the last field on the screen has been set, but this creates a very fragile system.
Yeah, what I meant was to not send the user to your backend once the
"register" method is called, but just to return the proxy. Then, when you
see that all fields and attributes are set on the proxy and are valid
(you may need to implement all the methods like setFirstName,
setLastName, setEmail, setAttribute etc.), you send the user to be
registered in your backend. Could this work?
>
> 2. I have forked the Keycloak code and made a couple of changes (setting the attributes from the form earlier) that have made it possible to register the user when the provider's register method is called. I believe this has no side-effects on Keycloak but I will do some further testing before raising a Jira and/or creating a pull request.
>
> 3. Throwing a ModelException causes an internal server error to be displayed on the page, rather than being displayed as an error message. I have added a catch statement to the code in LoginActionsService to catch any registration exceptions and display the appropriate error on the registration page. This is with 1.3.1.Final but I don't think this has changed in master.
Ah, ok. I believe that registering a user through the admin console UI
should display the message from the ModelException in the UI, but for
the standard user registration it maybe doesn't work well.
I wonder whether, in the case of standard registration, we may need to
create a subclass of ModelException (for example ModelFederationException)
and catch just this subclass? Because a ModelException could indicate some
error at the DB level while persisting the user, and it's probably not best
from the usability perspective to display details about a DB error in the
UI that is shown to the end user.
Marek
>
> Thanks again for your assistance.
>
> Regards,
> Greg J.
>
>
>> On 30 Jun 2015, at 10:17 pm, Marek Posolda wrote:
>>
>> On 30.6.2015 08:06, Greg Jones wrote:
>>> Hi Team,
>>>
>>> We are implementing Keycloak as an SSO Server, linked to our existing back-end that is currently responsible for maintaining user registration details. We have developed a UserFederationProvider and are able to login correctly and add our existing authentication token to the JSON Web Token.
>>>
>>> The next step was to use the back-end server for user registrations and this is where we are having problems.
>>>
>>> We have added the desired fields to registration.ftl for our chosen theme and have verified that these fields are being added as attributes. We have the problem that the federation provider's register(RealmModel realm, UserModel user) method is called before any fields (other than username) are populated from the registration form (See LoginActionsService.java - line 625) and we cannot register the user without these fields being populated.
>> Yes, the method UserFederationProvider.register() is called with UserModel object, which has just username set. I agree that it could be possibly more friendly... Could you please create JIRA?
>>
>> But you should have the possibility to address this (even if it's not very easy). From the "register" method (and maybe from other methods of your provider as well, according to your use case), you are supposed to return a "proxy" UserModel object wrapping the "local" (Keycloak DB based) UserModel object. In that case, when some method is invoked on the proxy (like setFirstName, setLastName, setAttribute etc.) you can update the data in your backend as well. See the example https://github.com/keycloak/keycloak/blob/master/examples/providers/federation-provider/src/main/java/org/keycloak/examples/federation/properties/FilePropertiesFederationProvider.java#L32
>>
>>> For our demo to the team, we have found a work-around, whereby we have created an EventListenerProvider that handles the REGISTER event, and performs the user registration at that point. This works since we have all of the information we need by then.
>>>
>>> Clearly, Keycloak is expecting to be the primary holder for information collected during the registration process but there are several issues with the way it currently works:
>>>
>>> 1. There is no way to add validation for any extra fields that are added to the registration page, or to change the validation rules for existing fields on that page. It would be useful to have a Validation SPI for modules to be able to provide their own validation.
>>> 2. As mentioned, the federation provider's register method is called before the additional fields are added to the UserModel.
>>> 3. There is no way for the federation provider's register method to report an error during registration, e.g. a comms error or missing data. Any exception thrown during this call results in a blank page showing "Internal Server Error".
>> If you throw ModelException either from "register" method or from "setXXX" method of your proxy UserModel object returned from the register method, then the text thrown from the exception is properly displayed in admin console UI. At least in latest 1.3.1 it should work AFAIK. Can you check this ?
>>
>> There might still be the issue that the "register" method is called with a UserModel with just the username filled, so if some attribute is not valid, your DB may already have the "invalid" object created from the register method. You can address this by not sending your user to your backend when the "register" method is called, but just returning the proxy. Then you will update your backend later once all the attributes are valid and properly set.
>>
>> Marek
>>> I am hoping for some guidance here, on whether we have chosen the correct approach to user registration or whether we should be doing it differently.
>>>
>>> Thanks in advance,
>>> Greg Jones
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
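The design Marek describes in this thread, as an added example: a provider whose register() writes nothing to the back-end and instead returns a proxy; the proxy mirrors every setter and sends one registration only once every required field is present and valid, and back-end failures surface as a distinct, user-presentable error (the ModelFederationException idea) that the registration action catches, as Greg did, instead of letting it become an internal server error. This is a Python model of that pattern written for this page, not the Keycloak Java SPI (UserFederationProvider, UserModel, ModelException) and not code from the thread; the names LocalUser, BackendClient, RegisteringUserProxy, FederationError, the required-field list and the form submission are assumptions made for the demonstration.

```python
"""Deferred-registration proxy: the back-end sees a user only when the record is complete
and valid; transport and storage errors reach the form as one user-safe message."""

class FederationError(Exception):
    """User-presentable registration failure, kept distinct from storage-level exceptions."""

class LocalUser:
    """Stand-in for the locally stored user model; arrives with only a username set."""
    def __init__(self, username):
        self.username, self.first_name, self.last_name, self.email = username, None, None, None
        self.attributes = {}

# Assumed back-end contract: these fields must be present before a registration is sent.
REQUIRED = ("first_name", "last_name", "email", "attr:department", "attr:employee_id")
VALIDATORS = {"email": lambda v: "@" in v and "." in v.rsplit("@", 1)[-1],
              "attr:employee_id": lambda v: v.isdigit() and len(v) == 6}

class BackendClient:
    """Constructed fake of the company back-end: records registrations, can simulate an outage."""
    def __init__(self, down=False):
        self.registered, self.down = [], down

    def register(self, record):
        if self.down:
            raise ConnectionError("backend unreachable")
        if any(r["username"] == record["username"] for r in self.registered):
            raise ValueError("username already registered")
        self.registered.append(record)

class RegisteringUserProxy:
    """Wraps the local user: each setter updates the local model, then the proxy checks
    whether every required field is present and only then sends one registration."""
    def __init__(self, local, backend):
        self._local, self._backend, self.committed = local, backend, False

    def _set(self, name, value):
        setattr(self._local, name, value)
        self._try_commit()

    def set_first_name(self, value): self._set("first_name", value)
    def set_last_name(self, value): self._set("last_name", value)
    def set_email(self, value): self._set("email", value)

    def set_attribute(self, name, value):
        self._local.attributes[name] = value
        self._try_commit()

    def _field(self, name):
        if name.startswith("attr:"):
            return self._local.attributes.get(name[5:])
        return getattr(self._local, name)

    def missing_fields(self):
        return [f for f in REQUIRED if not self._field(f)]

    def invalid_fields(self):
        return [f for f, ok in VALIDATORS.items() if self._field(f) and not ok(self._field(f))]

    def _try_commit(self):
        if self.committed or self.missing_fields():
            return  # nothing sent yet: the back-end never sees a half-filled user
        bad = self.invalid_fields()
        if bad:
            raise FederationError("invalid value for " + ", ".join(bad))
        record = {"username": self._local.username, "first_name": self._local.first_name,
                  "last_name": self._local.last_name, "email": self._local.email,
                  "attributes": dict(self._local.attributes)}
        try:
            self._backend.register(record)
        except ConnectionError:
            # Transport detail belongs in the server log; the end user gets a generic message.
            raise FederationError("registration service unavailable, please try again later")
        except ValueError as err:
            raise FederationError(str(err))
        self.committed = True

class BackendFederationProvider:
    def __init__(self, backend):
        self._backend = backend

    def register(self, realm, local_user):
        # Called with only the username populated: return the proxy, write nothing yet.
        return RegisteringUserProxy(local_user, self._backend)

def handle_registration(provider, form):
    """Replays the order in which the registration flow sets fields and turns a
    FederationError into a form error instead of an internal server error."""
    try:
        proxy = provider.register("demo", LocalUser(form["username"]))
        proxy.set_first_name(form["firstName"])
        proxy.set_last_name(form["lastName"])
        proxy.set_email(form["email"])
        for name, value in form.get("attributes", {}).items():
            proxy.set_attribute(name, value)
    except FederationError as err:
        return {"status": "error", "message": str(err)}
    return {"status": "registered" if proxy.committed else "incomplete",
            "missing": proxy.missing_fields()}

# Constructed sample submission.
FORM = {"username": "alice", "firstName": "Alice", "lastName": "Smith", "email": "alice@example.test",
        "attributes": {"department": "engineering", "employee_id": "123456"}}

if __name__ == "__main__":
    backend = BackendClient()
    print(handle_registration(BackendFederationProvider(backend), FORM))  # registered
    print(handle_registration(BackendFederationProvider(backend), FORM))  # error: already registered
```

The fragility Greg points out (knowing when the last field has arrived) is handled by checking the required-field list after every setter rather than by counting on form order; a form that omits a required field leaves the proxy "incomplete" with nothing sent, which is the state Marek wants the back-end to be protected from.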
From stian at redhat.com Thu Jul 2 02:26:51 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 2 Jul 2015 02:26:51 -0400 (EDT)
Subject: [keycloak-user] Update the user only with required fields
In-Reply-To:
References:
<1490204236.26083427.1435242053103.JavaMail.zimbra@redhat.com>
Message-ID: <1345668622.30684695.1435818411834.JavaMail.zimbra@redhat.com>
Send me the json you're updating with and what fields are changed and I'll look into it
----- Original Message -----
> From: "Chamantha De Silva"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Friday, 26 June, 2015 7:18:08 AM
> Subject: RE: [keycloak-user] Update the user only with required fields
>
> Hi Stian,
>
> Thank you for your response. We are using Keycloak 1.2.0 Final and in that
> version we do have that problem. If we update only a particular element in the
> user update call, it will truncate the rest (turning it to default values in
> some cases, e.g. booleans).
>
> Best Regards,
> Chamantha
>
> > Date: Thu, 25 Jun 2015 10:20:53 -0400
> > From: stian at redhat.com
> > To: chamantha at outlook.com
> > CC: keycloak-user at lists.jboss.org
> > Subject: Re: [keycloak-user] Update the user only with required fields
> >
> > You can just send the user json and only include the attributes you want to
> > change.
> >
> > ----- Original Message -----
> > > From: "Chamantha De Silva"
> > > To: keycloak-user at lists.jboss.org
> > > Sent: Thursday, 25 June, 2015 1:22:31 AM
> > > Subject: [keycloak-user] Update the user only with required fields
> > >
> > > Hi Team,
> > >
> > > There are situations where we use the update user REST API to update just one
> > > element of the user (e.g. enabled : false etc.).
> > > This requires a pre-fetched user object from the GET user call, otherwise
> > > the rest of the user information tends to be truncated after the update call.
> > >
> > > Is there a possibility to update only specific elements of the user instead
> > > of sending the whole user object (the objective is to avoid the GET call
> > > right before the update call and avoid the possible tendency of data truncation)?
> > > Your kind reply is highly appreciated.
> > >
> > > Best regards,
> > > Chamantha
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
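Stian's answer is to PUT only the fields to change; Chamantha reports that on 1.2.0 the omitted fields get reset. A read-merge-write makes the call safe under either behaviour, which matters here because the fields most likely to be silently reset (enabled, emailVerified, requiredActions) are exactly the ones an administrator uses to lock an account or force a password change. The class below is an added example, not Keycloak's code and not its admin client library. It assumes the 1.x admin REST paths /auth/admin/realms/{realm}/users/{id} (GET returns the user representation, PUT replaces it), a bearer token for an admin user obtained separately, Jackson for JSON and Java 11 or newer; the hostname and realm are placeholders.

```java
// Added example, not Keycloak's own code or its admin client.
// Assumes the admin REST paths /auth/admin/realms/{realm}/users/{id} of Keycloak 1.x,
// a bearer token obtained separately, Jackson for JSON and Java 11+.
package example.admin;

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Map;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ObjectNode;

public class SafeUserUpdate {

    private static final ObjectMapper MAPPER = new ObjectMapper();

    private final String baseUrl;      // placeholder, e.g. https://sso.example.invalid/auth
    private final String realm;
    private final String bearerToken;  // admin access token obtained elsewhere

    public SafeUserUpdate(String baseUrl, String realm, String bearerToken) {
        this.baseUrl = baseUrl;
        this.realm = realm;
        this.bearerToken = bearerToken;
    }

    /**
     * Read-merge-write: fetch the current representation, overlay only the fields
     * we intend to change, send the whole document back. Works the same whether or
     * not the server honours partial PUTs, and never resets a field we left out.
     */
    public void update(String userId, Map<String, JsonNode> changes) throws IOException {
        ObjectNode current = (ObjectNode) MAPPER.readTree(call("GET", userId, null));
        ObjectNode merged = merge(current, changes);
        call("PUT", userId, MAPPER.writeValueAsBytes(merged));
    }

    /** Pure merge step, kept separate so it can be exercised without a server. */
    static ObjectNode merge(ObjectNode current, Map<String, JsonNode> changes) {
        ObjectNode merged = current.deepCopy();
        for (Map.Entry<String, JsonNode> e : changes.entrySet()) {
            merged.set(e.getKey(), e.getValue());
        }
        return merged;
    }

    private byte[] call(String method, String userId, byte[] body) throws IOException {
        URL url = new URL(baseUrl + "/admin/realms/" + realm + "/users/" + userId);
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod(method);
        conn.setRequestProperty("Authorization", "Bearer " + bearerToken);
        conn.setRequestProperty("Accept", "application/json");
        if (body != null) {
            conn.setDoOutput(true);
            conn.setRequestProperty("Content-Type", "application/json");
            try (OutputStream out = conn.getOutputStream()) {
                out.write(body);
            }
        }
        int status = conn.getResponseCode();
        if (status / 100 != 2) {
            throw new IOException(method + " " + url.getPath() + " failed with HTTP " + status);
        }
        if (status == HttpURLConnection.HTTP_NO_CONTENT) {
            return new byte[0];   // PUT answers 204, there is no body to read
        }
        try (InputStream in = conn.getInputStream()) {
            return in.readAllBytes();
        }
    }

    public static void main(String[] args) throws IOException {
        // Placeholder values; KC_TOKEN holds an admin token obtained from a prior login.
        SafeUserUpdate client = new SafeUserUpdate(
                "https://sso.example.invalid/auth", "demo", System.getenv("KC_TOKEN"));
        // Disable one account (id passed on the command line) and touch nothing else.
        client.update(args[0], Map.of("enabled", MAPPER.getNodeFactory().booleanNode(false)));
    }
}
```

The cost is one extra GET per update, which is what Chamantha wanted to avoid; the benefit is that the request is self-describing and a reviewer of the audit log sees exactly the state the account was put in.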
From stian at redhat.com Thu Jul 2 03:40:48 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 2 Jul 2015 03:40:48 -0400 (EDT)
Subject: [keycloak-user] keycloak 1.3.1 OpenID Connect token
introspection url
In-Reply-To:
References:
Message-ID: <1255309225.30761760.1435822848801.JavaMail.zimbra@redhat.com>
Keycloak has an endpoint to verify token. URL is:
/auth/realms//protocol/openid-connect/validate
It takes a single query_param 'access_token'. If the token is valid the response will be the token as a json document, otherwise it'll return an error.
----- Original Message -----
> From: "Niels Bertram"
> To: keycloak-user at lists.jboss.org
> Sent: Monday, 29 June, 2015 5:30:51 PM
> Subject: [keycloak-user] keycloak 1.3.1 OpenID Connect token introspection url
>
> Hi there,
>
> I am trying to configure a server side (RP) client which requires a JWT
> introspection URL on the OP. I tried to find such an endpoint on the KeyCloak
> server to no avail, nor did I actually find any URL of type
> "introspect" in the OpenID Connect Specification.
>
> Does anyone know if/how an OAuth2 client can validate a JWT token via a back
> channel with the KeyCloak server?
>
> The client I am trying to configure is the MITREid client as per
> https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki/Token-Introspecting-Client-Config
>
> Looking at the code, the client will issue a post to the introspection
> endpoint with some form data:
>
> POST /auth/realms/myrealm/protocol/openid-connect/introspect HTTP/1.1
> Host: localhost:8080
> Cache-Control: no-cache
> Content-Type: application/x-www-form-urlencoded
>
> client_id=myapp&client_secret=mysupersecret&token=eyJhbGciO[truncated but valid access token]
>
> Any pointers are much appreciated.
>
> Kind Regards,
> Niels
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
From stian at redhat.com Thu Jul 2 06:22:12 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 2 Jul 2015 06:22:12 -0400 (EDT)
Subject: [keycloak-user] problem with keycloak on openshift
In-Reply-To:
References:
Message-ID: <670903255.30851448.1435832532163.JavaMail.zimbra@redhat.com>
Don't know what's going on here. If you're sending a request directly to 'https://kc-paolo.rhcloud.com/' it's not specific to Keycloak and it's either a WildFly or OpenShift issue. My guess would be the latter so maybe ask on OpenShift forums?
----- Original Message -----
> From: "Paolo Antinori"
> To: keycloak-user at lists.jboss.org
> Sent: Wednesday, 1 July, 2015 10:07:20 AM
> Subject: [keycloak-user] problem with keycloak on openshift
>
> Hi guys, I have deployed an instance of keycloak on openshift
> following the steps described here:
>
> https://github.com/keycloak/openshift-keycloak-cartridge
>
> The operation apparently went ok and I have been able to login to the
> instance and see kc administrative interface.
>
> Problem is that after a while, I am no longer able to login to the
> instance. Not even if I restart it.
>
> This is the error I see when trying:
>
> Bad Request
>
> Your browser sent a request that this server could not understand.
> Size of a request header field exceeds server limit.
>
> X-Forwarded-Host
>
> /n
>
>
> And I get that with both ffox and chromium on linux
>
> this from curl:
>
>
> $ curl -L -v https://kc-paolo.rhcloud.com/
> * Trying 54.89.206.14...
> * Connected to kc-paolo.rhcloud.com (54.89.206.14) port 443 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> * CAfile: /etc/pki/tls/certs/ca-bundle.crt
> CApath: none
> * SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> * Server certificate:
> * subject: CN=*.rhcloud.com,O=Red Hat Inc.,L=Raleigh,ST=North
> Carolina,C=US
> * start date: Apr 07 00:00:00 2015 GMT
> * expire date: Apr 11 12:00:00 2018 GMT
> * common name: *.rhcloud.com
> * issuer: CN=DigiCert SHA2 High Assurance Server
> CA,OU=www.digicert.com,O=DigiCert Inc,C=US
> > GET / HTTP/1.1
> > User-Agent: curl/7.40.0
> > Host: kc-paolo.rhcloud.com
> > Accept: */*
> >
> < HTTP/1.1 400 Bad Request
> < Date: Wed, 01 Jul 2015 08:06:46 GMT
> < Server: Apache/2.2.15 (Red Hat)
> < Content-Length: 392
> < Content-Type: text/html; charset=iso-8859-1
> < Connection: close
> <
>
>
> 400 Bad Request
>
> Bad Request
> Your browser sent a request that this server could not understand.
> Size of a request header field exceeds server limit.
>
> X-Forwarded-Host
>
> /n
>
> Apache/2.2.15 (Red Hat) Server at localhost Port 80
>
> * Closing connection 0
>
>
>
>
> any idea about what's wrong?
>
> thank you
>
> paolo
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
From sonicaaaa at gmail.com Thu Jul 2 08:21:21 2015
From: sonicaaaa at gmail.com (Paolo Antinori)
Date: Thu, 2 Jul 2015 14:21:21 +0200
Subject: [keycloak-user] problem with keycloak on openshift
In-Reply-To: <670903255.30851448.1435832532163.JavaMail.zimbra@redhat.com>
References:
<670903255.30851448.1435832532163.JavaMail.zimbra@redhat.com>
Message-ID:
Thank you. After confirming it's anything known or that I'm doing
anything obviously stupid on Keycloak side I will verify with the OS
guys.
I'll report the finding just for cross linking.
thank you!
paolo
On Thu, Jul 2, 2015 at 12:22 PM, Stian Thorgersen wrote:
> Don't know what's going on here. If you're sending a request directly to 'https://kc-paolo.rhcloud.com/' it's not specific to Keycloak and it's either a WildFly or OpenShift issue. My guess would be the latter so maybe ask on OpenShift forums?
>
> ----- Original Message -----
>> From: "Paolo Antinori"
>> To: keycloak-user at lists.jboss.org
>> Sent: Wednesday, 1 July, 2015 10:07:20 AM
>> Subject: [keycloak-user] problem with keycloak on openshift
>>
>> Hi guys, I have deployed an instance of keycloak on openshift
>> following the steps described here:
>>
>> https://github.com/keycloak/openshift-keycloak-cartridge
>>
>> The operation apparently went ok and I have been able to login to the
>> instance and see kc administrative interface.
>>
>> Problem is that after a while, I am no longer able to login to the
>> instance. Not even if I restart it.
>>
>> This is the error I see when trying:
>>
>> Bad Request
>>
>> Your browser sent a request that this server could not understand.
>> Size of a request header field exceeds server limit.
>>
>> X-Forwarded-Host
>>
>> /n
>>
>>
>> And I get that with both ffox and chromium on linux
>>
>> this from curl:
>>
>>
>> $ curl -L -v https://kc-paolo.rhcloud.com/
>> * Trying 54.89.206.14...
>> * Connected to kc-paolo.rhcloud.com (54.89.206.14) port 443 (#0)
>> * Initializing NSS with certpath: sql:/etc/pki/nssdb
>> * CAfile: /etc/pki/tls/certs/ca-bundle.crt
>> CApath: none
>> * SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
>> * Server certificate:
>> * subject: CN=*.rhcloud.com,O=Red Hat Inc.,L=Raleigh,ST=North
>> Carolina,C=US
>> * start date: Apr 07 00:00:00 2015 GMT
>> * expire date: Apr 11 12:00:00 2018 GMT
>> * common name: *.rhcloud.com
>> * issuer: CN=DigiCert SHA2 High Assurance Server
>> CA,OU=www.digicert.com,O=DigiCert Inc,C=US
>> > GET / HTTP/1.1
>> > User-Agent: curl/7.40.0
>> > Host: kc-paolo.rhcloud.com
>> > Accept: */*
>> >
>> < HTTP/1.1 400 Bad Request
>> < Date: Wed, 01 Jul 2015 08:06:46 GMT
>> < Server: Apache/2.2.15 (Red Hat)
>> < Content-Length: 392
>> < Content-Type: text/html; charset=iso-8859-1
>> < Connection: close
>> <
>>
>>
>> 400 Bad Request
>>
>> Bad Request
>> Your browser sent a request that this server could not understand.
>> Size of a request header field exceeds server limit.
>>
>> X-Forwarded-Host
>>
>> /n
>>
>> Apache/2.2.15 (Red Hat) Server at localhost Port 80
>>
>> * Closing connection 0
>>
>>
>>
>>
>> any idea about what's wrong?
>>
>> thank you
>>
>> paolo
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
From roman.usatenko at gmail.com Thu Jul 2 21:35:12 2015
From: roman.usatenko at gmail.com (Roman Usatenko)
Date: Thu, 2 Jul 2015 18:35:12 -0700
Subject: [keycloak-user] Login problems in cluster mode with keycloak
1.2.0.Final
Message-ID:
Hello,
I have an HA setup of keycloak 1.2.0.Final: two instances in a cluster behind a
load-balancer. Sometimes (not every time) I cannot log in, and I have this
exception in the log file on one of the boxes.
Is this a known issue or did I do something wrong?
Thank you,
Roman Usatenko.
=====================================================================================
2015-07-02 23:42:24,811 ERROR [io.undertow.request] (default task-15) UT005023: Exception handling request to /realms/master/login-actions/request/login: java.lang.RuntimeException: request path: /realms/master/login-actions/request/login
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54) [keycloak-services-1.2.0.Final.jar:1.2.0.Final]
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:166) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:197) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_79]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_79]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_79]
Caused by: org.jboss.resteasy.spi.UnhandledException: org.infinispan.commons.CacheException: java.lang.RuntimeException: Failure to marshal argument(s)
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) [resteasy-jaxrs-3.0.10.Final.jar:]
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) [resteasy-jaxrs-3.0.10.Final.jar:]
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149) [resteasy-jaxrs-3.0.10.Final.jar:]
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372) [resteasy-jaxrs-3.0.10.Final.jar:]
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) [resteasy-jaxrs-3.0.10.Final.jar:]
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) [resteasy-jaxrs-3.0.10.Final.jar:]
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) [resteasy-jaxrs-3.0.10.Final.jar:]
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) [resteasy-jaxrs-3.0.10.Final.jar:]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41) [keycloak-services-1.2.0.Final.jar:1.2.0.Final]
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40) [keycloak-services-1.2.0.Final.jar:1.2.0.Final]
    ... 28 more
Caused by: org.infinispan.commons.CacheException: java.lang.RuntimeException: Failure to marshal argument(s)
    at org.infinispan.commons.util.Util.rewrapAsCacheException(Util.java:581)
    at org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.invokeRemoteCommands(CommandAwareRpcDispatcher.java:141)
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.invokeRemotely(JGroupsTransport.java:524)
    at org.infinispan.remoting.rpc.RpcManagerImpl.invokeRemotely(RpcManagerImpl.java:281)
    at org.infinispan.interceptors.distribution.BaseDistributionInterceptor.invokeClusterGetCommandRemotely(BaseDistributionInterceptor.java:130)
    at org.infinispan.interceptors.distribution.BaseDistributionInterceptor.retrieveFromRemoteSource(BaseDistributionInterceptor.java:118)
    at org.infinispan.interceptors.distribution.NonTxDistributionInterceptor.remoteGetCacheEntry(NonTxDistributionInterceptor.java:161)
    at org.infinispan.interceptors.distribution.NonTxDistributionInterceptor.visitGetKeyValueCommand(NonTxDistributionInterceptor.java:48)
    at org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40)
    at org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:98)
    at org.infinispan.interceptors.EntryWrappingInterceptor.visitGetKeyValueCommand(EntryWrappingInterceptor.java:116)
    at org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40)
    at org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:98)
    at org.infinispan.interceptors.locking.NonTransactionalLockingInterceptor.visitGetKeyValueCommand(NonTransactionalLockingInterceptor.java:32)
    at org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40)
    at org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:98)
    at org.infinispan.interceptors.base.CommandInterceptor.handleDefault(CommandInterceptor.java:112)
    at org.infinispan.commands.AbstractVisitor.visitGetKeyValueCommand(AbstractVisitor.java:74)
    at org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40)
    at org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:98)
    at org.infinispan.interceptors.base.CommandInterceptor.handleDefault(CommandInterceptor.java:112)
    at org.infinispan.commands.AbstractVisitor.visitGetKeyValueCommand(AbstractVisitor.java:74)
    at org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40)
    at org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:98)
    at org.infinispan.statetransfer.StateTransferInterceptor.handleTopologyAffectedCommand(StateTransferInterceptor.java:263)
    at org.infinispan.statetransfer.StateTransferInterceptor.handleDefault(StateTransferInterceptor.java:247)
    at org.infinispan.commands.AbstractVisitor.visitGetKeyValueCommand(AbstractVisitor.java:74)
    at org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40)
    at org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:98)
    at org.infinispan.interceptors.CacheMgmtInterceptor.visitGetKeyValueCommand(CacheMgmtInterceptor.java:92)
    at org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40)
    at org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:98)
    at org.infinispan.interceptors.InvocationContextInterceptor.handleAll(InvocationContextInterceptor.java:110)
    at org.infinispan.interceptors.InvocationContextInterceptor.handleDefault(InvocationContextInterceptor.java:73)
    at org.infinispan.commands.AbstractVisitor.visitGetKeyValueCommand(AbstractVisitor.java:74)
    at org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40)
    at org.infinispan.interceptors.InterceptorChain.invoke(InterceptorChain.java:333)
    at org.infinispan.CacheImpl.get(CacheImpl.java:377)
    at org.infinispan.CacheImpl.get(CacheImpl.java:369)
    at org.infinispan.AbstractDelegatingCache.get(AbstractDelegatingCache.java:271)
    at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider.getUserLoginFailure(InfinispanUserSessionProvider.java:283) [keycloak-model-sessions-infinispan-1.2.0.Final.jar:1.2.0.Final]
    at org.keycloak.services.managers.BruteForceProtector.isTemporarilyDisabled(BruteForceProtector.java:241) [keycloak-services-1.2.0.Final.jar:1.2.0.Final]
    at org.keycloak.services.managers.AuthenticationManager.authenticateForm(AuthenticationManager.java:587) [keycloak-services-1.2.0.Final.jar:1.2.0.Final]
    at org.keycloak.services.resources.LoginActionsService.processLogin(LoginActionsService.java:345) [keycloak-services-1.2.0.Final.jar:1.2.0.Final]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_79]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_79]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_79]
    at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_79]
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) [resteasy-jaxrs-3.0.10.Final.jar:]
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) [resteasy-jaxrs-3.0.10.Final.jar:]
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) [resteasy-jaxrs-3.0.10.Final.jar:]
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) [resteasy-jaxrs-3.0.10.Final.jar:]
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) [resteasy-jaxrs-3.0.10.Final.jar:]
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) [resteasy-jaxrs-3.0.10.Final.jar:]
    ... 39 more
Caused by: java.lang.RuntimeException: Failure to marshal argument(s)
    at org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.marshallCall(CommandAwareRpcDispatcher.java:333)
    at org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.processCalls(CommandAwareRpcDispatcher.java:407)
    at org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.invokeRemoteCommands(CommandAwareRpcDispatcher.java:132)
    ... 91 more
Caused by: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.models.sessions.infinispan.entities.LoginFailureKey
Caused by: an exception which occurred:
    in object org.keycloak.models.sessions.infinispan.entities.LoginFailureKey@a1289374
    in object org.infinispan.commands.remote.ClusteredGetCommand@a1289374
=====================================================================================
From nielsbne at gmail.com Thu Jul 2 23:19:27 2015
From: nielsbne at gmail.com (Niels Bertram)
Date: Fri, 3 Jul 2015 13:19:27 +1000
Subject: [keycloak-user] keycloak 1.3.1 OpenID Connect token
introspection url
In-Reply-To: <1255309225.30761760.1435822848801.JavaMail.zimbra@redhat.com>
References:
<1255309225.30761760.1435822848801.JavaMail.zimbra@redhat.com>
Message-ID:
Thanks Stian, got it to work.
Strangely enough this validation endpoint is not returned in the keycloak
response on /auth/realms/[realm]/.well-known/openid-configuration . Also I
tried to find any standard reference in the OpenID Connect 1.0
specification and there is no mention of this mechanism. So I assume it's
not a standard OpenID method, right?
Kind Regards,
Niels
On Thu, Jul 2, 2015 at 5:40 PM, Stian Thorgersen wrote:
> Keycloak has an endpoint to verify token. URL is:
>
> /auth/realms//protocol/openid-connect/validate
>
> It takes a single query_param 'access_token'. If the token is valid the
> response will be the token as a json document, otherwise it'll return an
> error.
>
> ----- Original Message -----
> > From: "Niels Bertram"
> > To: keycloak-user at lists.jboss.org
> > Sent: Monday, 29 June, 2015 5:30:51 PM
> > Subject: [keycloak-user] keycloak 1.3.1 OpenID Connect token
> introspection url
> >
> > Hi there,
> >
> > I am trying to configure a server side (RP) client which requires a JWT
> > introspection URL on the OP. I tried to find such an endpoint on the KeyCloak
> > server to no avail, nor did I actually find any URL of type
> > "introspect" in the OpenID Connect Specification.
> >
> > Does anyone know if/how an OAuth2 client can validate a JWT token via a back
> > channel with the KeyCloak server?
> >
> > The client I am trying to configure is the MITREid client as per
> >
> https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki/Token-Introspecting-Client-Config
> >
> > Looking at the code, the client will issue a post to the introspection
> > endpoint with some form data:
> >
> > POST /auth/realms/myrealm/protocol/openid-connect/introspect HTTP/1.1
> > Host: localhost:8080
> > Cache-Control: no-cache
> > Content-Type: application/x-www-form-urlencoded
> >
> > client_id=myapp&client_secret=mysupersecret&token=eyJhbGciO[truncated but valid access token]
> >
> > Any pointers are much appreciated.
> >
> > Kind Regards,
> > Niels
> >
> >
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
From stian at redhat.com Fri Jul 3 02:46:23 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 3 Jul 2015 02:46:23 -0400 (EDT)
Subject: [keycloak-user] keycloak 1.3.1 OpenID Connect token
introspection url
In-Reply-To:
References:
<1255309225.30761760.1435822848801.JavaMail.zimbra@redhat.com>
Message-ID: <941174148.31521785.1435905983117.JavaMail.zimbra@redhat.com>
----- Original Message -----
> From: "Niels Bertram"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Friday, 3 July, 2015 5:19:27 AM
> Subject: Re: [keycloak-user] keycloak 1.3.1 OpenID Connect token introspection url
>
> Thanks Stian, got it to work.
>
> Strangely enough this validation endpoint is not returned in the keycloak
> response on /auth/realms/[realm]/.well-known/openid-configuration . Also I
> tried to find any standard reference in the OpenID Connect 1.0
> specification and there is no mention of this mechanism. So I assume it's
> not a standard OpenID method, right?
As far as I know you're right: there's no standard endpoint for verifying the token. I'm not sure it makes sense for us to add non-standard endpoints to the openid-configuration endpoint.
It's long overdue, but we do plan to provide better docs with regard to OpenID Connect, including the "extensions" we've added.
>
> Kind Regards,
> Niels
>
> On Thu, Jul 2, 2015 at 5:40 PM, Stian Thorgersen wrote:
>
> > Keycloak has an endpoint to verify token. URL is:
> >
> > /auth/realms//protocol/openid-connect/validate
> >
> > It takes a single query_param 'access_token'. If the token is valid the
> > response will be the token as a json document, otherwise it'll return an
> > error.
> >
> > ----- Original Message -----
> > > From: "Niels Bertram"
> > > To: keycloak-user at lists.jboss.org
> > > Sent: Monday, 29 June, 2015 5:30:51 PM
> > > Subject: [keycloak-user] keycloak 1.3.1 OpenID Connect token
> > introspection url
> > >
> > > Hi there,
> > >
> > > I am trying to configure a server side (RP) client which requires a JWT
> > > introspection URL on the OP. I tried to find such an endpoint on the KeyCloak
> > > server to no avail, nor did I actually find any URL of type
> > > "introspect" in the OpenID Connect Specification.
> > >
> > > Does anyone know if/how an OAuth2 client can validate a JWT token via a back
> > > channel with the KeyCloak server?
> > >
> > > The client I am trying to configure is the MITREid client as per
> > >
> > https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki/Token-Introspecting-Client-Config
> > >
> > > Looking at the code, the client will issue a post to the introspection
> > > endpoint with some form data:
> > >
> > > POST /auth/realms/myrealm/protocol/openid-connect/introspect HTTP/1.1
> > > Host: localhost:8080
> > > Cache-Control: no-cache
> > > Content-Type: application/x-www-form-urlencoded
> > >
> > > client_id=myapp&client_secret=mysupersecret&token=eyJhbGciO[truncated but valid access token]
> > >
> > > Any pointers are much appreciated.
> > >
> > > Kind Regards,
> > > Niels
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
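Two things from this thread fit together for anyone wiring up a back-channel check: Stian's description of the validate endpoint (a GET with a single access_token query parameter that returns the token as JSON when it is valid) and his later point that, being non-standard, it is not advertised in .well-known/openid-configuration, so the RP has to build the URL itself from the issuer it already trusts. The class below is an added example of such a client; it is not Keycloak's code and not the MITREid client Niels is configuring. It assumes the endpoint path /auth/realms/{realm}/protocol/openid-connect/validate with the realm name in the segment that is empty in the quoted URL, an error-or-non-2xx response for a bad token, tokens carrying the usual exp, iss, aud and azp claims, Jackson for JSON and Java 11 or newer; the issuer and client id are placeholders.

```java
// Added example, not Keycloak's code and not the MITREid client from the thread.
// Assumes GET /auth/realms/{realm}/protocol/openid-connect/validate?access_token=...
// returns the token's claims as JSON on success, Jackson for JSON, Java 11+.
package example.rp;

import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.time.Instant;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

public class BackChannelTokenCheck {

    private static final ObjectMapper MAPPER = new ObjectMapper();

    private final String issuer;           // placeholder, e.g. https://sso.example.invalid/auth/realms/demo
    private final String expectedClientId; // the client this RP is registered as

    public BackChannelTokenCheck(String issuer, String expectedClientId) {
        this.issuer = issuer;
        this.expectedClientId = expectedClientId;
    }

    /** Asks the server whether the token is live, then applies the RP's own checks. */
    public JsonNode validate(String accessToken) throws IOException {
        // Not in the discovery document, so the URL is derived from the configured issuer.
        URL url = new URL(issuer + "/protocol/openid-connect/validate?access_token="
                + URLEncoder.encode(accessToken, StandardCharsets.UTF_8));
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("GET");
        conn.setRequestProperty("Accept", "application/json");
        int status = conn.getResponseCode();
        if (status != HttpURLConnection.HTTP_OK) {
            throw new IOException("token rejected by server: HTTP " + status);
        }
        JsonNode claims;
        try (InputStream in = conn.getInputStream()) {
            claims = MAPPER.readTree(in);
        }
        if (claims.has("error")) {
            throw new IOException("token rejected: " + claims.get("error").asText());
        }
        checkLocalPolicy(claims, issuer, expectedClientId);
        return claims;
    }

    /**
     * The server only confirms "this token is mine and not revoked or expired".
     * The RP still has to confirm the token was issued by the realm it expects
     * and for the client it is, otherwise any valid token from that server would do.
     */
    static void checkLocalPolicy(JsonNode claims, String issuer, String clientId) throws IOException {
        long now = Instant.now().getEpochSecond();
        if (!claims.hasNonNull("exp") || claims.get("exp").asLong() <= now) {
            throw new IOException("token has no exp claim or has expired");
        }
        if (!issuer.equals(claims.path("iss").asText())) {
            throw new IOException("token issued by a different issuer");
        }
        if (!audienceMatches(claims, clientId)) {
            throw new IOException("token was not issued for client " + clientId);
        }
    }

    /** aud may be a string or an array; azp names the client the token was issued to. */
    static boolean audienceMatches(JsonNode claims, String clientId) {
        if (clientId.equals(claims.path("azp").asText())) {
            return true;
        }
        JsonNode aud = claims.path("aud");
        if (aud.isTextual()) {
            return clientId.equals(aud.asText());
        }
        if (aud.isArray()) {
            for (JsonNode a : aud) {
                if (clientId.equals(a.asText())) {
                    return true;
                }
            }
        }
        return false;
    }
}
```

One operational caveat with this endpoint shape: the token travels in the query string, so it will appear in the access logs of any reverse proxy and of the server itself unless those logs are configured to drop it. Keep the call on the internal network and check what the front proxy records.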
From stian at redhat.com Fri Jul 3 03:14:14 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 3 Jul 2015 03:14:14 -0400 (EDT)
Subject: [keycloak-user] Login problems in cluster mode with
keycloak 1.2.0.Final
In-Reply-To:
References:
Message-ID: <823741506.31539290.1435907654801.JavaMail.zimbra@redhat.com>
It's a known issue - if you enable brute force protection and clustering. It's fixed in 1.3.1 (https://issues.jboss.org/browse/KEYCLOAK-1333).
----- Original Message -----
> From: "Roman Usatenko"
> To: keycloak-user at lists.jboss.org
> Sent: Friday, 3 July, 2015 3:35:12 AM
> Subject: [keycloak-user] Login problems in cluster mode with keycloak 1.2.0.Final
>
> Hello,
>
> I have an HA setup of keycloak 1.2.0.Final: two instances in a cluster behind a
> load-balancer. Sometimes (not every time) I cannot log in, and I have this
> exception in the log file on one of the boxes.
>
> Is this a known issue or did I do something wrong?
>
> Thank you,
> Roman Usatenko.
>
> =====================================================================================
> 2015-07-02 23:42:24,811 ERROR [io.undertow.request] (default task-15)
> UT005023: Exception handling request to
> /realms/master/login-actions/request/login: java.lang.RuntimeException:
> request path: /realms/master/login-actions/request/login
> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54) [keycloak-services-1.2.0.Final.jar:1.2.0.Final]
> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> at
> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
> [undertow-core-1.1.0.Final.jar:1.1.0.Final]
> at
> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70)
> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> at
> io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
> [undertow-core-1.1.0.Final.jar:1.1.0.Final]
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> [undertow-core-1.1.0.Final.jar:1.1.0.Final]
> at
> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> [undertow-core-1.1.0.Final.jar:1.1.0.Final]
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> [undertow-core-1.1.0.Final.jar:1.1.0.Final]
> at
> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261)
> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> at
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247)
> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> at
> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76)
> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> at
> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:166)
> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:197)
> [undertow-core-1.1.0.Final.jar:1.1.0.Final]
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759)
> [undertow-core-1.1.0.Final.jar:1.1.0.Final]
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> [rt.jar:1.7.0_79]
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> [rt.jar:1.7.0_79]
> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_79]
> Caused by: org.jboss.resteasy.spi.UnhandledException:
> org.infinispan.commons.CacheException: java.lang.RuntimeException: Failure
> to marshal argument(s)
> at
> org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
> [resteasy-jaxrs-3.0.10.Final.jar:]
> at
> org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
> [resteasy-jaxrs-3.0.10.Final.jar:]
> at
> org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
> [resteasy-jaxrs-3.0.10.Final.jar:]
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
> [resteasy-jaxrs-3.0.10.Final.jar:]
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
> [resteasy-jaxrs-3.0.10.Final.jar:]
> at
> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
> [resteasy-jaxrs-3.0.10.Final.jar:]
> at
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> [resteasy-jaxrs-3.0.10.Final.jar:]
> at
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> [resteasy-jaxrs-3.0.10.Final.jar:]
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
> at
> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> at
> org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41)
> [keycloak-services-1.2.0.Final.jar:1.2.0.Final]
> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> at
> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40)
> [keycloak-services-1.2.0.Final.jar:1.2.0.Final]
> ... 28 more
> Caused by: org.infinispan.commons.CacheException: java.lang.RuntimeException:
> Failure to marshal argument(s)
> at org.infinispan.commons.util.Util.rewrapAsCacheException(Util.java:581)
> at
> org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.invokeRemoteCommands(CommandAwareRpcDispatcher.java:141)
> at
> org.infinispan.remoting.transport.jgroups.JGroupsTransport.invokeRemotely(JGroupsTransport.java:524)
> at
> org.infinispan.remoting.rpc.RpcManagerImpl.invokeRemotely(RpcManagerImpl.java:281)
> at
> org.infinispan.interceptors.distribution.BaseDistributionInterceptor.invokeClusterGetCommandRemotely(BaseDistributionInterceptor.java:130)
> at
> org.infinispan.interceptors.distribution.BaseDistributionInterceptor.retrieveFromRemoteSource(BaseDistributionInterceptor.java:118)
> at
> org.infinispan.interceptors.distribution.NonTxDistributionInterceptor.remoteGetCacheEntry(NonTxDistributionInterceptor.java:161)
> at
> org.infinispan.interceptors.distribution.NonTxDistributionInterceptor.visitGetKeyValueCommand(NonTxDistributionInterceptor.java:48)
> at
> org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40)
> at
> org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:98)
> at
> org.infinispan.interceptors.EntryWrappingInterceptor.visitGetKeyValueCommand(EntryWrappingInterceptor.java:116)
> at
> org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40)
> at
> org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:98)
> at
> org.infinispan.interceptors.locking.NonTransactionalLockingInterceptor.visitGetKeyValueCommand(NonTransactionalLockingInterceptor.java:32)
> at
> org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40)
> at
> org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:98)
> at
> org.infinispan.interceptors.base.CommandInterceptor.handleDefault(CommandInterceptor.java:112)
> at
> org.infinispan.commands.AbstractVisitor.visitGetKeyValueCommand(AbstractVisitor.java:74)
> at
> org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40)
> at
> org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:98)
> at
> org.infinispan.interceptors.base.CommandInterceptor.handleDefault(CommandInterceptor.java:112)
> at
> org.infinispan.commands.AbstractVisitor.visitGetKeyValueCommand(AbstractVisitor.java:74)
> at
> org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40)
> at
> org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:98)
> at
> org.infinispan.statetransfer.StateTransferInterceptor.handleTopologyAffectedCommand(StateTransferInterceptor.java:263)
> at
> org.infinispan.statetransfer.StateTransferInterceptor.handleDefault(StateTransferInterceptor.java:247)
> at
> org.infinispan.commands.AbstractVisitor.visitGetKeyValueCommand(AbstractVisitor.java:74)
> at
> org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40)
> at
> org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:98)
> at
> org.infinispan.interceptors.CacheMgmtInterceptor.visitGetKeyValueCommand(CacheMgmtInterceptor.java:92)
> at
> org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40)
> at
> org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:98)
> at
> org.infinispan.interceptors.InvocationContextInterceptor.handleAll(InvocationContextInterceptor.java:110)
> at
> org.infinispan.interceptors.InvocationContextInterceptor.handleDefault(InvocationContextInterceptor.java:73)
> at
> org.infinispan.commands.AbstractVisitor.visitGetKeyValueCommand(AbstractVisitor.java:74)
> at
> org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40)
> at
> org.infinispan.interceptors.InterceptorChain.invoke(InterceptorChain.java:333)
> at org.infinispan.CacheImpl.get(CacheImpl.java:377)
> at org.infinispan.CacheImpl.get(CacheImpl.java:369)
> at
> org.infinispan.AbstractDelegatingCache.get(AbstractDelegatingCache.java:271)
> at
> org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider.getUserLoginFailure(InfinispanUserSessionProvider.java:283)
> [keycloak-model-sessions-infinispan-1.2.0.Final.jar:1.2.0.Final]
> at
> org.keycloak.services.managers.BruteForceProtector.isTemporarilyDisabled(BruteForceProtector.java:241)
> [keycloak-services-1.2.0.Final.jar:1.2.0.Final]
> at
> org.keycloak.services.managers.AuthenticationManager.authenticateForm(AuthenticationManager.java:587)
> [keycloak-services-1.2.0.Final.jar:1.2.0.Final]
> at
> org.keycloak.services.resources.LoginActionsService.processLogin(LoginActionsService.java:345)
> [keycloak-services-1.2.0.Final.jar:1.2.0.Final]
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> [rt.jar:1.7.0_79]
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> [rt.jar:1.7.0_79]
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> [rt.jar:1.7.0_79]
> at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_79]
> at
> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
> [resteasy-jaxrs-3.0.10.Final.jar:]
> at
> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
> [resteasy-jaxrs-3.0.10.Final.jar:]
> at
> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
> [resteasy-jaxrs-3.0.10.Final.jar:]
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
> [resteasy-jaxrs-3.0.10.Final.jar:]
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
> [resteasy-jaxrs-3.0.10.Final.jar:]
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
> [resteasy-jaxrs-3.0.10.Final.jar:]
> ... 39 more
> Caused by: java.lang.RuntimeException: Failure to marshal argument(s)
> at
> org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.marshallCall(CommandAwareRpcDispatcher.java:333)
> at
> org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.processCalls(CommandAwareRpcDispatcher.java:407)
> at
> org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.invokeRemoteCommands(CommandAwareRpcDispatcher.java:132)
> ... 91 more
> Caused by: org.infinispan.commons.marshall.NotSerializableException:
> org.keycloak.models.sessions.infinispan.entities.LoginFailureKey
> Caused by: an exception which occurred:
> in object
> org.keycloak.models.sessions.infinispan.entities.LoginFailureKey at a1289374
> in object org.infinispan.commands.remote.ClusteredGetCommand at a1289374
>
> =====================================================================================
>
From chamantha at outlook.com Sun Jul 5 10:25:40 2015
From: chamantha at outlook.com (Chamantha De Silva)
Date: Sun, 5 Jul 2015 20:25:40 +0600
Subject: [keycloak-user] Update the user only with required fields
In-Reply-To: <1345668622.30684695.1435818411834.JavaMail.zimbra@redhat.com>
References:
<1490204236.26083427.1435242053103.JavaMail.zimbra@redhat.com>
,
<1345668622.30684695.1435818411834.JavaMail.zimbra@redhat.com>
Message-ID:
Hi Stian,
I have included a sample scenario below, in which I updated only one field, the "enabled" field. But this is common to the rest of the fields and attributes as well.
1. Before the update (test user's original information):
{
"id":"c2279ae4-99b7-403c-9ac7-0ff838ff1b83",
"username":"test-user",
"enabled":true,
"totp":false,
"emailVerified":false,
"firstName":"test",
"lastName":"user",
"email":"test-user at test.com",
"attributes":{
"locality":"Redwood city",
"country":"USA",
"region":"CA",
"postal_code":"94065",
"street":"Holly St"
},
"requiredActions":[
]
}
2. Update the user as follows:
Update the user with just one field
API call: PUT /auth/admin/realms/leapset/users/test-user
Headers:
Accept: application/json
content-type: application/json
Authorization: Bearer TOKEN
Request body:
{"enabled":false}
After the update, fields like email, firstName and lastName are missing:
{
"id":"c2279ae4-99b7-403c-9ac7-0ff838ff1b83",
"username":"test-user",
"enabled":false,
"totp":false,
"emailVerified":false,
"attributes":{
"locality":"Redwood city",
"country":"USA",
"region":"CA",
"postal_code":"94065",
"street":"Holly St"
},
"requiredActions":[
]
}
> Date: Thu, 2 Jul 2015 02:26:51 -0400
> From: stian at redhat.com
> To: chamantha at outlook.com
> CC: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Update the user only with required fields
>
> Send me the json you're updating with and what fields are changed and I'll look into it
>
> ----- Original Message -----
> > From: "Chamantha De Silva"
> > To: "Stian Thorgersen"
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Friday, 26 June, 2015 7:18:08 AM
> > Subject: RE: [keycloak-user] Update the user only with required fields
> >
> > Hi Stian,
> >
> > Thank you for your response. We are using Keycloak 1.2.0.Final and in that
> > version we do have that problem. If we update only a particular element in the
> > user update call, it will truncate (turning to default values in some cases, e.g.
> > booleans).
> >
> > Best Regards,
> > Chamantha
> >
> > > Date: Thu, 25 Jun 2015 10:20:53 -0400
> > > From: stian at redhat.com
> > > To: chamantha at outlook.com
> > > CC: keycloak-user at lists.jboss.org
> > > Subject: Re: [keycloak-user] Update the user only with required fields
> > >
> > > You can just send the user json and only include the attributes you want to
> > > change.
> > >
> > > ----- Original Message -----
> > > > From: "Chamantha De Silva"
> > > > To: keycloak-user at lists.jboss.org
> > > > Sent: Thursday, 25 June, 2015 1:22:31 AM
> > > > Subject: [keycloak-user] Update the user only with required fields
> > > >
> > > > Hi Team,
> > > >
> > > > There are situations where we use the update user REST API to update just one
> > > > element of the user (e.g. enabled: false etc.).
> > > > This requires a pre-fetched user object from the GET user call, otherwise
> > > > the rest of the user information tends to be truncated after the update call.
> > > >
> > > > Is there a possibility to update only specific elements of the user instead
> > > > of sending the whole user object (the objective is to avoid the GET call right
> > > > before the update call and avoid the possible tendency of data truncation)?
> > > > Your kind reply is highly appreciated.
> > > >
> > > > Best regards,
> > > > Chamantha
> > > >
> >
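As an added example (not code from the thread or from Keycloak), the read-merge-write workaround the thread describes, as a Java helper around the Admin REST API. It assumes a Java EE 7 runtime that provides JSON-P (javax.json) and the JAX-RS 2.0 client, as WildFly does; the package name, the helper names and the token placeholder are mine.

```java
// Added example (not Keycloak or thread code). Assumes a Java EE 7 runtime that provides
// JSON-P (javax.json) and the JAX-RS 2.0 client, as WildFly does; package name is hypothetical.
package com.example.kcadmin;

import java.io.StringReader;
import java.util.Map;

import javax.json.Json;
import javax.json.JsonObject;
import javax.json.JsonObjectBuilder;
import javax.json.JsonValue;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.Entity;
import javax.ws.rs.client.WebTarget;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

/**
 * Read-merge-write around PUT /admin/realms/{realm}/users/{id}. On 1.2.0.Final the PUT
 * replaces the whole representation, so a body of {"enabled":false} alone clears email,
 * firstName and lastName (as shown in the thread); sending the merged full object does not.
 */
public final class UserPartialUpdate {

    /** Pure merge: keys in patch override current; every other field is preserved. */
    public static JsonObject merge(JsonObject current, JsonObject patch) {
        JsonObjectBuilder b = Json.createObjectBuilder();
        for (Map.Entry<String, JsonValue> e : current.entrySet()) {
            b.add(e.getKey(), e.getValue());
        }
        for (Map.Entry<String, JsonValue> e : patch.entrySet()) {
            b.add(e.getKey(), e.getValue());   // add() with an existing name replaces it
        }
        return b.build();
    }

    public static JsonObject parse(String json) {
        return Json.createReader(new StringReader(json)).readObject();
    }

    /** GET the current user, apply the patch on top, PUT the full representation back. */
    public static JsonObject updateUser(String authBase, String realm, String userId,
                                        String bearerToken, JsonObject patch) {
        Client client = ClientBuilder.newClient();
        try {
            WebTarget user = client.target(authBase)
                    .path("admin/realms/{realm}/users/{id}")
                    .resolveTemplate("realm", realm)
                    .resolveTemplate("id", userId);
            String currentJson = user.request(MediaType.APPLICATION_JSON)
                    .header("Authorization", "Bearer " + bearerToken)
                    .get(String.class);
            JsonObject merged = merge(parse(currentJson), patch);
            Response r = user.request()
                    .header("Authorization", "Bearer " + bearerToken)
                    .put(Entity.json(merged.toString()));
            try {
                if (r.getStatus() / 100 != 2) {
                    throw new IllegalStateException("user update failed: HTTP " + r.getStatus());
                }
            } finally {
                r.close();
            }
            return merged;
        } finally {
            client.close();
        }
    }

    /** Offline demonstration of the merge on the thread's "before" representation. */
    public static void main(String[] args) {
        // Constructed from the "before" JSON in the thread (attributes shortened).
        JsonObject before = parse("{\"id\":\"c2279ae4-99b7-403c-9ac7-0ff838ff1b83\","
                + "\"username\":\"test-user\",\"enabled\":true,\"totp\":false,"
                + "\"emailVerified\":false,\"firstName\":\"test\",\"lastName\":\"user\","
                + "\"email\":\"test-user@test.com\","
                + "\"attributes\":{\"locality\":\"Redwood city\",\"country\":\"USA\"},"
                + "\"requiredActions\":[]}");
        JsonObject patch = parse("{\"enabled\":false}");
        JsonObject body = merge(before, patch);
        // enabled is now false while firstName, lastName and email are still present
        System.out.println(body);
        // Against a live server (the token placeholder is not a real credential):
        // updateUser("http://localhost:8080/auth", "leapset", before.getString("id"), "<TOKEN>", patch);
    }
}
```

The GET and PUT are still two calls, so a concurrent admin change between them can be overwritten; the helper only removes the truncation, not the race.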
From stephen.more at gmail.com Sun Jul 5 12:00:00 2015
From: stephen.more at gmail.com (Stephen More)
Date: Sun, 5 Jul 2015 12:00:00 -0400
Subject: [keycloak-user] Multi tenant plus administration Rest api
In-Reply-To:
References:
Message-ID:
How could I extend the multi-tenant example
(https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant)
to make a Rest admin api call back to keycloak using java?
I think this would be a helpful example in upcoming releases.
Thanks
From Maurice.Quaedackers at planonsoftware.com Mon Jul 6 04:29:29 2015
From: Maurice.Quaedackers at planonsoftware.com (Maurice Quaedackers)
Date: Mon, 6 Jul 2015 10:29:29 +0200
Subject: [keycloak-user] Keycloak and Microsoft ADFS
Message-ID: <16DCFFB91025EF4DB80D3ECCA6E097E46DAE0ECF1A@NL-MAIL02.planon-fm.com>
Hello all,
Does anybody have experience with the combination of keycloak and a SAML2 Identity Provider running on Microsoft ADFS?
On both sides I am not able to import the metadata xml files.
- Within keycloak, when I try to import the ADFS IDP metadata.xml, the message "import was successful" appears but no fields are filled in.
- Within ADFS, when I try to import the keycloak SP metadata.xml, a message appears that the xml file is not in a valid format.
With kind regards / Met vriendelijke groet,
Maurice Quaedackers
Planon Cloud Center
_____________________
Planon B.V.
Postbus 38074
6503 AB Nijmegen
Wijchenseweg 8
6537 TL Nijmegen
Nederland
T: +31 (0) 24 641 3135
F: +31 (0) 24 642 2942
E: maurice.quaedackers at planonsoftware.com
W: www.planonsoftware.com
This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender.
From orestis.tsakiridis at telestax.com Mon Jul 6 07:33:14 2015
From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis)
Date: Mon, 6 Jul 2015 14:33:14 +0300
Subject: [keycloak-user] Change keycloak.json adapter config on the fly
Message-ID:
Hello,
I'm securing a REST bearer-only application using keycloak.
Is there any way to change keycloak.json adapter config file on the fly so
that it can take effect without restarting the container?
Will just editing keycloak.json work? I guess not.
What I want to do is complete an administrative task that will provide the
information needed for keycloak.json such as 'resource', edit keycloak.json
and then make this configuration effective for the REST api.
Best regards
Orestis
From bburke at redhat.com Mon Jul 6 08:53:30 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 06 Jul 2015 08:53:30 -0400
Subject: [keycloak-user] Keycloak and Microsoft ADFS
In-Reply-To: <16DCFFB91025EF4DB80D3ECCA6E097E46DAE0ECF1A@NL-MAIL02.planon-fm.com>
References: <16DCFFB91025EF4DB80D3ECCA6E097E46DAE0ECF1A@NL-MAIL02.planon-fm.com>
Message-ID: <559A7A4A.9060308@redhat.com>
Can you log a jira and attach the ADFS IDP metadata.xml file?
On 7/6/2015 4:29 AM, Maurice Quaedackers wrote:
> Hello all,
>
> Does anybody have experience with the combination of keycloak and a SAML2
> Identity Provider running on Microsoft ADFS?
>
> On both sides I am not able to import the metadata xml files.
>
> - Within keycloak, when I try to import the ADFS IDP metadata.xml, the
> message "import was successful" appears but no fields are filled in.
>
> - Within ADFS, when I try to import the keycloak SP metadata.xml, a
> message appears that the xml file is not in a valid format.
>
> With kind regards / Met vriendelijke groet,
>
>
> Maurice Quaedackers
> Planon Cloud Center
> _____________________
>
> Planon B.V.
> Postbus 38074
> 6503 AB Nijmegen
>
> Wijchenseweg 8
> 6537 TL Nijmegen
>
> Nederland
> T: +31 (0) 24 641 3135
> F: +31 (0) 24 642 2942
>
> E: maurice.quaedackers at planonsoftware.com
>
> W: www.planonsoftware.com
>
>
>
> This e-mail and any attachment is for authorised use by the intended
> recipient(s) only. It may contain proprietary material, confidential
> information and/or be subject to legal privilege. It should not be
> copied, disclosed to, retained or used by, any other party. If you are
> not an intended recipient then please promptly delete this e-mail and
> any attachment and all copies and inform the sender.
>
>
>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
From bburke at redhat.com Mon Jul 6 08:59:21 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 06 Jul 2015 08:59:21 -0400
Subject: [keycloak-user] Change keycloak.json adapter config on the fly
In-Reply-To:
References:
Message-ID: <559A7BA9.3010608@redhat.com>
If your client is JBoss/Wildfly, then you can call the JBoss CLI and
edit the config.
http://keycloak.github.io/docs/userguide/html/ch08.html#d4e918
Otherwise, you'll have to implement this yourself using a config
resolver. I think you can adapt the multitenancy support:
http://keycloak.github.io/docs/userguide/html/ch08.html#multi_tenancy
On 7/6/2015 7:33 AM, Orestis Tsakiridis wrote:
> Hello,
>
> I'm securing a REST bearer-only application using keycloak.
>
> Is there any way to change keycloak.json adapter config file on the fly
> so that it can take effect without restarting the container?
>
> Will just editing keycloak.json work? I guess not.
>
> What I want to do is complete an administrative task that will provide
> the information needed for keycloak.json such as 'resource', edit
> keycloak.json and then make this configuration effective for the REST api.
>
>
> Best regards
>
> Orestis
>
>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
From ssilvert at redhat.com Mon Jul 6 09:09:04 2015
From: ssilvert at redhat.com (Stan Silvert)
Date: Mon, 06 Jul 2015 09:09:04 -0400
Subject: [keycloak-user] Change keycloak.json adapter config on the fly
In-Reply-To: <559A7BA9.3010608@redhat.com>
References:
<559A7BA9.3010608@redhat.com>
Message-ID: <559A7DF0.30307@redhat.com>
On 7/6/2015 8:59 AM, Bill Burke wrote:
> If your client is JBoss/Wildfly, then you can call the JBoss CLI and
> edit the config.
>
> http://keycloak.github.io/docs/userguide/html/ch08.html#d4e918
For this solution you will also need to redeploy the application. So
after you make changes to the secure-deployment you use CLI to redeploy:
/deployment=myapp.war/:redeploy
You don't have to restart the whole container though.
>
> Otherwise, you'll have to implement this yourself using a config
> resolver. I think you can adapt the multitenancy support:
>
> http://keycloak.github.io/docs/userguide/html/ch08.html#multi_tenancy
>
>
> On 7/6/2015 7:33 AM, Orestis Tsakiridis wrote:
>> Hello,
>>
>> I'm securing a REST bearer-only application using keycloak.
>>
>> Is there any way to change keycloak.json adapter config file on the fly
>> so that it can take effect without restarting the container?
>>
>> Will just editing keycloak.json work? I guess not.
>>
>> What I want to do is complete an administrative task that will provide
>> the information needed for keycloak.json such as 'resource', edit
>> keycloak.json and then make this configuration effective for the REST api.
>>
>>
>> Best regards
>>
>> Orestis
>>
>>
>>
From srossillo at smartling.com Mon Jul 6 09:52:57 2015
From: srossillo at smartling.com (Scott Rossillo)
Date: Mon, 6 Jul 2015 09:52:57 -0400
Subject: [keycloak-user] Change keycloak.json adapter config on the fly
In-Reply-To:
References:
Message-ID:
Well, the keycloak.json config is just a means to configure
a KeycloakDeployment from an AdapterConfig object. Specifically for the
Spring adapter, the AdapterDeploymentContextBean would have to be aware
that the deployment changed. There would be a minimal amount of code needed
to support that and we can modify AdapterDeploymentContextBean to be more
flexible.
Just so I understand what you're asking for: you want to be able to update
a KeycloakDeployment on-the-fly, correct? Also, you're aware that a
keycloak.json can be configured at startup via either environment variables
or command-line properties, correct? You have to change at runtime?
I think the AdapterDeploymentContextBean should be as flexible as possible,
however I have a small concern about the security of allowing certain
properties to be swapped at runtime (e.g. the realm-public-key and
the auth-server-url).
Best,
Scott
On Mon, Jul 6, 2015 at 7:33 AM, Orestis Tsakiridis <
orestis.tsakiridis at telestax.com> wrote:
> Hello,
>
> I'm securing a REST bearer-only application using keycloak.
>
> Is there any way to change keycloak.json adapter config file on the fly so
> that it can take effect without restarting the container?
>
> Will just editing keycloak.json work? I guess not.
>
> What I want to do is complete an administrative task that will provide the
> information needed for keycloak.json such as 'resource', edit keycloak.json
> and then make this configuration effective for the REST api.
>
>
> Best regards
>
> Orestis
>
>
From srossillo at smartling.com Mon Jul 6 09:54:43 2015
From: srossillo at smartling.com (Scott Rossillo)
Date: Mon, 6 Jul 2015 09:54:43 -0400
Subject: [keycloak-user] Change keycloak.json adapter config on the fly
In-Reply-To:
References:
Message-ID:
Sorry, just re-read the whole thread. Which adapter are you using?
On Mon, Jul 6, 2015 at 9:52 AM, Scott Rossillo
wrote:
> Well, the keycloak.json config is just a means to configure
> a KeycloakDeployment from an AdapterConfig object. Specifically for the
> Spring adapter, the AdapterDeploymentContextBean would have to be aware
> that the deployment changed. There would be a minimal amount of code needed
> to support that and we can modify AdapterDeploymentContextBean to be more
> flexible.
>
> Just so I understand what you're asking for: you want to be able to update
> a KeycloakDeployment on-the-fly, correct? Also, you're aware that a
> keycloak.json can be configured at startup via either environment variables
> or command-line properties, correct? You have to change at runtime?
>
> I think the AdapterDeploymentContextBean should be as flexible as
> possible, however I have a small concern about the security of allowing
> certain properties to be swapped at runtime (e.g. the realm-public-key and
> the auth-server-url).
>
> Best,
> Scott
>
>
> On Mon, Jul 6, 2015 at 7:33 AM, Orestis Tsakiridis <
> orestis.tsakiridis at telestax.com> wrote:
>
>> Hello,
>>
>> I'm securing a REST bearer-only application using keycloak.
>>
>> Is there any way to change keycloak.json adapter config file on the fly
>> so that it can take effect without restarting the container?
>>
>> Will just editing keycloak.json work? I guess not.
>>
>> What I want to do is complete an administrative task that will provide
>> the information needed for keycloak.json such as 'resource', edit
>> keycloak.json and then make this configuration effective for the REST api.
>>
>>
>> Best regards
>>
>> Orestis
>>
>>
>
>
From orestis.tsakiridis at telestax.com Mon Jul 6 10:41:53 2015
From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis)
Date: Mon, 6 Jul 2015 17:41:53 +0300
Subject: [keycloak-user] Change keycloak.json adapter config on the fly
In-Reply-To:
References:
Message-ID:
Thanks all for your responses!
I'm using the JBoss/Wildfly adapter.
So, my case can be reduced to the following:
I have a java REST bearer-only web application (no Spring context here)
that is protected using keycloak1.json
I need to switch on the fly (at runtime, without container restart or
re-deploying) to another keycloak2.json adapter config.
It seems that the multitenancy solution suggested by Bill should work.
Best regards
Orestis
On Mon, Jul 6, 2015 at 4:54 PM, Scott Rossillo
wrote:
> Sorry, just re-read the whole thread. Which adapter are you using?
>
> On Mon, Jul 6, 2015 at 9:52 AM, Scott Rossillo
> wrote:
>
>> Well, the keycloak.json config is just a means to configure
>> a KeycloakDeployment from an AdapterConfig object. Specifically for the
>> Spring adapter, the AdapterDeploymentContextBean would have to be aware
>> that the deployment changed. There would be a minimal amount of code needed
>> to support that and we can modify AdapterDeploymentContextBean to be more
>> flexible.
>>
>> Just so I understand what you're asking for: you want to be able to
>> update a KeycloakDeployment on-the-fly, correct? Also, you're aware that a
>> keycloak.json can be configured at startup via either environment variables
>> or command line properties, correct? You have to change at runtime?
>>
>> I think the AdapterDeploymentContextBean should be as flexible as
>> possible, however I have a small concern about the security of allowing
>> certain properties to be swapped at runtime (e.g. the realm-public-key and
>> the auth-server-url).
>>
>> Best,
>> Scott
>>
>>
>> On Mon, Jul 6, 2015 at 7:33 AM, Orestis Tsakiridis <
>> orestis.tsakiridis at telestax.com> wrote:
>>
>>> Hello,
>>>
>>> I'm securing a REST bearer-only application using keycloak.
>>>
>>> Is there any way to change keycloak.json adapter config file on the fly
>>> so that it can take effect without restarting the container?
>>>
>>> Will just editing keycloak.json work? I guess not.
>>>
>>> What i want to do is complete an administrative task that will provide
>>> the information needed for keycloak.json such as 'resource', edit
>>> keycloak.json and then make this configuration effective for the REST api.
>>>
>>>
>>> Best regards
>>>
>>> Orestis
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150706/d1bc27f4/attachment.html
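The "multitenancy solution" Orestis settles on above is the adapter's KeycloakConfigResolver hook: the adapter asks the resolver for a KeycloakDeployment on every request instead of reading keycloak.json once at startup. The following is an added example, not code from this thread or from the Keycloak project, of a resolver that re-reads keycloak.json whenever the file's modification time changes, so a changed 'resource' takes effect without a container restart. It also acts on Scott's concern earlier in the thread: the realm, auth-server-url and realm-public-key are pinned to the values loaded at startup, and a rewritten file that changes them is rejected and logged rather than trusted. Assumptions: the 1.3.x adapter-core package names (HttpFacade moved to org.keycloak.adapters.spi in later releases), a hypothetical package name, and a hypothetical config path supplied via the system property keycloak.adapter.config.

```java
package org.example.keycloak; // hypothetical package name

import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileTime;
import java.security.PublicKey;
import java.util.Arrays;
import java.util.Objects;
import java.util.logging.Logger;

import org.keycloak.adapters.HttpFacade;              // 1.3.x location (assumed); later org.keycloak.adapters.spi.HttpFacade
import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;

/**
 * Resolves the adapter deployment per request, re-reading keycloak.json when its
 * modification time changes. Settings such as 'resource' may change at runtime;
 * realm, auth-server-url and realm-public-key are pinned to the startup values,
 * because whoever can rewrite those can point the application at another issuer.
 */
public class ReloadingKeycloakConfigResolver implements KeycloakConfigResolver {

    private static final Logger LOG = Logger.getLogger(ReloadingKeycloakConfigResolver.class.getName());

    // Hypothetical path; keep it writable only by the account that deploys the application.
    private static final Path CONFIG =
            Paths.get(System.getProperty("keycloak.adapter.config", "/etc/myapp/keycloak.json"));

    private KeycloakDeployment current; // guarded by 'this'
    private FileTime loadedAt;          // guarded by 'this'

    @Override
    public KeycloakDeployment resolve(HttpFacade.Request request) {
        try {
            FileTime mtime = Files.getLastModifiedTime(CONFIG);
            synchronized (this) {
                if (current == null) {
                    current = load(null);
                    loadedAt = mtime;
                } else if (!mtime.equals(loadedAt)) {
                    try {
                        current = load(current);
                        LOG.info("reloaded " + CONFIG + ", resource=" + current.getResourceName());
                    } catch (IllegalStateException rejected) {
                        LOG.severe(rejected.getMessage()); // keep serving the previous deployment
                    }
                    loadedAt = mtime; // do not re-read a rejected file on every request
                }
                return current;
            }
        } catch (IOException e) {
            throw new IllegalStateException("cannot read " + CONFIG, e);
        }
    }

    private static KeycloakDeployment load(KeycloakDeployment previous) throws IOException {
        try (InputStream in = Files.newInputStream(CONFIG)) {
            KeycloakDeployment fresh = KeycloakDeploymentBuilder.build(in);
            if (previous != null && trustAnchorsChanged(previous, fresh)) {
                throw new IllegalStateException("refusing runtime change of realm, "
                        + "auth-server-url or realm-public-key in " + CONFIG);
            }
            return fresh;
        }
    }

    /** True when any value that decides which issuer the application trusts differs. */
    static boolean trustAnchorsChanged(KeycloakDeployment a, KeycloakDeployment b) {
        return !Objects.equals(a.getRealm(), b.getRealm())
                || !Objects.equals(a.getAuthServerBaseUrl(), b.getAuthServerBaseUrl())
                || !sameKey(a.getRealmKey(), b.getRealmKey());
    }

    private static boolean sameKey(PublicKey a, PublicKey b) {
        if (a == null || b == null) {
            return a == b;
        }
        return Arrays.equals(a.getEncoded(), b.getEncoded());
    }
}
```

With the JBoss/WildFly adapter the resolver is registered through the web.xml context parameter keycloak.config.resolver (its value is the fully qualified class name), exactly as the multi-tenant example does; the keycloak.json inside the WAR is then no longer consulted. The stat of the file on every request is cheap next to token verification, but the synchronized block means a reload blocks concurrent requests for the duration of one parse, which is acceptable for an administrative change that happens rarely.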
From fmrage at hotmail.com Mon Jul 6 16:04:27 2015
From: fmrage at hotmail.com (Fabio Monteiro)
Date: Mon, 6 Jul 2015 22:04:27 +0200
Subject: [keycloak-user] Is it possible to make the login keycloak page look different between several applications?
In-Reply-To:
References:
Message-ID:
Hi there,
We have a client that uses KeyCloak as a centralized server solution for grant and security access. We would like to know if it is possible to make the login page of KeyCloak look COMPLETELY different and different between several apps? Even better, is it possible to simply use ONLY REST communications from a business app to handle everything Keycloak has to offer in terms of security and identity?
Thanks a lot for your help, we are not sure about how to handle all this.
Fabio M
fmrage at hotmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150706/cf4ddbb5/attachment.html
From eugene.chow.ct at gmail.com Mon Jul 6 23:51:43 2015
From: eugene.chow.ct at gmail.com (Eugene Chow)
Date: Tue, 7 Jul 2015 11:51:43 +0800
Subject: [keycloak-user] Error decoding JSON response from custom identity
provider
Message-ID: <787C4D43-23BB-4FB8-8D10-037647565ED3@gmail.com>
Hi all,
I'm trying to integrate Keycloak with a custom OpenID Connect identity provider. I got to the point where the server returned Keycloak a JSON response.
I got the following error:
2015-07-07 02:39:46,013 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-12) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: Could not fetch attributes from userinfo endpoint.
?
...
Caused by: org.codehaus.jackson.JsonParseException: Unexpected character (',' (code 44)): expected a valid value (number, String, array, object, 'true', 'false' or 'null') at [Source: java.io.StringReader at 183b074c; line: 3, column: 10]
Is there a way to peek at the content of the JSON response? I tried switching on debug mode in Wildfly, but the token wasn't printed in the logs.
Thanks!
Eugene
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150707/86b56391/attachment.html
From rajat.nair at hp.com Tue Jul 7 07:44:36 2015
From: rajat.nair at hp.com (Nair, Rajat)
Date: Tue, 7 Jul 2015 11:44:36 +0000
Subject: [keycloak-user] Issues syncing users with LDAP (Keycloak
v1.3.1/v1.2.0)
Message-ID:
Hi,
I have setup LDAP server and configured Keycloak (under User Federation) to communicate with LDAP. Test connection and test authentication both work and Keycloak "seems" to be communicating with LDAP successfully, but when I try to sync users, no data is imported to Keycloak. I have tried with Keycloak release 1.3.1 and 1.2.0 Final. Also tried with simple LDAP schema (ou=customers,dc=xyz,dc=com) but still no luck.
I'm attaching my LDAP setting (from phpLdap) and my Keycloak settings - could this be configuration issues?
On Keycloak logs, I can see -
06:32:57,286 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] (default task-15) Sync all users from LDAP to local store: realm: 4b921ecb-e068-41d0-956d-fea12f2706cf, federation provider: myldapserver
06:32:57,301 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] (default task-15) Sync all users finished: 0 imported users, 0 updated users, 0 removed users
Any way I can debug further to figure out what is going on? Currently, Keycloak and LDAP are setup on different boxes.
-- Rajat
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150707/c73e70b5/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Comm.LDAP.Settings.PNG
Type: image/png
Size: 72370 bytes
Desc: Comm.LDAP.Settings.PNG
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150707/c73e70b5/attachment-0002.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Comm.phpLDAP.Settings.PNG
Type: image/png
Size: 45265 bytes
Desc: Comm.phpLDAP.Settings.PNG
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150707/c73e70b5/attachment-0003.png
From bburke at redhat.com Tue Jul 7 08:48:53 2015
From: bburke at redhat.com (Bill Burke)
Date: Tue, 07 Jul 2015 08:48:53 -0400
Subject: [keycloak-user] Is it possible to make the login keycloak page look different between several applications?
In-Reply-To:
References:
Message-ID: <559BCAB5.8080906@redhat.com>
Thought I already answered this?
It is possible to make keycloak login look entirely different. The
login pages all use Freemarker templates and you have the ability to
override anything you want piecemeal, or you can entirely change the
look and feel. Here's a good example of that:
https://developers.redhat.com/auth/realms/rhd/account
Here's the documentation on themes:
http://keycloak.github.io/docs/userguide/html/themes.html
Now, can you make it look completely different for different apps? Our
theme framework does not have this capability. But, the client making
the call is available in the login.ftl template as a variable, you could
have a bunch of #if statements everywhere. Would look really ugly and
hard to maintain, but it would work.
On 7/6/2015 4:04 PM, Fabio Monteiro wrote:
> Hi there,
>
> We have a client that uses KeyCloak as a centralized server solution for
> grant and security access. We would like to know if it is possible to
> make the login page of KeyCloak look COMPLETELY different and different
> between several apps ?
>
> Even better, is it possible to simply use ONLY REST communications from
> a business app to handle everything Keycloak has to offer in terms of
> security and identity ??
>
Keycloak has a REST interface, but you are losing a lot of functionality
if you just use that. Keycloak just becomes a backend store in that
scenario...
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
From stephen.more at gmail.com Tue Jul 7 10:01:50 2015
From: stephen.more at gmail.com (Stephen More)
Date: Tue, 7 Jul 2015 10:01:50 -0400
Subject: [keycloak-user] Multi tenant plus administration Rest api
In-Reply-To:
References:
Message-ID:
Or perhaps a better question would be: Once a user is already logged into
keycloak, how can a org.keycloak.representations.AccessTokenResponse
without providing a password a second time ?
On Sun, Jul 5, 2015 at 12:00 PM, Stephen More
wrote:
> How could I extend the multi-tenant example (
> https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant
> ) to make a Rest admin api call back to keycloak using java ?
>
> I think this would be a helpful example in upcoming releases.
>
> Thanks
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150707/2baf546c/attachment.html
From bburke at redhat.com Tue Jul 7 10:08:22 2015
From: bburke at redhat.com (Bill Burke)
Date: Tue, 07 Jul 2015 10:08:22 -0400
Subject: [keycloak-user] Multi tenant plus administration Rest api
In-Reply-To:
References:
Message-ID: <559BDD56.90308@redhat.com>
The access token should already be available.
On 7/7/2015 10:01 AM, Stephen More wrote:
> Or perhaps a better question would be: Once a user is already logged
> into keycloak, how can a
> org.keycloak.representations.AccessTokenResponse without providing a
> password a second time ?
>
> On Sun, Jul 5, 2015 at 12:00 PM, Stephen More wrote:
>
> How could I extend the multi-tenant example (
> https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant
> ) to make a Rest admin api call back to keycloak using java ?
>
> I think this would be a helpful example in upcoming releases.
>
> Thanks
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
From thiago.addevico at gmail.com Tue Jul 7 10:57:00 2015
From: thiago.addevico at gmail.com (Thiago Presa)
Date: Tue, 7 Jul 2015 11:57:00 -0300
Subject: [keycloak-user] Testing JSR-250 annotated EJBs with Keycloak and
Arquillian
Message-ID:
Hi there,
Is there any documentation or examples on testing JSR-250 annotated EJBs
with Keycloak and Arquillian? I've found [1], but couldn't figure out how
to use it in a test environment.
Best Regards,
Thiago Presa
[1] -
https://github.com/keycloak/keycloak/blob/master/integration/adapter-core/src/main/java/org/keycloak/adapters/jaas/DirectAccessGrantsLoginModule.java
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150707/000b0461/attachment.html
From stephen.more at gmail.com Tue Jul 7 12:46:34 2015
From: stephen.more at gmail.com (Stephen More)
Date: Tue, 7 Jul 2015 12:46:34 -0400
Subject: [keycloak-user] Multi tenant plus administration Rest api
In-Reply-To: <559BDD56.90308@redhat.com>
References:
<559BDD56.90308@redhat.com>
Message-ID:
I have tried to add:

    // tokens the adapter already holds for the logged-in user
    org.keycloak.representations.IDToken idToken =
        principal.getKeycloakSecurityContext().getIdToken();
    org.keycloak.representations.AccessToken token =
        principal.getKeycloakSecurityContext().getToken();

    writer.write("<br>Access Token id: " + token.getId());
    writer.write("<br>Access Token String: " +
        principal.getKeycloakSecurityContext().getTokenString());
    writer.write("<br>ID Token id: " + idToken.getId());
    writer.write("<br>ID Token String: " +
        principal.getKeycloakSecurityContext().getIdTokenString());
    writer.write(String.format(
        "<br><a href=\"/multitenant/%s/logout\">Logout</a>", realm));

    // call the admin REST API with the user's own access token as the bearer token
    try
    {
        java.net.URL url = new java.net.URL(
            "http://localhost:8080/auth/admin/realms/" +
            principal.getKeycloakSecurityContext().getRealm() + "/roles");
        java.net.HttpURLConnection conn =
            (java.net.HttpURLConnection) url.openConnection();
        conn.setRequestMethod("GET");
        conn.setRequestProperty("Authorization", "Bearer " +
            principal.getKeycloakSecurityContext().getTokenString());
        // getInputStream() throws on a non-2xx status, so a 403 ends up in the catch below
        java.io.BufferedReader in = new java.io.BufferedReader(
            new java.io.InputStreamReader(conn.getInputStream()));
        String line;
        while ((line = in.readLine()) != null)
        {
            writer.write(line);
        }
        in.close();
    }
    catch (Exception e)
    {
        e.printStackTrace();
    }
to
keycloak-demo-1.3.1.Final/examples/multi-tenant/src/main/java/org/keycloak/example/multitenant/boundary/ProtectedServlet.java
But I am getting an error:
12:28:28,317 WARN [org.jboss.resteasy.core.ExceptionHandler] (default
task-16) Failed executing GET /admin/realms/tenant1/roles:
org.keycloak.services.ForbiddenException
In stepping through the AdminClient of the admin-access-app I have found an
example bearer token was 1157 characters long.
principal.getKeycloakSecurityContext().getIdTokenString() turned out to be
645 characters long.
principal.getKeycloakSecurityContext().getTokenString() turned out to be
865 characters long.
What is it that I am missing ?
On Tue, Jul 7, 2015 at 10:08 AM, Bill Burke wrote:
> The access token should already be available.
>
> On 7/7/2015 10:01 AM, Stephen More wrote:
> > Or perhaps a better question would be: Once a user is already logged
> > into keycloak, how can a
> > org.keycloak.representations.AccessTokenResponse without providing a
> > password a second time ?
> >
> > On Sun, Jul 5, 2015 at 12:00 PM, Stephen More wrote:
> >
> > How could I extend the multi-tenant example (
> > https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant
> > ) to make a Rest admin api call back to keycloak using java ?
> >
> > I think this would be a helpful example in upcoming releases.
> >
> > Thanks
> >
> >
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150707/e5648cf7/attachment.html
From bburke at redhat.com Tue Jul 7 13:33:34 2015
From: bburke at redhat.com (Bill Burke)
Date: Tue, 07 Jul 2015 13:33:34 -0400
Subject: [keycloak-user] Testing JSR-250 annotated EJBs with Keycloak
and Arquillian
In-Reply-To:
References:
Message-ID: <559C0D6E.7060206@redhat.com>
You mean RolesAllowed and stuff? It should just work:
http://keycloak.github.io/docs/userguide/html/ch08.html#jboss-adapter
Search for EJB. You have to create a security domain to propagate the
security context, but it's a simple step.
On 7/7/2015 10:57 AM, Thiago Presa wrote:
> Hi there,
>
> Is there any documentation or examples on testing JSR-250 annotated EJBs
> with Keycloak and Arquillian? I've found [1], but couldn't figure out
> how to use it in a test environment.
>
> Best Regards,
> Thiago Presa
>
>
> [1] -
> https://github.com/keycloak/keycloak/blob/master/integration/adapter-core/src/main/java/org/keycloak/adapters/jaas/DirectAccessGrantsLoginModule.java
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
From mposolda at redhat.com Wed Jul 8 06:20:26 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 08 Jul 2015 12:20:26 +0200
Subject: [keycloak-user] Multi tenant plus administration Rest api
In-Reply-To:
References: <559BDD56.90308@redhat.com>
Message-ID: <559CF96A.2020004@redhat.com>
It looks like authorization issue. Your user either doesn't have
required roles or your client is missing scopes (which means that roles
are not propagated to accessToken).
To just view roles, you need role "view-realm" of client
"realm-management" .
Marek
On 7.7.2015 18:46, Stephen More wrote:
> I have tried to add:
>
>     // tokens the adapter already holds for the logged-in user
>     org.keycloak.representations.IDToken idToken =
>         principal.getKeycloakSecurityContext().getIdToken();
>     org.keycloak.representations.AccessToken token =
>         principal.getKeycloakSecurityContext().getToken();
>
>     writer.write("<br>Access Token id: " + token.getId());
>     writer.write("<br>Access Token String: " +
>         principal.getKeycloakSecurityContext().getTokenString());
>     writer.write("<br>ID Token id: " + idToken.getId());
>     writer.write("<br>ID Token String: " +
>         principal.getKeycloakSecurityContext().getIdTokenString());
>     writer.write(String.format(
>         "<br><a href=\"/multitenant/%s/logout\">Logout</a>", realm));
>
>     // call the admin REST API with the user's own access token as the bearer token
>     try
>     {
>         java.net.URL url = new java.net.URL(
>             "http://localhost:8080/auth/admin/realms/" +
>             principal.getKeycloakSecurityContext().getRealm() + "/roles");
>         java.net.HttpURLConnection conn =
>             (java.net.HttpURLConnection) url.openConnection();
>         conn.setRequestMethod("GET");
>         conn.setRequestProperty("Authorization", "Bearer " +
>             principal.getKeycloakSecurityContext().getTokenString());
>         // getInputStream() throws on a non-2xx status, so a 403 ends up in the catch below
>         java.io.BufferedReader in = new java.io.BufferedReader(
>             new java.io.InputStreamReader(conn.getInputStream()));
>         String line;
>         while ((line = in.readLine()) != null)
>         {
>             writer.write(line);
>         }
>         in.close();
>     }
>     catch (Exception e)
>     {
>         e.printStackTrace();
>     }
>
> to
> keycloak-demo-1.3.1.Final/examples/multi-tenant/src/main/java/org/keycloak/example/multitenant/boundary/ProtectedServlet.java
>
> But I am getting an error:
> 12:28:28,317 WARN [org.jboss.resteasy.core.ExceptionHandler] (default
> task-16) Failed executing GET /admin/realms/tenant1/roles:
> org.keycloak.services.ForbiddenException
>
>
> In stepping through the AdminClient of the admin-access-app I have
> found an example bearer token was 1157 characters long.
>
> principal.getKeycloakSecurityContext().getIdTokenString() turned out
> to be 645 characters long.
>
> principal.getKeycloakSecurityContext().getTokenString() turned out to
> be 865 characters long.
>
>
> What is it that I am missing ?
>
> On Tue, Jul 7, 2015 at 10:08 AM, Bill Burke wrote:
>
> The access token should already be available.
>
> On 7/7/2015 10:01 AM, Stephen More wrote:
> > Or perhaps a better question would be: Once a user is already logged
> > into keycloak, how can a
> > org.keycloak.representations.AccessTokenResponse without providing a
> > password a second time ?
> >
> > On Sun, Jul 5, 2015 at 12:00 PM, Stephen More wrote:
> >
> > How could I extend the multi-tenant example (
> > https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant
> > ) to make a Rest admin api call back to keycloak using java ?
> >
> > I think this would be a helpful example in upcoming releases.
> >
> > Thanks
> >
> >
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150708/b20e494f/attachment-0001.html
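Marek's diagnosis names two distinct causes for the ForbiddenException, and both are visible in the access token the adapter already parsed for the request, so they can be told apart before the admin REST call is made. The following is an added example, not code from this thread or from the Keycloak project, of a check on the parsed org.keycloak.representations.AccessToken: it reports which of the required client roles (here 'view-realm' on the 'realm-management' client) are absent, and distinguishes a token that carries none of that client's roles at all (no grant, or the calling client's scope keeps them out of the token) from one that carries the wrong ones. The main method feeds it constructed tokens, not real ones; the package name is hypothetical.

```java
package org.example.keycloak; // hypothetical package name

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.keycloak.representations.AccessToken;

/**
 * Checks, from the access token the adapter already holds, whether a call to the
 * admin REST API can succeed before the request is sent.
 */
public final class AdminRoleCheck {

    /** Client whose roles the admin REST endpoints check; 'view-realm' is needed to list roles. */
    public static final String REALM_MANAGEMENT = "realm-management";

    private AdminRoleCheck() {}

    /** Roles from {@code required} that {@code token} does not carry for {@code clientId}. */
    public static List<String> missingClientRoles(AccessToken token, String clientId, String... required) {
        AccessToken.Access access = token.getResourceAccess(clientId); // null when the token has no entry for the client
        List<String> missing = new ArrayList<>();
        for (String role : required) {
            if (access == null || !access.isUserInRole(role)) {
                missing.add(role);
            }
        }
        return missing;
    }

    /** Separates the two causes Marek lists: no role grant at all, versus the wrong roles. */
    public static String explain(AccessToken token, String clientId, String... required) {
        List<String> missing = missingClientRoles(token, clientId, required);
        if (missing.isEmpty()) {
            return "ok: token carries " + Arrays.toString(required) + " for client '" + clientId + "'";
        }
        if (token.getResourceAccess(clientId) == null) {
            // No resource_access entry for the client: either the user has none of its roles,
            // or the calling client's scope does not let them into the access token.
            return "token has no roles for client '" + clientId + "': grant the user "
                    + Arrays.toString(required) + " or allow them in the calling client's scope";
        }
        return "token lacks " + missing + " on client '" + clientId + "'";
    }

    /** Constructed tokens (not real ones) showing the three outcomes. */
    public static void main(String[] args) {
        AccessToken none = new AccessToken();                         // no resource_access at all
        AccessToken partial = new AccessToken();
        partial.addAccess(REALM_MANAGEMENT).addRole("view-users");    // a role, but not the needed one
        AccessToken ok = new AccessToken();
        ok.addAccess(REALM_MANAGEMENT).addRole("view-realm");

        for (AccessToken t : new AccessToken[] { none, partial, ok }) {
            System.out.println(explain(t, REALM_MANAGEMENT, "view-realm"));
        }
    }
}
```

In the servlet from the thread the same call is AdminRoleCheck.explain(principal.getKeycloakSecurityContext().getToken(), AdminRoleCheck.REALM_MANAGEMENT, "view-realm"); writing that string to the response before the HttpURLConnection is opened turns an opaque 403 into a statement of which admin-console setting to fix.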
From mposolda at redhat.com Wed Jul 8 06:31:39 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 08 Jul 2015 12:31:39 +0200
Subject: [keycloak-user] Issues syncing users with LDAP (Keycloak
v1.3.1/v1.2.0)
In-Reply-To:
References:
Message-ID: <559CFC0B.20104@redhat.com>
On 7.7.2015 13:44, Nair, Rajat wrote:
>
> Hi,
>
> I have setup LDAP server and configured Keycloak (under User
> Federation) to communicate with LDAP. Test connection and test
> authentication both work and Keycloak "seems" to be communicating with
> LDAP successfully, but when I try to sync users, no data is imported
> to Keycloak. I have tried with Keycloak release 1.3.1 and 1.2.0 Final.
> Also tried with simple LDAP schema (ou=customers,dc=xyz,dc=com) but
> still no luck.
>
> I'm attaching my LDAP setting (from phpLdap) and my Keycloak settings
> - could this be configuration issues?
>
Yes, for "User Object classes" you are supposed to enter all values of
objectClass attribute of your typical user record in LDAP. For your
case, it might be sufficient to enter just value "inetOrgPerson" .
In latest master, I've improved the description of User Object classes
tooltip a bit to clarify this a bit more. Let me know if you're still seeing
issues.
Thanks,
Marek
>
> On Keycloak logs, I can see -
>
> 06:32:57,286 INFO
> [org.keycloak.federation.ldap.LDAPFederationProviderFactory] (default
> task-15) Sync all users from LDAP to local store: realm:
> 4b921ecb-e068-41d0-956d-fea12f2706cf, federation provider: myldapserver
>
> 06:32:57,301 INFO
> [org.keycloak.federation.ldap.LDAPFederationProviderFactory] (default
> task-15) Sync all users finished: 0 imported users, 0 updated users, 0
> removed users
>
> Any way I can debug further to figure out what is going on? Currently,
> Keycloak and LDAP are setup on different boxes.
>
> -- Rajat
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150708/7dbbcf34/attachment.html
From rajat.nair at hp.com Wed Jul 8 06:36:18 2015
From: rajat.nair at hp.com (Nair, Rajat)
Date: Wed, 8 Jul 2015 10:36:18 +0000
Subject: [keycloak-user] Issues syncing users with LDAP (Keycloak
v1.3.1/v1.2.0)
In-Reply-To: <559CFC0B.20104@redhat.com>
References:
<559CFC0B.20104@redhat.com>
Message-ID:
Thanks for the tip Marek. That was the issue.
Adding this information as a tooltip will positively help future users.
-- Rajat
From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Wednesday, July 08, 2015 4:02 PM
To: Nair, Rajat; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Issues syncing users with LDAP (Keycloak v1.3.1/v1.2.0)
On 7.7.2015 13:44, Nair, Rajat wrote:
Hi,
I have setup LDAP server and configured Keycloak (under User Federation) to communicate with LDAP. Test connection and test authentication both work and Keycloak "seems" to be communicating with LDAP successfully, but when I try to sync users, no data is imported to Keycloak. I have tried with Keycloak release 1.3.1 and 1.2.0 Final. Also tried with simple LDAP schema (ou=customers,dc=xyz,dc=com) but still no luck.
I'm attaching my LDAP setting (from phpLdap) and my Keycloak settings - could this be configuration issues?
Yes, for "User Object classes" you are supposed to enter all values of objectClass attribute of your typical user record in LDAP. For your case, it might be sufficient to enter just value "inetOrgPerson" .
In latest master, I've improved the description of User Object classes tooltip a bit to clarify this a bit more. Let me know if you're still seeing issues.
Thanks,
Marek
On Keycloak logs, I can see -
06:32:57,286 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] (default task-15) Sync all users from LDAP to local store: realm: 4b921ecb-e068-41d0-956d-fea12f2706cf, federation provider: myldapserver
06:32:57,301 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] (default task-15) Sync all users finished: 0 imported users, 0 updated users, 0 removed users
Any way I can debug further to figure out what is going on? Currently, Keycloak and LDAP are setup on different boxes.
-- Rajat
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150708/73054abe/attachment.html
From rajat.nair at hp.com Wed Jul 8 12:26:42 2015
From: rajat.nair at hp.com (Nair, Rajat)
Date: Wed, 8 Jul 2015 16:26:42 +0000
Subject: [keycloak-user] Errors while running LDAP integration test
Message-ID:
Hi,
During LDAP integration with Keycloak (v1.3.1), we get to see a "Unique index or primary key violation" exception while trying to log in with an LDAP user on Keycloak's account service site. I setup latest Keycloak source (from Github) to debug this issue. During build, I saw the same error when LDAP integration tests were running. Here are the logs -
21:40:24,624 INFO [org.keycloak.testsuite.KeycloakServer] Imported realm test
21:40:24,709 INFO [org.keycloak.federation.ldap.LDAPIdentityStoreRegistry] Creating new LDAP based partition manager for the Federation provider: test-ldap, LDAP Configuration: {bindDn=uid=admin,ou=system, userObjectClasses=null, baseDn=dc=keycloak,dc=org, usersDn=ou=People,dc=keycloak,dc=org, vendor=other, kerberosRealm=KEYCLOAK.ORG, syncRegistrations=false, userAccountControlsAfterPasswordUpdate=false, debug=true, connectionPooling=true, serverPrincipal=HTTP/localhost at KEYCLOAK.ORG, usernameLDAPAttribute=null, allowKerberosAuthentication=false, useKerberosForPasswordAuthentication=false, rdnLDAPAttribute=null, keyTab=/home/USER/apps/keycloak/testsuite/integration/target/test-classes/kerberos/http.keytab, batchSizeForSync=3, connectionUrl=ldap://localhost:10389, allowPasswordAuthentication=true, editMode=WRITABLE, updateProfileFirstLogin=true, pagination=true}
21:40:25,790 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync all users from LDAP to local store: realm: test, federation provider: test-ldap
21:40:25,845 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync all users finished: 5 imported users, 0 updated users, 0 removed users
21:40:26,862 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync changed users from LDAP to local store: realm: test, federation provider: test-ldap, last sync time: Wed Jul 08 21:40:25 IST 2015
21:40:26,900 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync changed users finished: 1 imported users, 1 updated users, 0 removed users
21:40:26,920 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync all users from LDAP to local store: realm: test, federation provider: test-ldap
21:40:26,962 WARN [org.keycloak.federation.ldap.LDAPFederationProviderFactory] User 'user7' is not updated during sync as he already exists in Keycloak database but is not linked to federation provider 'test-ldap'
21:40:26,969 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync all users finished: 0 imported users, 6 updated users, 0 removed users, 1 users failed sync! See server log for more details
21:40:26,981 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync all users from LDAP to local store: realm: test, federation provider: test-ldap
21:40:27,054 ERROR [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Failed during import user from LDAP
org.keycloak.models.ModelDuplicateException: javax.persistence.PersistenceException: org.hibernate.exception.ConstraintViolationException: Unique index or primary key violation: "UK_DYKN684SL8UP1CRFEI6ECKHD7_INDEX_D ON PUBLIC.USER_ENTITY(REALM_ID, EMAIL_CONSTRAINT) VALUES ('test', 'user7 at email.org', 21)"; SQL statement:
update USER_ENTITY set CREATED_TIMESTAMP=?, EMAIL=?, EMAIL_CONSTRAINT=?, EMAIL_VERIFIED=?, ENABLED=?, federation_link=?, FIRST_NAME=?, LAST_NAME=?, REALM_ID=?, TOTP=?, USERNAME=? where ID=? [23505-187]
at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:40)
at org.keycloak.connections.jpa.JpaKeycloakTransaction.commit(JpaKeycloakTransaction.java:30)
at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:58)
at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:247)
at org.keycloak.federation.ldap.LDAPFederationProviderFactory.importLdapUsers(LDAPFederationProviderFactory.java:286)
at org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncImpl(LDAPFederationProviderFactory.java:241)
at org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncAllUsers(LDAPFederationProviderFactory.java:200)
at org.keycloak.services.managers.UsersSyncManager.syncAllUsers(UsersSyncManager.java:50)
at org.keycloak.testsuite.federation.SyncProvidersTest.test02duplicateUsernameSync(SyncProvidersTest.java:200)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:78)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:57)
at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
at org.junit.rules.ExternalResource$1.evaluate(ExternalResource.java:48)
at org.junit.rules.ExternalResource$1.evaluate(ExternalResource.java:48)
at org.junit.rules.RunRules.evaluate(RunRules.java:20)
at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:264)
at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:153)
at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:124)
at org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:200)
at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:153)
at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:103)
Caused by: javax.persistence.PersistenceException: org.hibernate.exception.ConstraintViolationException: Unique index or primary key violation: "UK_DYKN684SL8UP1CRFEI6ECKHD7_INDEX_D ON PUBLIC.USER_ENTITY(REALM_ID, EMAIL_CONSTRAINT) VALUES ('test', 'user7 at email.org', 21)"; SQL statement:
update USER_ENTITY set CREATED_TIMESTAMP=?, EMAIL=?, EMAIL_CONSTRAINT=?, EMAIL_VERIFIED=?, ENABLED=?, federation_link=?, FIRST_NAME=?, LAST_NAME=?, REALM_ID=?, TOTP=?, USERNAME=? where ID=? [23505-187]
at org.hibernate.ejb.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1361)
at org.hibernate.ejb.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1289)
at org.hibernate.ejb.TransactionImpl.commit(TransactionImpl.java:78)
at org.keycloak.connections.jpa.JpaKeycloakTransaction.commit(JpaKeycloakTransaction.java:28)
... 33 more
Caused by: org.hibernate.exception.ConstraintViolationException: Unique index or primary key violation: "UK_DYKN684SL8UP1CRFEI6ECKHD7_INDEX_D ON PUBLIC.USER_ENTITY(REALM_ID, EMAIL_CONSTRAINT) VALUES ('test', 'user7 at email.org', 21)"; SQL statement:
update USER_ENTITY set CREATED_TIMESTAMP=?, EMAIL=?, EMAIL_CONSTRAINT=?, EMAIL_VERIFIED=?, ENABLED=?, federation_link=?, FIRST_NAME=?, LAST_NAME=?, REALM_ID=?, TOTP=?, USERNAME=? where ID=? [23505-187]
at org.hibernate.exception.internal.SQLStateConversionDelegate.convert(SQLStateConversionDelegate.java:128)
at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:47)
at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:125)
at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:110)
at org.hibernate.engine.jdbc.internal.proxy.AbstractStatementProxyHandler.continueInvocation(AbstractStatementProxyHandler.java:129)
at org.hibernate.engine.jdbc.internal.proxy.AbstractProxyHandler.invoke(AbstractProxyHandler.java:81)
at com.sun.proxy.$Proxy54.executeUpdate(Unknown Source)
at org.hibernate.engine.jdbc.batch.internal.NonBatchingBatch.addToBatch(NonBatchingBatch.java:56)
at org.hibernate.persister.entity.AbstractEntityPersister.update(AbstractEntityPersister.java:3006)
at org.hibernate.persister.entity.AbstractEntityPersister.updateOrInsert(AbstractEntityPersister.java:2908)
at org.hibernate.persister.entity.AbstractEntityPersister.update(AbstractEntityPersister.java:3237)
at org.hibernate.action.internal.EntityUpdateAction.execute(EntityUpdateAction.java:113)
at org.hibernate.engine.spi.ActionQueue.execute(ActionQueue.java:272)
at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:264)
at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:187)
at org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:326)
at org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:52)
at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1081)
at org.hibernate.internal.SessionImpl.managedFlush(SessionImpl.java:315)
at org.hibernate.engine.transaction.internal.jdbc.JdbcTransaction.beforeTransactionCommit(JdbcTransaction.java:101)
at org.hibernate.engine.transaction.spi.AbstractTransactionImpl.commit(AbstractTransactionImpl.java:175)
at org.hibernate.ejb.TransactionImpl.commit(TransactionImpl.java:73)
... 34 more
Caused by: org.h2.jdbc.JdbcSQLException: Unique index or primary key violation: "UK_DYKN684SL8UP1CRFEI6ECKHD7_INDEX_D ON PUBLIC.USER_ENTITY(REALM_ID, EMAIL_CONSTRAINT) VALUES ('test', 'user7 at email.org', 21)"; SQL statement:
update USER_ENTITY set CREATED_TIMESTAMP=?, EMAIL=?, EMAIL_CONSTRAINT=?, EMAIL_VERIFIED=?, ENABLED=?, federation_link=?, FIRST_NAME=?, LAST_NAME=?, REALM_ID=?, TOTP=?, USERNAME=? where ID=? [23505-187]
at org.h2.message.DbException.getJdbcSQLException(DbException.java:345)
at org.h2.message.DbException.get(DbException.java:179)
at org.h2.message.DbException.get(DbException.java:155)
at org.h2.index.BaseIndex.getDuplicateKeyException(BaseIndex.java:102)
at org.h2.mvstore.db.MVSecondaryIndex.checkUnique(MVSecondaryIndex.java:233)
at org.h2.mvstore.db.MVSecondaryIndex.add(MVSecondaryIndex.java:191)
at org.h2.mvstore.db.MVTable.addRow(MVTable.java:638)
at org.h2.table.Table.updateRows(Table.java:478)
at org.h2.command.dml.Update.update(Update.java:145)
at org.h2.command.CommandContainer.update(CommandContainer.java:78)
at org.h2.command.Command.executeUpdate(Command.java:254)
at org.h2.jdbc.JdbcPreparedStatement.executeUpdateInternal(JdbcPreparedStatement.java:157)
at org.h2.jdbc.JdbcPreparedStatement.executeUpdate(JdbcPreparedStatement.java:143)
at sun.reflect.GeneratedMethodAccessor261.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.hibernate.engine.jdbc.internal.proxy.AbstractStatementProxyHandler.continueInvocation(AbstractStatementProxyHandler.java:122)
... 51 more
21:40:27,103 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync all users finished: 1 imported users, 6 updated users, 0 removed users, 1 users failed sync! See server log for more details
21:40:27,110 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync all users from LDAP to local store: realm: test, federation provider: test-ldap
21:40:27,167 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync all users finished: 1 imported users, 6 updated users, 0 removed users
21:40:28,175 INFO [org.keycloak.testsuite.DummyUserFederationProviderFactory] syncChangedUsers invoked
Is this a known issue?
-- Rajat
From mposolda at redhat.com Thu Jul 9 02:25:02 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 09 Jul 2015 08:25:02 +0200
Subject: [keycloak-user] Errors while running LDAP integration test
In-Reply-To:
References:
Message-ID: <559E13BE.8090901@redhat.com>
Hi,
this is actually expected. I've added a new test for the fix of syncing bugs with
a duplicated username or email. The test asserts that a user is not synced from
LDAP if there is already another user with the same username or email in the
Keycloak database. The test also asserts that just the syncing of the
"duplicated" user fails, but the other users are successfully synced (the
whole sync transaction is not broken as it was in 1.3.1).
As I can see in your log, it works as expected and the test is passing,
is that correct?
Yesterday I added some more fixes (now there is no
ConstraintException thrown from the DB, but there is a check for duplicates
triggered earlier from Keycloak). So I suggest updating to the latest
master and trying it now. Please let me know if you're still seeing issues.
I will do a bit more testing and will add the LDAP example today, so
there might still be some changes, but I hope not many.
Thanks,
Marek
On 8.7.2015 18:26, Nair, Rajat wrote:
>
> Hi,
>
> During LDAP integration with Keycloak (v1.3.1), we get to see a
> "Unique index or primary key violation" exception while trying to
> login with an LDAP user on Keycloak's account service site. I set up
> the latest Keycloak source (from GitHub) to debug this issue. During
> the build, I saw the same error when the LDAP integration tests were running.
> Here are the logs:
>
> 21:40:24,624 INFO [org.keycloak.testsuite.KeycloakServer] Imported realm test
> 21:40:24,709 INFO [org.keycloak.federation.ldap.LDAPIdentityStoreRegistry] Creating new LDAP based partition manager for the Federation provider: test-ldap, LDAP Configuration: {bindDn=uid=admin,ou=system, userObjectClasses=null, baseDn=dc=keycloak,dc=org, usersDn=ou=People,dc=keycloak,dc=org, vendor=other, kerberosRealm=KEYCLOAK.ORG, syncRegistrations=false, userAccountControlsAfterPasswordUpdate=false, debug=true, connectionPooling=true, serverPrincipal=HTTP/localhost at KEYCLOAK.ORG, usernameLDAPAttribute=null, allowKerberosAuthentication=false, useKerberosForPasswordAuthentication=false, rdnLDAPAttribute=null, keyTab=/home/USER/apps/keycloak/testsuite/integration/target/test-classes/kerberos/http.keytab, batchSizeForSync=3, connectionUrl=ldap://localhost:10389, allowPasswordAuthentication=true, editMode=WRITABLE, updateProfileFirstLogin=true, pagination=true}
> 21:40:25,790 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync all users from LDAP to local store: realm: test, federation provider: test-ldap
> 21:40:25,845 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync all users finished: 5 imported users, 0 updated users, 0 removed users
> 21:40:26,862 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync changed users from LDAP to local store: realm: test, federation provider: test-ldap, last sync time: Wed Jul 08 21:40:25 IST 2015
> 21:40:26,900 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync changed users finished: 1 imported users, 1 updated users, 0 removed users
> 21:40:26,920 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync all users from LDAP to local store: realm: test, federation provider: test-ldap
> 21:40:26,962 WARN [org.keycloak.federation.ldap.LDAPFederationProviderFactory] User 'user7' is not updated during sync as he already exists in Keycloak database but is not linked to federation provider 'test-ldap'
> 21:40:26,969 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync all users finished: 0 imported users, 6 updated users, 0 removed users, 1 users failed sync! See server log for more details
> 21:40:26,981 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync all users from LDAP to local store: realm: test, federation provider: test-ldap
> 21:40:27,054 ERROR [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Failed during import user from LDAP
> org.keycloak.models.ModelDuplicateException: javax.persistence.PersistenceException: org.hibernate.exception.ConstraintViolationException: Unique index or primary key violation: "UK_DYKN684SL8UP1CRFEI6ECKHD7_INDEX_D ON PUBLIC.USER_ENTITY(REALM_ID, EMAIL_CONSTRAINT) VALUES ('test', 'user7 at email.org', 21)"; SQL statement:
> update USER_ENTITY set CREATED_TIMESTAMP=?, EMAIL=?, EMAIL_CONSTRAINT=?, EMAIL_VERIFIED=?, ENABLED=?, federation_link=?, FIRST_NAME=?, LAST_NAME=?, REALM_ID=?, TOTP=?, USERNAME=? where ID=? [23505-187]
> at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:40)
> at org.keycloak.connections.jpa.JpaKeycloakTransaction.commit(JpaKeycloakTransaction.java:30)
> at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:58)
> at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:247)
> at org.keycloak.federation.ldap.LDAPFederationProviderFactory.importLdapUsers(LDAPFederationProviderFactory.java:286)
> at org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncImpl(LDAPFederationProviderFactory.java:241)
> at org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncAllUsers(LDAPFederationProviderFactory.java:200)
> at org.keycloak.services.managers.UsersSyncManager.syncAllUsers(UsersSyncManager.java:50)
> at org.keycloak.testsuite.federation.SyncProvidersTest.test02duplicateUsernameSync(SyncProvidersTest.java:200)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:606)
> at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
> at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
> at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
> at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
> at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325)
> at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:78)
> at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:57)
> at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
> at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
> at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
> at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
> at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
> at org.junit.rules.ExternalResource$1.evaluate(ExternalResource.java:48)
> at org.junit.rules.ExternalResource$1.evaluate(ExternalResource.java:48)
> at org.junit.rules.RunRules.evaluate(RunRules.java:20)
> at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
> at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:264)
> at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:153)
> at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:124)
> at org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:200)
> at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:153)
> at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:103)
> Caused by: javax.persistence.PersistenceException: org.hibernate.exception.ConstraintViolationException: Unique index or primary key violation: "UK_DYKN684SL8UP1CRFEI6ECKHD7_INDEX_D ON PUBLIC.USER_ENTITY(REALM_ID, EMAIL_CONSTRAINT) VALUES ('test', 'user7 at email.org', 21)"; SQL statement:
> update USER_ENTITY set CREATED_TIMESTAMP=?, EMAIL=?, EMAIL_CONSTRAINT=?, EMAIL_VERIFIED=?, ENABLED=?, federation_link=?, FIRST_NAME=?, LAST_NAME=?, REALM_ID=?, TOTP=?, USERNAME=? where ID=? [23505-187]
> at org.hibernate.ejb.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1361)
> at org.hibernate.ejb.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1289)
> at org.hibernate.ejb.TransactionImpl.commit(TransactionImpl.java:78)
> at org.keycloak.connections.jpa.JpaKeycloakTransaction.commit(JpaKeycloakTransaction.java:28)
> ... 33 more
> Caused by: org.hibernate.exception.ConstraintViolationException: Unique index or primary key violation: "UK_DYKN684SL8UP1CRFEI6ECKHD7_INDEX_D ON PUBLIC.USER_ENTITY(REALM_ID, EMAIL_CONSTRAINT) VALUES ('test', 'user7 at email.org', 21)"; SQL statement:
> update USER_ENTITY set CREATED_TIMESTAMP=?, EMAIL=?, EMAIL_CONSTRAINT=?, EMAIL_VERIFIED=?, ENABLED=?, federation_link=?, FIRST_NAME=?, LAST_NAME=?, REALM_ID=?, TOTP=?, USERNAME=? where ID=? [23505-187]
> at org.hibernate.exception.internal.SQLStateConversionDelegate.convert(SQLStateConversionDelegate.java:128)
> at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:47)
> at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:125)
> at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:110)
> at org.hibernate.engine.jdbc.internal.proxy.AbstractStatementProxyHandler.continueInvocation(AbstractStatementProxyHandler.java:129)
> at org.hibernate.engine.jdbc.internal.proxy.AbstractProxyHandler.invoke(AbstractProxyHandler.java:81)
> at com.sun.proxy.$Proxy54.executeUpdate(Unknown Source)
> at org.hibernate.engine.jdbc.batch.internal.NonBatchingBatch.addToBatch(NonBatchingBatch.java:56)
> at org.hibernate.persister.entity.AbstractEntityPersister.update(AbstractEntityPersister.java:3006)
> at org.hibernate.persister.entity.AbstractEntityPersister.updateOrInsert(AbstractEntityPersister.java:2908)
> at org.hibernate.persister.entity.AbstractEntityPersister.update(AbstractEntityPersister.java:3237)
> at org.hibernate.action.internal.EntityUpdateAction.execute(EntityUpdateAction.java:113)
> at org.hibernate.engine.spi.ActionQueue.execute(ActionQueue.java:272)
> at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:264)
> at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:187)
> at org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:326)
> at org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:52)
> at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1081)
> at org.hibernate.internal.SessionImpl.managedFlush(SessionImpl.java:315)
> at org.hibernate.engine.transaction.internal.jdbc.JdbcTransaction.beforeTransactionCommit(JdbcTransaction.java:101)
> at org.hibernate.engine.transaction.spi.AbstractTransactionImpl.commit(AbstractTransactionImpl.java:175)
> at org.hibernate.ejb.TransactionImpl.commit(TransactionImpl.java:73)
> ... 34 more
> Caused by: org.h2.jdbc.JdbcSQLException: Unique index or primary key violation: "UK_DYKN684SL8UP1CRFEI6ECKHD7_INDEX_D ON PUBLIC.USER_ENTITY(REALM_ID, EMAIL_CONSTRAINT) VALUES ('test', 'user7 at email.org', 21)"; SQL statement:
> update USER_ENTITY set CREATED_TIMESTAMP=?, EMAIL=?, EMAIL_CONSTRAINT=?, EMAIL_VERIFIED=?, ENABLED=?, federation_link=?, FIRST_NAME=?, LAST_NAME=?, REALM_ID=?, TOTP=?, USERNAME=? where ID=? [23505-187]
> at org.h2.message.DbException.getJdbcSQLException(DbException.java:345)
> at org.h2.message.DbException.get(DbException.java:179)
> at org.h2.message.DbException.get(DbException.java:155)
> at org.h2.index.BaseIndex.getDuplicateKeyException(BaseIndex.java:102)
> at org.h2.mvstore.db.MVSecondaryIndex.checkUnique(MVSecondaryIndex.java:233)
> at org.h2.mvstore.db.MVSecondaryIndex.add(MVSecondaryIndex.java:191)
> at org.h2.mvstore.db.MVTable.addRow(MVTable.java:638)
> at org.h2.table.Table.updateRows(Table.java:478)
> at org.h2.command.dml.Update.update(Update.java:145)
> at org.h2.command.CommandContainer.update(CommandContainer.java:78)
> at org.h2.command.Command.executeUpdate(Command.java:254)
> at org.h2.jdbc.JdbcPreparedStatement.executeUpdateInternal(JdbcPreparedStatement.java:157)
> at org.h2.jdbc.JdbcPreparedStatement.executeUpdate(JdbcPreparedStatement.java:143)
> at sun.reflect.GeneratedMethodAccessor261.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:606)
> at org.hibernate.engine.jdbc.internal.proxy.AbstractStatementProxyHandler.continueInvocation(AbstractStatementProxyHandler.java:122)
> ... 51 more
> 21:40:27,103 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync all users finished: 1 imported users, 6 updated users, 0 removed users, 1 users failed sync! See server log for more details
> 21:40:27,110 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync all users from LDAP to local store: realm: test, federation provider: test-ldap
> 21:40:27,167 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync all users finished: 1 imported users, 6 updated users, 0 removed users
> 21:40:28,175 INFO [org.keycloak.testsuite.DummyUserFederationProviderFactory] syncChangedUsers invoked
>
> Is this a known issue?
>
> -- Rajat
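The sync behaviour Marek describes above, as an added Python sketch that is not Keycloak's own code: a user from the directory whose username already belongs to a local account that is not linked to the provider (or whose email belongs to a different local account) is rejected by a check made before any database write, that user alone is counted as failed, and the remaining users are still imported or updated. The in-memory store, the user list and the provider name 'test-ldap' are constructed here to reproduce the "0 imported users, 6 updated users, 0 removed users, 1 users failed sync!" line from the log.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class DuplicateUserError(Exception):
    """Raised by the pre-check instead of letting a DB unique constraint fire at commit."""


@dataclass
class LdapUser:
    username: str
    email: str


@dataclass
class LocalUser:
    username: str
    email: str
    federation_link: Optional[str] = None  # id of the provider this account is linked to


@dataclass
class SyncResult:
    imported: int = 0
    updated: int = 0
    failed: int = 0
    warnings: List[str] = field(default_factory=list)

    def summary(self) -> str:
        """Same shape as the 'Sync all users finished' log line (this toy never removes users)."""
        s = f"{self.imported} imported users, {self.updated} updated users, 0 removed users"
        return s + (f", {self.failed} users failed sync!" if self.failed else "")


class LocalStore:
    """Toy stand-in for the realm's user table: unique username and unique email per realm."""

    def __init__(self) -> None:
        self.by_username: Dict[str, LocalUser] = {}
        self.by_email: Dict[str, LocalUser] = {}

    def add(self, user: LocalUser) -> None:
        self.by_username[user.username] = user
        self.by_email[user.email] = user

    def set_email(self, user: LocalUser, email: str) -> None:
        self.by_email.pop(user.email, None)
        user.email = email
        self.by_email[email] = user


def sync_one(store: LocalStore, provider: str, ldap_user: LdapUser) -> str:
    """Import or update one directory user; returns 'imported' or 'updated'."""
    local = store.by_username.get(ldap_user.username)
    email_owner = store.by_email.get(ldap_user.email)

    if local is None:
        # Fresh username, but the email may already belong to another local account.
        if email_owner is not None:
            raise DuplicateUserError(
                f"User '{ldap_user.username}' is not imported during sync as email "
                f"'{ldap_user.email}' already belongs to local user '{email_owner.username}'")
        store.add(LocalUser(ldap_user.username, ldap_user.email, provider))
        return "imported"

    if local.federation_link != provider:
        # A local-only account with the same username must not be overwritten (the WARN in the log).
        raise DuplicateUserError(
            f"User '{ldap_user.username}' is not updated during sync as he already exists in "
            f"Keycloak database but is not linked to federation provider '{provider}'")

    if email_owner is not None and email_owner is not local:
        raise DuplicateUserError(
            f"User '{ldap_user.username}' is not updated during sync as email "
            f"'{ldap_user.email}' already belongs to local user '{email_owner.username}'")

    store.set_email(local, ldap_user.email)
    return "updated"


def sync_all(store: LocalStore, provider: str, ldap_users: List[LdapUser]) -> SyncResult:
    """Each user is its own unit of work: one duplicate fails, the others still land."""
    result = SyncResult()
    for u in ldap_users:
        try:
            outcome = sync_one(store, provider, u)
        except DuplicateUserError as exc:
            result.failed += 1
            result.warnings.append(str(exc))
            continue
        if outcome == "imported":
            result.imported += 1
        else:
            result.updated += 1
    return result


def demo() -> SyncResult:
    """Constructed scenario: user1..user6 already linked to 'test-ldap', user7 created locally."""
    store = LocalStore()
    for i in range(1, 7):
        store.add(LocalUser(f"user{i}", f"user{i}@email.org", "test-ldap"))
    store.add(LocalUser("user7", "user7@email.org"))  # local-only account, no federation link
    directory = [LdapUser(f"user{i}", f"user{i}@email.org") for i in range(1, 8)]
    return sync_all(store, "test-ldap", directory)


if __name__ == "__main__":
    r = demo()
    print("Sync all users finished:", r.summary())
    for w in r.warnings:
        print("WARN", w)
```

Running it prints the same counts as the quoted log, with one WARN line for user7. The point of doing the lookup in `sync_one` before touching the store is the one Marek makes about the newer master: the duplicate is caught where the username and email are compared, not at commit time, so the failure is attributable to one user and carries a readable reason rather than an H2 index name.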
From Maurice.Quaedackers at planonsoftware.com Thu Jul 9 05:34:11 2015
From: Maurice.Quaedackers at planonsoftware.com (Maurice Quaedackers)
Date: Thu, 9 Jul 2015 11:34:11 +0200
Subject: [keycloak-user] Keycloak 1.3.1 Openshift cartridge
Message-ID: <16DCFFB91025EF4DB80D3ECCA6E097E46DAE558E3C@NL-MAIL02.planon-fm.com>
Hello,
Is a GitHub repository of Keycloak 1.3.1 available?
When I visit https://github.com/keycloak I can find the https://github.com/keycloak/openshift-keycloak-cartridge repository, but there is no 1.3.1 version available.
Can a 1.3.1 version be added, or can you point me in the right direction?
Thank you very much in advance,
Best regards
Maurice Quaedackers
From favez.steve at gmail.com Thu Jul 9 06:03:28 2015
From: favez.steve at gmail.com (Steve Favez)
Date: Thu, 9 Jul 2015 12:03:28 +0200
Subject: [keycloak-user] Oauth2 Saml Bearer Assertion support
Message-ID:
Hi all,
Quick question regarding Keycloak 1.3.1. Does it already support OAuth2
SAML Bearer Assertions?
Our use case would be the following:
one AngularJS app authenticating the user using Keycloak, then invoking OData
/ RESTful services published by SAP NetWeaver Gateway, protected using the
OAuth2 SAML Bearer Assertion (see sample here:
http://wiki.scn.sap.com/wiki/display/Security/Using+OAuth+2.0+from+a+Web+Application+with+SAML+Bearer+Assertion+Flow
).
Thanks in advance for your help
Steve
From favez.steve at gmail.com Thu Jul 9 06:58:30 2015
From: favez.steve at gmail.com (Steve Favez)
Date: Thu, 9 Jul 2015 12:58:30 +0200
Subject: [keycloak-user] authentication level / chaining realms
Message-ID:
Hi keycloak's experts,
I'm wondering if it's possible to chain realm invocations in Keycloak (and
also, whether it's a good practice or not).
The use case is the following:
Keycloak is used as an SSO identity server for a set of applications
with different security policies, but for the same users (so, the same user
directory).
- some applications require only "user / password" authentication.
- some applications require a second authentication factor (for
example SMS, or any other system).
My idea was the following:
- we have a first realm - let's name it "simple realm" - that requires only
user / password
- we have a second realm - let's name it "2fa realm" - that requires a
token from "simple realm" and the second authentication factor.
- If I connect to an application secured by the "2fa realm", my
application will redirect to the "2fa realm"; then, as it can't find any
simple token, the realm dispatches the invocation to the "simple
realm", and then asks for the second authentication factor.
So, a user authenticated against the "2fa realm" gets two tokens: the
simple realm token and the 2FA token.
Thanks in advance for your valuable comments, ideas or critiques.
Best regards.
Steve
From Maurice.Quaedackers at planonsoftware.com Thu Jul 9 08:34:02 2015
From: Maurice.Quaedackers at planonsoftware.com (Maurice Quaedackers)
Date: Thu, 9 Jul 2015 14:34:02 +0200
Subject: [keycloak-user] Keycloak 1.3.1 Openshift cartridge
In-Reply-To: <16DCFFB91025EF4DB80D3ECCA6E097E46DAE558E3C@NL-MAIL02.planon-fm.com>
References: <16DCFFB91025EF4DB80D3ECCA6E097E46DAE558E3C@NL-MAIL02.planon-fm.com>
Message-ID: <16DCFFB91025EF4DB80D3ECCA6E097E46DAE559220@NL-MAIL02.planon-fm.com>
Sorry,
I forgot to mention that I am looking for a Keycloak Openshift 1.3.1 cartridge.
Best regards,
Maurice Quaedackers
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Maurice Quaedackers
Sent: donderdag 9 juli 2015 11:34
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Keycloak 1.3.1 Openshift cartridge
Hello,
Is a GitHub repository of Keycloak 1.3.1 available?
When I visit https://github.com/keycloak I can find the https://github.com/keycloak/openshift-keycloak-cartridge repository, but there is no 1.3.1 version available.
Can a 1.3.1 version be added, or can you point me in the right direction?
Thank you very much in advance,
Best regards
Maurice Quaedackers
From bburke at redhat.com Thu Jul 9 08:55:24 2015
From: bburke at redhat.com (Bill Burke)
Date: Thu, 09 Jul 2015 08:55:24 -0400
Subject: [keycloak-user] Oauth2 Saml Bearer Assertion support
In-Reply-To:
References:
Message-ID: <559E6F3C.1030905@redhat.com>
We do not have support for OAuth2 SAML Bearer Assertions. Contributions
would be lovely. If not, log a jira with the exact link shown below.
Our queue is pretty big at the moment though...
On 7/9/2015 6:03 AM, Steve Favez wrote:
> Hi all,
> Quick question regarding Keycloak 1.3.1. Does it already support OAuth2
> SAML Bearer Assertions?
> Our use case would be the following:
> one AngularJS app authenticating the user using Keycloak, then invoking
> OData / RESTful services published by SAP NetWeaver Gateway, protected
> using the OAuth2 SAML Bearer Assertion (see sample here:
> http://wiki.scn.sap.com/wiki/display/Security/Using+OAuth+2.0+from+a+Web+Application+with+SAML+Bearer+Assertion+Flow).
>
> Thanks in advance for your help
>
> Steve
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
From bburke at redhat.com Thu Jul 9 09:08:44 2015
From: bburke at redhat.com (Bill Burke)
Date: Thu, 09 Jul 2015 09:08:44 -0400
Subject: [keycloak-user] authentication level / chaining realms
In-Reply-To:
References:
Message-ID: <559E725C.3050400@redhat.com>
There's no way to do this right now. This one is actually on the
roadmap though.
On 7/9/2015 6:58 AM, Steve Favez wrote:
> Hi keycloak's experts,
>
> I'm wondering if it's possible to chain realm invocations in Keycloak
> (and also, whether it's a good practice or not).
>
> The use case is the following:
>
> Keycloak is used as an SSO identity server for a set of
> applications with different security policies, but for the same users
> (so, the same user directory).
>
> o some applications require only "user / password" authentication.
> o some applications require a second authentication factor (for
> example SMS, or any other system).
>
> My idea was the following:
>
> o we have a first realm - let's name it "simple realm" - that requires
> only user / password
> o we have a second realm - let's name it "2fa realm" - that requires a
> token from "simple realm" and the second authentication factor.
> o If I connect to an application secured by the "2fa realm", my
> application will redirect to the "2fa realm"; then, as it can't
> find any simple token, the realm dispatches the invocation to the
> "simple realm", and then asks for the second authentication factor.
>
> So, a user authenticated against the "2fa realm" gets two tokens: the
> simple realm token and the 2FA token.
>
> Thanks in advance for your valuable comments , ideas or critics.
>
> Best regards.
>
>
> Steve
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
From mposolda at redhat.com Thu Jul 9 17:32:46 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 09 Jul 2015 23:32:46 +0200
Subject: [keycloak-user] Error during "Synchronize all users" from an
LDAP Server
In-Reply-To:
References:
Message-ID: <559EE87E.5090308@redhat.com>
I think it should be fixed in the latest master. Among the LDAP fixes, I've also
added the example application showing integration with LDAP. It's here:
https://github.com/keycloak/keycloak/tree/master/examples/ldap
If you have the opportunity to try it, you can build the latest master with
commands like these (you need Java 7, Maven 3.1 or later and git):
$ git clone https://github.com/keycloak/keycloak.git
$ cd keycloak
$ mvn clean install -DskipTests=true
$ cd distribution
$ mvn clean install
Then
$KEYCLOAK_HOME/distribution/demo-dist/target/keycloak-demo-1.4.0.Final-SNAPSHOT.zip
is the latest demo distribution (which contains the example) and
$KEYCLOAK_HOME/distribution/server-dist/target/keycloak-1.4.0.Final-SNAPSHOT.zip
is the latest server distribution.
Marek
On 25.6.2015 10:10, Giovanni Baruzzi wrote:
> Marek,
>
> Thank you for your attention.
> It is sure in the same area. But as you see I used a very simple LDAP
> and only the attribute objectClass has multiple values.
> Please tell me if you need further information about my setup.
>
> Regards,
> Giovanni
From mposolda at redhat.com Thu Jul 9 17:23:29 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 09 Jul 2015 23:23:29 +0200
Subject: [keycloak-user] How read added mapper attribute from ldap?
In-Reply-To:
References:
Message-ID: <559EE651.5050106@redhat.com>
Hi,
I've pushed the LDAP example and some LDAP related fixes into the latest
master. It's here:
https://github.com/keycloak/keycloak/tree/master/examples/ldap
If you have the opportunity to try it, you can build the latest master with
commands like these (you need Java 7, Maven 3.1 or later and git):
$ git clone https://github.com/keycloak/keycloak.git
$ cd keycloak
$ mvn clean install -DskipTests=true
$ cd distribution
$ mvn clean install
Then
$KEYCLOAK_HOME/distribution/demo-dist/target/keycloak-demo-1.4.0.Final-SNAPSHOT.zip
is the latest demo distribution (which contains the example) and
$KEYCLOAK_HOME/distribution/server-dist/target/keycloak-1.4.0.Final-SNAPSHOT.zip
is the latest server distribution.
Marek
On 29.6.2015 14:02, Adam Daduev wrote:
> Hi.
> I tried to use the new feature of Keycloak 1.3.1: I added a new attribute, like
> department, but I cannot get it in my web bean. I tried to get the new
> attribute from KeycloakSecurityContext, but it cannot be found.
> How can I get my newly added attribute?
> Thanks!
From jcoria at healthcentrix.com Thu Jul 9 21:40:55 2015
From: jcoria at healthcentrix.com (Javier Coria)
Date: Thu, 9 Jul 2015 18:40:55 -0700
Subject: [keycloak-user] error creating user
Message-ID:
Hello I hope you can help.
When I want to create my user, I do as follows:
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.ws.rs.core.Response;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.UsersResource;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

// getURL() and clientID are the poster's own helper and variable: the server base URL and the admin client id
Keycloak keycloak = Keycloak.getInstance(getURL(), "MyRealm", "myUser", "myPassword", clientID);
UserRepresentation userRep = new UserRepresentation();
userRep.setUsername("testUser");
// the password travels in clear inside the representation; the server hashes it on creation
CredentialRepresentation credentials = new CredentialRepresentation();
credentials.setType("password");
credentials.setValue("t");
List<CredentialRepresentation> list = new ArrayList<CredentialRepresentation>();
list.add(credentials);
userRep.setCredentials(list);
userRep.setEnabled(true);
userRep.setEmail("myMail@outlook.com");
userRep.setEmailVerified(false);
userRep.setFirstName("Javier");
userRep.setLastName("Javi");
Map<String, String> map = new HashMap<String, String>(); // no custom attributes
userRep.setAttributes(map);
UsersResource users = keycloak.realm("MyRealm").users();
Response response = users.create(userRep);
First it responds with code 200:
- 18:14:09 DEBUG org.apache.http.headers:273
>> POST /auth/realms/prevvy/protocol/openid-connect/token HTTP/1.1
- 18:14:09 DEBUG org.apache.http.impl.conn.DefaultClientConnection:254
Receiving response: HTTP/1.1 200 OK
but at the end it responds with a 500 error and I don't know why :(
- 18:14:10 DEBUG org.apache.http.wire:63
>> "Host: develop.prevvy.co:9095[\r][\n]"
- 18:14:10 DEBUG org.apache.http.wire:63
>> "Connection: Keep-Alive[\r][\n]"
- 18:14:10 DEBUG org.apache.http.wire:63
>> "[\r][\n]"
- 18:14:10 DEBUG org.apache.http.headers:273
>> POST /auth/admin/realms/prevvy/users HTTP/1.1
- 18:14:10 DEBUG org.apache.http.headers:276
>> Accept-Encoding: gzip, deflate
- 18:14:10 DEBUG org.apache.http.headers:276
>> Authorization: Bearer
- 18:14:10 DEBUG org.apache.http.headers:276
>> Content-Type: application/json
- 18:14:10 DEBUG org.apache.http.headers:276
>> Content-Length: 498
- 18:14:10 DEBUG org.apache.http.headers:276
>> Host: develop.prevvy.co:9095
- 18:14:10 DEBUG org.apache.http.headers:276
>> Connection: Keep-Alive
- 18:14:10 DEBUG org.apache.http.wire:77
>> "{"self":null,"id":null,"username":"testttt","enabled":true,"totp":false,"emailVerified":false,"firstName":"Javier","lastName":"Coria","email":"jcoria@healthcentrix.com","federationLink":null,"attributes":{},"credentials":[{"type":"password","device":null,"value":"t","hashedSaltedValue":null,"salt":null,"hashIterations":null,"temporary":false}],"requiredActions":null,"federatedIdentities":null,"realmRoles":null,"clientRoles":null,"clientConsents":null,"applicationRoles":null,"socialLinks":null}"
- 18:14:10 DEBUG org.apache.http.wire:63
<< "HTTP/1.1 500 Internal Server Error[\r][\n]"
Thank you!!
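An added example, not Javier's code or the Keycloak project's, showing how to surface the server's reason for a 500 from the admin client instead of finding it only in the HTTP wire log: it checks the status, reads the error body once, and takes the new user's id from the Location header on 201. It assumes a `Keycloak` admin client already obtained as in the snippet above; `createUser` and `CreateResult` are names chosen here, and the password is marked temporary so the initial value must be replaced at first login.

```java
import java.net.URI;
import java.util.Collections;
import javax.ws.rs.core.Response;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

// Added example (not from the thread): wraps users().create() so the caller
// gets the HTTP status plus either the new user's id or the server's error body.
public class CreateUserExample {

    public static final class CreateResult {
        public final int status;
        public final String userId;    // set only when the server answered 201 with a Location
        public final String errorBody; // set only on a non-201 answer

        CreateResult(int status, String userId, String errorBody) {
            this.status = status;
            this.userId = userId;
            this.errorBody = errorBody;
        }
    }

    public static CreateResult createUser(Keycloak keycloak, String realm,
                                          String username, String email, String initialPassword) {
        UserRepresentation user = new UserRepresentation();
        user.setUsername(username);
        user.setEmail(email);
        user.setEmailVerified(false);
        user.setEnabled(true);

        CredentialRepresentation cred = new CredentialRepresentation();
        cred.setType(CredentialRepresentation.PASSWORD);
        cred.setValue(initialPassword);
        cred.setTemporary(true); // the user must choose a new password at first login
        user.setCredentials(Collections.singletonList(cred));

        Response response = keycloak.realm(realm).users().create(user);
        try {
            int status = response.getStatus();
            URI location = response.getLocation();
            if (status == 201 && location != null) {
                // Location ends in /users/{id}; the last path segment is the new user's id
                String path = location.getPath();
                return new CreateResult(status, path.substring(path.lastIndexOf('/') + 1), null);
            }
            // Anything else: keep the body, which usually carries Keycloak's error description
            String body = response.hasEntity() ? response.readEntity(String.class) : "";
            return new CreateResult(status, null, body);
        } finally {
            response.close(); // release the connection whether or not the body was read
        }
    }
}
```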
From peterson.dean at gmail.com Fri Jul 10 01:30:42 2015
From: peterson.dean at gmail.com (Dean Peterson)
Date: Fri, 10 Jul 2015 01:30:42 -0400
Subject: [keycloak-user] Still getting index error when upgrading to
1.3.1.Final
Message-ID:
I did a fresh install with mongodb 3.0 and everything worked fine running
1.3.1.Final. However, I need to upgrade from 1.2.0.Beta1 so I tried the
same configuration with everything except this time migrating the old
database data. I get the following error:
    at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:148)
    ... 19 more
Caused by: java.lang.RuntimeException: Failed to update database
    at org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:90)
    at org.keycloak.connections.mongo.DefaultMongoConnectionFactoryProvider.lazyInit(DefaultMongoConnectionFactoryProvider.java:99)
    ... 36 more
Caused by: com.mongodb.CommandFailureException: { "serverUsed" : "kcdb/172.17.0.69:27017" , "nIndexesWas" : 1 , "ok" : 0.0 , "errmsg" : "index not found with name [realmId_1_name_1]"}
    at com.mongodb.CommandResult.getException(CommandResult.java:71)
    at com.mongodb.CommandResult.throwOnError(CommandResult.java:110)
    at com.mongodb.DBCollection.dropIndexes(DBCollection.java:847)
    at com.mongodb.DBCollection.dropIndex(DBCollection.java:1349)
    at org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.convertApplicationsToClients(Update1_2_0_CR1.java:33)
    at org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.update(Update1_2_0_CR1.java:23)
    at org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:79)
    ... 37 more
01:17:00,691 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.
I mentioned this before and Stian was going to look into it; at the time he
thought it might be due to using mongodb 3.0. However, mongodb 3.0 works
fine with a fresh install.
From giriraj.sharma27 at gmail.com Fri Jul 10 01:41:25 2015
From: giriraj.sharma27 at gmail.com (Giriraj Sharma)
Date: Fri, 10 Jul 2015 11:11:25 +0530
Subject: [keycloak-user] Keycloak 1.3.1 Openshift cartridge
In-Reply-To: <16DCFFB91025EF4DB80D3ECCA6E097E46DAE559220@NL-MAIL02.planon-fm.com>
References: <16DCFFB91025EF4DB80D3ECCA6E097E46DAE558E3C@NL-MAIL02.planon-fm.com>
<16DCFFB91025EF4DB80D3ECCA6E097E46DAE559220@NL-MAIL02.planon-fm.com>
Message-ID:
Hi,
The latest version available for Keycloak Openshift 1.3.1 cartridge at
present is Keycloak 1.2.0.Final
I am not sure but the version shall be updated soon.
On Thu, Jul 9, 2015 at 6:04 PM, Maurice Quaedackers <
Maurice.Quaedackers at planonsoftware.com> wrote:
> Sorry,
>
> I forgot to mention that I am looking for a Keycloak Openshift 1.3.1
> cartridge.
>
> Best regards,
>
> Maurice Quaedackers
>
> *From:* keycloak-user-bounces at lists.jboss.org [mailto:
> keycloak-user-bounces at lists.jboss.org] *On Behalf Of *Maurice Quaedackers
> *Sent:* Thursday 9 July 2015 11:34
> *To:* keycloak-user at lists.jboss.org
> *Subject:* [keycloak-user] Keycloak 1.3.1 Openshift cartridge
>
> Hello,
>
> Is a GitHub repository of Keycloak 1.3.1 available?
>
> When I visit https://github.com/keycloak I can find the
> https://github.com/keycloak/openshift-keycloak-cartridge repository, but
> there is no 1.3.1 version available.
>
> Can a 1.3.1 version be added, or can you point me in the correct
> direction?
>
> Thank you very much in advance,
>
> Best regards,
>
> Maurice Quaedackers
>
--
Giriraj Sharma
about.me/girirajsharma
Giriraj Sharma,
Department of Computer Science
National Institute of Technology Hamirpur
Himachal Pradesh, India 177005
From juandiego83 at gmail.com Fri Jul 10 12:48:53 2015
From: juandiego83 at gmail.com (Juan Diego)
Date: Fri, 10 Jul 2015 11:48:53 -0500
Subject: [keycloak-user] params on my url get duplicated on angular app on
reload
Message-ID:
Hi,
I don't know if it is a problem of my code, but for example I see my page
http://localhost/index.html
then I load it and I see something like
http://localhost/index.html?prompt=none&code=jYy-h3j8F8O6hruPRUF0lO8eisDwbrRAtA3yzag0epg.05b27843-6c0b-4be6-83fc-a27afe108c50&state=80c3e263-0a89-4853-86b2-61e7f675b609
If I keep reloading my page I keep seeing
prompt=none&code=jYy-h3j8F8O6hruPRUF0lO8eisDwbrRAtA3yzag0epg.05b27843-6c0b-4be6-83fc-a27afe108c50&state=80c3e263-0a89-4853-86b2-61e7f675b609
added over and over.
From peterson.dean at gmail.com Fri Jul 10 12:53:02 2015
From: peterson.dean at gmail.com (Dean Peterson)
Date: Fri, 10 Jul 2015 11:53:02 -0500
Subject: [keycloak-user] Upgrading is a giant pain
Message-ID:
I wish Keycloak had a one button click mechanism for upgrading the
application. I use Discourse (http://www.discourse.org/) for messaging in
my application. I run Keycloak inside a Docker container just like
Discourse. Discourse gives me an admin landing page that tells me every
time I log in if I am up to date. If I am not, a little sad face tells me
I need to upgrade. All I have to do to upgrade is click a button and
everything happens automatically. The data is migrated, the docker
container is updated and the application is redeployed. It never fails and
takes 5 minutes. Every time I need to upgrade Keycloak it is a month long
ordeal. The database migration never works. I always have to export the
data as json, then upload the file after I manage to get a fresh install of
the latest version up and running. I understand Keycloak has a lot of
parts and I really like it, but I wish the upgrade process would get some
attention. It is a very painful process at the moment.
From bburke at redhat.com Fri Jul 10 13:39:04 2015
From: bburke at redhat.com (Bill Burke)
Date: Fri, 10 Jul 2015 13:39:04 -0400
Subject: [keycloak-user] Upgrading is a giant pain
In-Reply-To:
References:
Message-ID: <55A00338.4000908@redhat.com>
Yeah, migration is something we will fully nail down before we go into
product. The project has been moving too fast and we still have a lot
of features to get in this year.
That being said, I did read some of your email history. I don't think
you should expect migration to work with snapshots from master or from
betas and alphas though. I know I've changed the data model multiple
times in master prior to doing a release.
On 7/10/2015 12:53 PM, Dean Peterson wrote:
> I wish Keycloak had a one button click mechanism for upgrading the
> application. I use Discourse (http://www.discourse.org/) for messaging
> in my application. I run Keycloak inside a Docker container just like
> Discourse. Discourse gives me an admin landing page that tells me every
> time I log in if I am up to date. If I am not, a little sad face tells
> me I need to upgrade. All I have to do to upgrade is click a button and
> everything happens automatically. The data is migrated, the docker
> container is updated and the application is redeployed. It never fails
> and takes 5 minutes. Every time I need to upgrade Keycloak it is a
> month long ordeal. The database migration never works. I always have
> to export the data as json, then upload the file after I manage to get a
> fresh install of the latest version up and running. I understand
> Keycloak has a lot of parts and I really like it, but I wish the upgrade
> process would get some attention. It is a very painful process at the
> moment.
>
>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
From peterson.dean at gmail.com Fri Jul 10 14:22:00 2015
From: peterson.dean at gmail.com (Dean Peterson)
Date: Fri, 10 Jul 2015 13:22:00 -0500
Subject: [keycloak-user] Upgrading is a giant pain
In-Reply-To:
References:
Message-ID:
I no longer pull down masters because the releases have been working for
me. The documentation says I should be able to upgrade from beta versions
to newer releases. This latest problem happened even when I was trying to
go from 1.2.0.Beta3 to 1.2.0.Final. Since that did not work, I waited a
while hoping a later version would improve the situation. People often do
what they are not supposed to. Expecting people to only upgrade from Final
release to Final release seems like wishful thinking and may lead to
unhappy customers, even if they are wrong.
On Fri, Jul 10, 2015 at 11:53 AM, Dean Peterson
wrote:
> I wish Keycloak had a one button click mechanism for upgrading the
> application. I use Discourse (http://www.discourse.org/) for messaging
> in my application. I run Keycloak inside a Docker container just like
> Discourse. Discourse gives me an admin landing page that tells me every
> time I log in if I am up to date. If I am not, a little sad face tells me
> I need to upgrade. All I have to do to upgrade is click a button and
> everything happens automatically. The data is migrated, the docker
> container is updated and the application is redeployed. It never fails and
> takes 5 minutes. Every time I need to upgrade Keycloak it is a month long
> ordeal. The database migration never works. I always have to export the
> data as json, then upload the file after I manage to get a fresh install of
> the latest version up and running. I understand Keycloak has a lot of
> parts and I really like it, but I wish the upgrade process would get some
> attention. It is a very painful process at the moment.
>
From juandiego83 at gmail.com Fri Jul 10 18:48:44 2015
From: juandiego83 at gmail.com (Juan Diego)
Date: Fri, 10 Jul 2015 17:48:44 -0500
Subject: [keycloak-user] Getting the user id from the access token
Message-ID:
Hi
I want to be able to update the user password and some preferences from my
web app. In order to update some of the user info from my portal, I can see
in the REST API that you need the user ID.
I have a backend with Java that should connect to my Keycloak server once
it gets the token:
KeycloakSecurityContext securityContext = (KeycloakSecurityContext)
        httpRequest.getAttribute(KeycloakSecurityContext.class.getName());
AccessToken accessToken = securityContext.getToken();
I don't know how to get info from the accessToken, or whether the access token
class already has methods to do that. I know this is more of a question of
design. This part is not really clear to me.
Thanks
From scott at xigole.com Fri Jul 10 18:54:01 2015
From: scott at xigole.com (Scott Dunbar)
Date: Fri, 10 Jul 2015 16:54:01 -0600
Subject: [keycloak-user] Getting the user id from the access token
In-Reply-To:
References:
Message-ID: <55A04D09.6060803@xigole.com>
I use something like:
import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.IDToken;
...
@Resource
private SessionContext sessionContext;
...
@SuppressWarnings("unchecked")
KeycloakPrincipal kcPrincipal = (KeycloakPrincipal)(sessionContext.getCallerPrincipal());
IDToken idToken = kcPrincipal.getKeycloakSecurityContext().getIdToken();
log.debug( "email from token is \"" + idToken.getEmail() + "\"" );
Not sure if that's the recommended way but it works well.
On 07/10/2015 04:48 PM, Juan Diego wrote:
> Hi
>
> I want to be able to update the user password and some preferences
> from my web app. In order to update some of the user info from my
> portal, I can see in the REST API that you need the user ID.
> I have a backend with Java that should connect to my Keycloak server
> once it gets the token:
>
> KeycloakSecurityContext securityContext = (KeycloakSecurityContext)
>         httpRequest.getAttribute(KeycloakSecurityContext.class.getName());
>
> AccessToken accessToken = securityContext.getToken();
>
> I don't know how to get info from the accessToken, or whether the access
> token class already has methods to do that. I know this is more of a
> question of design. This part is not really clear to me.
>
> Thanks
>
>
>
--
Scott Dunbar
Xigole Systems, Inc.
Enterprise consulting, development, and hosting
303-667-6343
From juandiego83 at gmail.com Fri Jul 10 19:01:07 2015
From: juandiego83 at gmail.com (Juan Diego)
Date: Fri, 10 Jul 2015 18:01:07 -0500
Subject: [keycloak-user] Getting the user id from the access token
In-Reply-To: <55A04D09.6060803@xigole.com>
References:
<55A04D09.6060803@xigole.com>
Message-ID:
Where do you get sessionContext from?
On Fri, Jul 10, 2015 at 5:54 PM, Scott Dunbar wrote:
> I use something like:
>
> import org.keycloak.KeycloakPrincipal;
> import org.keycloak.KeycloakSecurityContext;
> import org.keycloak.representations.IDToken;
>
> ...
>
> @Resource
> private SessionContext sessionContext;
>
> ...
>
> @SuppressWarnings("unchecked")
> KeycloakPrincipal kcPrincipal = (KeycloakPrincipal)(sessionContext.getCallerPrincipal());
> IDToken idToken = kcPrincipal.getKeycloakSecurityContext().getIdToken();
>
> log.debug( "email from token is \"" + idToken.getEmail() + "\"" );
>
>
> Not sure if that's the recommended way but it works well.
>
>
> On 07/10/2015 04:48 PM, Juan Diego wrote:
>
> Hi
>
> I want to be able to update the user password and some preferences from
> my web app. In order to update some of the user info from my portal, I can
> see in the REST API that you need the user ID.
> I have a backend with Java that should connect to my Keycloak server once
> it gets the token:
>
> KeycloakSecurityContext securityContext = (KeycloakSecurityContext)
>         httpRequest.getAttribute(KeycloakSecurityContext.class.getName());
>
> AccessToken accessToken = securityContext.getToken();
>
> I don't know how to get info from the accessToken, or whether the access token
> class already has methods to do that. I know this is more of a question of
> design. This part is not really clear to me.
>
> Thanks
>
>
>
>
>
> --
> Scott Dunbar
> Xigole Systems, Inc.
> Enterprise consulting, development, and hosting
> 303-667-6343
>
>
From juandiego83 at gmail.com Fri Jul 10 19:10:46 2015
From: juandiego83 at gmail.com (Juan Diego)
Date: Fri, 10 Jul 2015 18:10:46 -0500
Subject: [keycloak-user] Getting the user id from the access token
In-Reply-To:
References:
<55A04D09.6060803@xigole.com>
Message-ID:
Sorry, I just reviewed your code; I am kind of tired. I found what I was
looking for.
On Fri, Jul 10, 2015 at 6:01 PM, Juan Diego wrote:
> Where do you get sessionContext from?
>
> On Fri, Jul 10, 2015 at 5:54 PM, Scott Dunbar wrote:
>
>> I use something like:
>>
>> import org.keycloak.KeycloakPrincipal;
>> import org.keycloak.KeycloakSecurityContext;
>> import org.keycloak.representations.IDToken;
>>
>> ...
>>
>> @Resource
>> private SessionContext sessionContext;
>>
>> ...
>>
>> @SuppressWarnings("unchecked")
>> KeycloakPrincipal kcPrincipal = (KeycloakPrincipal)(sessionContext.getCallerPrincipal());
>> IDToken idToken = kcPrincipal.getKeycloakSecurityContext().getIdToken();
>>
>> log.debug( "email from token is \"" + idToken.getEmail() + "\"" );
>>
>>
>> Not sure if that's the recommended way but it works well.
>>
>>
>> On 07/10/2015 04:48 PM, Juan Diego wrote:
>>
>> Hi
>>
>> I want to be able to update the user password and some preferences from
>> my web app. In order to update some of the user info from my portal, I can
>> see in the REST API that you need the user ID.
>> I have a backend with Java that should connect to my Keycloak server
>> once it gets the token:
>>
>> KeycloakSecurityContext securityContext = (KeycloakSecurityContext)
>>         httpRequest.getAttribute(KeycloakSecurityContext.class.getName());
>>
>> AccessToken accessToken = securityContext.getToken();
>>
>> I don't know how to get info from the accessToken, or whether the access
>> token class already has methods to do that. I know this is more of a
>> question of design. This part is not really clear to me.
>>
>> Thanks
>>
>>
>>
>>
>>
>> --
>> Scott Dunbar
>> Xigole Systems, Inc.
>> Enterprise consulting, development, and hosting
>> 303-667-6343
>>
>>
>
>
From scott at xigole.com Fri Jul 10 19:24:11 2015
From: scott at xigole.com (Scott Dunbar)
Date: Fri, 10 Jul 2015 17:24:11 -0600
Subject: [keycloak-user] Getting the user id from the access token
In-Reply-To:
References: <55A04D09.6060803@xigole.com>
Message-ID: <55A0541B.50007@xigole.com>
It is injected into the bean - sorry, might not have been enough code
before. A small example:
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.IDToken;

@Path("/user")
@Stateless
public class UserService {
    private static final Log log = LogFactory.getLog(UserService.class);

    // injected by the EJB container; its caller principal is the one set by the Keycloak adapter
    @Resource
    private SessionContext sessionContext;

    @Path("/getCurrentUserInfo")
    @Produces({ MediaType.APPLICATION_JSON })
    @GET
    @RolesAllowed({"someRole"})
    public Response getCurrentUser() {
        @SuppressWarnings("unchecked")
        KeycloakPrincipal<KeycloakSecurityContext> kcPrincipal =
                (KeycloakPrincipal<KeycloakSecurityContext>) sessionContext.getCallerPrincipal();
        IDToken idToken = kcPrincipal.getKeycloakSecurityContext().getIdToken();

        log.debug("email from token is \"" + idToken.getEmail() + "\"");

        // your return is likely something more useful
        return Response.ok().build();
    }
}
Your use case might be different but this is how it is working for me.
Again, there may be a better way.
On 07/10/2015 05:01 PM, Juan Diego wrote:
> Where do you get sessionContext from?
>
> On Fri, Jul 10, 2015 at 5:54 PM, Scott Dunbar > wrote:
>
> I use something like:
>
> import org.keycloak.KeycloakPrincipal;
> import org.keycloak.KeycloakSecurityContext;
> import org.keycloak.representations.IDToken;
>
> ...
>
> @Resource
> private SessionContext sessionContext;
>
> ...
>
> @SuppressWarnings("unchecked")
> KeycloakPrincipal kcPrincipal = (KeycloakPrincipal)(sessionContext.getCallerPrincipal());
> IDToken idToken = kcPrincipal.getKeycloakSecurityContext().getIdToken();
>
> log.debug( "email from token is \"" + idToken.getEmail() + "\"" );
>
>
> Not sure if that's the recommended way but it works well.
>
>
> On 07/10/2015 04:48 PM, Juan Diego wrote:
>> Hi
>>
>> I want to be able to update the user password and some
>> preferences from my web app. In order to update some of the user
>> info from my portal, I can see in the REST API that you need the
>> user ID.
>> I have a backend with Java that should connect to my Keycloak
>> server once it gets the token:
>>
>> KeycloakSecurityContext securityContext = (KeycloakSecurityContext)
>>         httpRequest.getAttribute(KeycloakSecurityContext.class.getName());
>>
>> AccessToken accessToken = securityContext.getToken();
>>
>> I don't know how to get info from the accessToken, or whether the
>> access token class already has methods to do that. I know this
>> is more of a question of design. This part is not really clear
>> to me.
>>
>> Thanks
>>
>>
>>
>
> --
> Scott Dunbar
> Xigole Systems, Inc.
> Enterprise consulting, development, and hosting
> 303-667-6343
>
>
>
--
Scott Dunbar
Xigole Systems, Inc.
Enterprise consulting, development, and hosting
303-667-6343
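An added example, not Scott's code or the Keycloak project's, that answers the user-id question directly: the adapter has already verified the token before the request reaches the resource, so the `sub` claim of the `AccessToken` is the caller's stable user id, the same value the admin REST path `/admin/realms/{realm}/users/{id}` expects; the e-mail may be unverified (note `emailVerified: false` in the user JSON earlier in this digest) or changed later, so it is a poor key. It assumes a servlet-based JAX-RS deployment behind the Keycloak adapter, as in Juan's snippet; `CurrentUserResource` and `describe` are names chosen here.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

// Added example (not from the thread): resolves the caller's Keycloak user id
// from the verified access token the adapter stored on the request, rather
// than from a client-supplied id or from the e-mail address.
@Path("/me")
public class CurrentUserResource {

    @Context
    private HttpServletRequest request;

    @GET
    @Produces(MediaType.APPLICATION_JSON)
    public Response whoAmI() {
        KeycloakSecurityContext ctx = (KeycloakSecurityContext)
                request.getAttribute(KeycloakSecurityContext.class.getName());
        if (ctx == null) {
            // The adapter did not authenticate this request (e.g. the path is not
            // covered by a security constraint); never fall back to request parameters.
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        return Response.ok(describe(ctx.getToken())).build();
    }

    // "sub" is the Keycloak user id; the other claims are informational only.
    static Map<String, Object> describe(AccessToken token) {
        Map<String, Object> info = new LinkedHashMap<>();
        info.put("userId", token.getSubject());
        info.put("username", token.getPreferredUsername());
        info.put("email", token.getEmail());
        info.put("emailVerified", token.getEmailVerified());
        AccessToken.Access realm = token.getRealmAccess();
        info.put("realmRoles", realm == null ? Collections.emptySet() : realm.getRoles());
        return info;
    }
}
```

The `userId` value is what the backend should pass to the admin client (`keycloak.realm(realm).users().get(userId)`) when it updates that user's password or attributes on the user's behalf.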
From juandiego83 at gmail.com Fri Jul 10 19:27:19 2015
From: juandiego83 at gmail.com (Juan Diego)
Date: Fri, 10 Jul 2015 18:27:19 -0500
Subject: [keycloak-user] Getting the user id from the access token
In-Reply-To: <55A0541B.50007@xigole.com>
References:
<55A04D09.6060803@xigole.com>
<55A0541B.50007@xigole.com>
Message-ID:
Are you identifying your user mainly by the email?
On Fri, Jul 10, 2015 at 6:24 PM, Scott Dunbar wrote:
> It is injected into the bean - sorry, might not have been enough code
> before. A small example:
>
> import javax.annotation.Resource;
> import javax.annotation.security.RolesAllowed;
> import javax.ejb.SessionContext;
> import javax.ejb.Stateless;
> import javax.ws.rs.GET;
> import javax.ws.rs.Path;
> import javax.ws.rs.Produces;
> import javax.ws.rs.core.MediaType;
> import javax.ws.rs.core.Response;
>
> import org.apache.commons.logging.Log;
> import org.apache.commons.logging.LogFactory;
>
> import org.keycloak.KeycloakPrincipal;
> import org.keycloak.KeycloakSecurityContext;
> import org.keycloak.representations.IDToken;
>
> @Path("/user")
> @Stateless
> public class UserService {
> private static final Log log = LogFactory.getLog(UserService.class);
>
> @Resource
> private SessionContext sessionContext;
>
> @Path("/getCurrentUserInfo")
> @Produces({ MediaType.APPLICATION_JSON })
> @GET
> @RolesAllowed({"someRole"})
> public Response getCurrentUser() {
>
> @SuppressWarnings("unchecked")
> KeycloakPrincipal kcPrincipal = (KeycloakPrincipal)(sessionContext.getCallerPrincipal());
> IDToken idToken = kcPrincipal.getKeycloakSecurityContext().getIdToken();
>
> log.debug( "email from token is \"" + idToken.getEmail() + "\"" );
>
> // your return is likely something more useful
> return Response.ok().build();
> }
> }
>
>
> Your use case might be different but this is how it is working for me.
> Again, there may be a better way.
>
>
>
>
> On 07/10/2015 05:01 PM, Juan Diego wrote:
>
> Where do you get sessionContext from?
>
> On Fri, Jul 10, 2015 at 5:54 PM, Scott Dunbar wrote:
>
>> I use something like:
>>
>> import org.keycloak.KeycloakPrincipal;
>> import org.keycloak.KeycloakSecurityContext;
>> import org.keycloak.representations.IDToken;
>>
>> ...
>>
>> @Resource
>> private SessionContext sessionContext;
>>
>> ...
>>
>> @SuppressWarnings("unchecked")
>> KeycloakPrincipal kcPrincipal = (KeycloakPrincipal)(sessionContext.getCallerPrincipal());
>> IDToken idToken = kcPrincipal.getKeycloakSecurityContext().getIdToken();
>>
>> log.debug( "email from token is \"" + idToken.getEmail() + "\"" );
>>
>>
>> Not sure if that's the recommended way but it works well.
>>
>>
>> On 07/10/2015 04:48 PM, Juan Diego wrote:
>>
>> Hi
>>
>> I want to be able to update the user password and some preferences from
>> my web app. In order to update some of the user info from my portal, I can
>> see in the REST API that you need the user ID.
>> I have a backend with Java that should connect to my Keycloak server
>> once it gets the token:
>>
>> KeycloakSecurityContext securityContext = (KeycloakSecurityContext)
>>         httpRequest.getAttribute(KeycloakSecurityContext.class.getName());
>>
>> AccessToken accessToken = securityContext.getToken();
>>
>> I don't know how to get info from the accessToken, or whether the access
>> token class already has methods to do that. I know this is more of a
>> question of design. This part is not really clear to me.
>>
>> Thanks
>>
>>
>>
>>
>>
>> --
>> Scott Dunbar
>> Xigole Systems, Inc.
>> Enterprise consulting, development, and hosting
>> 303-667-6343
>>
>>
>
>
> --
> Scott Dunbar
> Xigole Systems, Inc.
> Enterprise consulting, development, and hosting
> 303-667-6343
>
From peterson.dean at gmail.com Sat Jul 11 00:11:50 2015
From: peterson.dean at gmail.com (Dean Peterson)
Date: Fri, 10 Jul 2015 23:11:50 -0500
Subject: [keycloak-user] 1.2.0.Beta1 to 1.2.0.RC1 root of migration problem
Message-ID:
I went back and tried to upgrade just from 1.2.0.Beta1 to 1.2.0.RC1. I
exported my realm into a json file and tried to import it into a fresh
install of 1.2.0.RC1. I just receive a message that says: "Error! The
Realm cannot be uploaded". There is nothing in the logs. I check to see
if anything is imported. I see only a few bearer token only applications
are present. No client side confidential applications have been imported.
Also, none of the users have been imported. If I give someone my entire
json file (minus most of the user info), can someone please tell me what
might be wrong?
From mposolda at redhat.com Sat Jul 11 04:36:46 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Sat, 11 Jul 2015 10:36:46 +0200
Subject: [keycloak-user] Still getting index error when upgrading to
1.3.1.Final
In-Reply-To:
References:
Message-ID: <55A0D59E.7050001@redhat.com>
I've already created JIRA https://issues.jboss.org/browse/KEYCLOAK-1548
with the reference to the ML thread you created earlier. Will look into
it to have the fix for Keycloak 1.4 release.
Marek
On 10.7.2015 07:30, Dean Peterson wrote:
> I did a fresh install with mongodb 3.0 and everything worked fine
> running 1.3.1.Final. However, I need to upgrade from 1.2.0.Beta1 so I
> tried the same configuration with everything except this time
> migrating the old database data. I get the following error:
>
>     at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
>     at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:148)
>     ... 19 more
> Caused by: java.lang.RuntimeException: Failed to update database
>     at org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:90)
>     at org.keycloak.connections.mongo.DefaultMongoConnectionFactoryProvider.lazyInit(DefaultMongoConnectionFactoryProvider.java:99)
>     ... 36 more
> Caused by: com.mongodb.CommandFailureException: { "serverUsed" : "kcdb/172.17.0.69:27017" , "nIndexesWas" : 1 , "ok" : 0.0 , "errmsg" : "index not found with name [realmId_1_name_1]"}
>     at com.mongodb.CommandResult.getException(CommandResult.java:71)
>     at com.mongodb.CommandResult.throwOnError(CommandResult.java:110)
>     at com.mongodb.DBCollection.dropIndexes(DBCollection.java:847)
>     at com.mongodb.DBCollection.dropIndex(DBCollection.java:1349)
>     at org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.convertApplicationsToClients(Update1_2_0_CR1.java:33)
>     at org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.update(Update1_2_0_CR1.java:23)
>     at org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:79)
>     ... 37 more
>
> 01:17:00,691 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.
>
>
> I mentioned this before and Stian was going to look into it; at the
> time he thought it might be due to using mongodb 3.0. However,
> mongodb 3.0 works fine with a fresh install.
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
From mposolda at redhat.com Sat Jul 11 04:43:15 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Sat, 11 Jul 2015 10:43:15 +0200
Subject: [keycloak-user] 1.2.0.Beta1 to 1.2.0.RC1 root of migration
problem
In-Reply-To:
References:
Message-ID: <55A0D723.7030308@redhat.com>
Yeah, please send the JSON to me and I will take a look. The migration
of JSON files is supposed to work too (JSON files should be backwards
compatible), so it might be a bug if something doesn't work.
Marek
On 11.7.2015 06:11, Dean Peterson wrote:
> I went back and tried to upgrade just from 1.2.0.Beta1 to 1.2.0.RC1.
> I exported my realm into a json file and tried to import it into a
> fresh install of 1.2.0.RC1. I just receive a message that says:
> "Error! The Realm cannot be uploaded". There is nothing in the logs.
> I check to see if anything is imported. I see only a few bearer token
> only applications are present. No client side confidential
> applications have been imported. Also, none of the users have been
> imported. If I give someone my entire json file (minus most of the
> user info), can someone please tell me what might be wrong?
>
>
From mposolda at redhat.com Sat Jul 11 04:54:36 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Sat, 11 Jul 2015 10:54:36 +0200
Subject: [keycloak-user] Getting the user id from the access token
In-Reply-To:
References: <55A04D09.6060803@xigole.com> <55A0541B.50007@xigole.com>
Message-ID: <55A0D9CC.9040808@redhat.com>
I suggest to look into our demo, which handles this well and shows
various info about user:
https://github.com/keycloak/keycloak/tree/master/examples/demo-template
By default, the User ID can be obtained directly from the principal
(unless you configure "principal-attribute" in your keycloak.json):
String userId = kcPrincipal.getName();
From the access token it can be obtained as well:
String userId = accessToken.getSubject();
See the example for how to retrieve more user data (it's pretty
straightforward from the getter methods, like the getter for email as Scott
pointed out).
Marek
On 11.7.2015 01:27, Juan Diego wrote:
> Are you identifying you user mainly by the email?
>
> On Fri, Jul 10, 2015 at 6:24 PM, Scott Dunbar wrote:
>
> It is injected into the bean - sorry, might not have been enough
> code before. A small example:
>
> import javax.annotation.Resource;
> import javax.annotation.security.RolesAllowed;
> import javax.ejb.SessionContext;
> import javax.ejb.Stateless;
> import javax.ws.rs.GET;
> import javax.ws.rs.Path;
> import javax.ws.rs.Produces;
> import javax.ws.rs.core.MediaType;
> import javax.ws.rs.core.Response;
>
> import org.apache.commons.logging.Log;
> import org.apache.commons.logging.LogFactory;
>
> import org.keycloak.KeycloakPrincipal;
> import org.keycloak.KeycloakSecurityContext;
> import org.keycloak.representations.IDToken;
>
> @Path("/user")
> @Stateless
> public class UserService {
> private static final Log log = LogFactory.getLog(UserService.class);
>
> @Resource
> private SessionContext sessionContext;
>
> @Path("/getCurrentUserInfo")
> @Produces({ MediaType.APPLICATION_JSON })
> @GET
> @RolesAllowed({"someRole"})
> public Response getCurrentUser() {
>
> KeycloakPrincipal<?> kcPrincipal = (KeycloakPrincipal<?>) sessionContext.getCallerPrincipal();
> IDToken idToken = kcPrincipal.getKeycloakSecurityContext().getIdToken();
> // a bearer-only request carries no ID token; the access token has the same claims
> if (idToken == null) {
> idToken = kcPrincipal.getKeycloakSecurityContext().getToken();
> }
>
> log.debug( "email from token is \"" + idToken.getEmail() + "\"" );
>
> // your return is likely something more useful
> return Response.ok().build();
> }
> }
>
>
> Your use case might be different but this is how it is working for
> me. Again, there may be a better way.
>
>
>
>
> On 07/10/2015 05:01 PM, Juan Diego wrote:
>> Where do you get sessionContext from?
>>
>> On Fri, Jul 10, 2015 at 5:54 PM, Scott Dunbar wrote:
>>
>> I use something like:
>>
>> import org.keycloak.KeycloakPrincipal;
>> import org.keycloak.KeycloakSecurityContext;
>> import org.keycloak.representations.IDToken;
>>
>> ...
>>
>> @Resource
>> private SessionContext sessionContext;
>>
>> ...
>>
>> @SuppressWarnings("unchecked")
>> KeycloakPrincipal kcPrincipal = (KeycloakPrincipal)(sessionContext.getCallerPrincipal());
>> IDToken idToken = kcPrincipal.getKeycloakSecurityContext().getIdToken();
>>
>> log.debug( "email from token is \"" + idToken.getEmail() + "\"" );
>>
>>
>> Not sure if that's the recommended way but it works well.
>>
>>
>> On 07/10/2015 04:48 PM, Juan Diego wrote:
>>> Hi
>>>
>>> I want to be able to update the user password and some
>>> preferences from my web app, in order to update some of the
>>> user info from my portal i can see in the rest api that you
>>> need the user ID.
>>> I have a backend with java that should connect to my
>>> keycloak server once it gets the token
>>>
>>> KeycloakSecurityContext securityContext =
>>> (KeycloakSecurityContext) httpRequest
>>> .getAttribute(KeycloakSecurityContext.class.getName());
>>>
>>> AccessToken accessToken = securityContext.getToken();
>>>
>>> I dont know how to get info from the accesToken, or does the
>>> access token class already has methods to do that. I know
>>> this is more of a question of design. This part is not
>>> really clear for me.
>>>
>>> Thanks
>>>
>>>
>>>
>>
>> --
>> Scott Dunbar
>> Xigole Systems, Inc.
>> Enterprise consulting, development, and hosting
>> 303-667-6343
>>
>>
>>
>
> --
> Scott Dunbar
> Xigole Systems, Inc.
> Enterprise consulting, development, and hosting
> 303-667-6343
>
>
>
>
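An added example (mine, not code from this thread or from the Keycloak demo) pulling the three things the thread asks for out of the adapter objects, with the caveats above made explicit: the user id is the token's "sub" claim, the principal name only equals it while principal-attribute is left at its default, and the ID token is absent on bearer-only requests, so the e-mail lookup falls back to the access token. It assumes the Keycloak 1.3.x adapter and client classes are on the classpath of a servlet application; the class and method names are mine.

```java
import java.security.Principal;
import javax.servlet.http.HttpServletRequest;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.IDToken;

/** Hypothetical helper for code running behind the Keycloak servlet adapter. */
public final class CurrentUser {

    private CurrentUser() {}

    /**
     * The stable user id to use with the admin REST API: the "sub" claim of the
     * access token. E-mail and username are attributes a user or an admin can
     * change, so never key anything on them.
     */
    public static String userId(HttpServletRequest request) {
        AccessToken token = securityContext(request).getToken();
        if (token == null) {
            throw new IllegalStateException("request was not authenticated by Keycloak");
        }
        return token.getSubject();
    }

    /**
     * Principal.getName() is the same value only while keycloak.json leaves
     * "principal-attribute" unset; with e.g. "preferred_username" it is the
     * username instead, so prefer userId() when you need the id.
     */
    public static String principalName(HttpServletRequest request) {
        Principal p = request.getUserPrincipal();
        if (!(p instanceof KeycloakPrincipal)) {
            throw new IllegalStateException("caller was not authenticated by the Keycloak adapter");
        }
        return p.getName();
    }

    /**
     * Profile claims live in the ID token, which a bearer-only request does not
     * carry, so fall back to the access token (AccessToken extends IDToken).
     */
    public static String email(HttpServletRequest request) {
        KeycloakSecurityContext ctx = securityContext(request);
        IDToken claims = ctx.getIdToken();
        if (claims == null) {
            claims = ctx.getToken();
        }
        return claims == null ? null : claims.getEmail();
    }

    /** Works from a servlet (request attribute) and from an EJB/JAX-RS bean (principal). */
    static KeycloakSecurityContext securityContext(HttpServletRequest request) {
        Object attr = request.getAttribute(KeycloakSecurityContext.class.getName());
        if (attr instanceof KeycloakSecurityContext) {
            return (KeycloakSecurityContext) attr;
        }
        Principal p = request.getUserPrincipal();
        if (p instanceof KeycloakPrincipal) {
            return ((KeycloakPrincipal<?>) p).getKeycloakSecurityContext();
        }
        throw new IllegalStateException("no Keycloak security context on this request");
    }
}
```

Inside the EJB from Scott's snippet the same thing works with sessionContext.getCallerPrincipal() in place of request.getUserPrincipal(); the typed KeycloakPrincipal<?> cast avoids the unchecked warning the raw type produces.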
From peterson.dean at gmail.com Sat Jul 11 07:25:00 2015
From: peterson.dean at gmail.com (Dean Peterson)
Date: Sat, 11 Jul 2015 07:25:00 -0400
Subject: [keycloak-user] Still getting index error when upgrading to
1.3.1.Final
In-Reply-To: <55A0D59E.7050001@redhat.com>
References:
<55A0D59E.7050001@redhat.com>
Message-ID:
Thank you very much! I sent my JSON file to you in another e-mail too.
On Sat, Jul 11, 2015 at 4:36 AM, Marek Posolda wrote:
> I've already created JIRA https://issues.jboss.org/browse/KEYCLOAK-1548
> with the reference to the ML thread you created earlier. Will look into it
> to have the fix for Keycloak 1.4 release.
>
> Marek
>
>
> On 10.7.2015 07:30, Dean Peterson wrote:
>
> I did a fresh install with mongodb 3.0 and everything worked fine running
> 1.3.1.Final. However, I need to upgrade from 1.2.0.Beta1 so I tried the
> same configuration with everything except this time migrating the old
> database data. I get the following error:
>
> at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
> at
> org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:148)
> ... 19 more
> Caused by: java.lang.RuntimeException: Failed to update database
> at
> org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:90)
> at
> org.keycloak.connections.mongo.DefaultMongoConnectionFactoryProvider.lazyInit(DefaultMongoConnectionFactoryProvider.java:99)
> ... 36 more
> Caused by: com.mongodb.CommandFailureException: { "serverUsed" : "kcdb/
> 172.17.0.69:27017" , "nIndexesWas" : 1 , "ok" : 0.0 , "errmsg" : "index
> not found with name [realmId_1_name_1]"}
> at com.mongodb.CommandResult.getException(CommandResult.java:71)
> at com.mongodb.CommandResult.throwOnError(CommandResult.java:110)
> at com.mongodb.DBCollection.dropIndexes(DBCollection.java:847)
> at com.mongodb.DBCollection.dropIndex(DBCollection.java:1349)
> at
> org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.convertApplicationsToClients(Update1_2_0_CR1.java:33)
> at
> org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.update(Update1_2_0_CR1.java:23)
> at
> org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:79)
> ... 37 more
>
> 01:17:00,691 ERROR [org.jboss.as.controller.management-operation]
> (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address:
> ([("deployment" => "keycloak-server.
>
>
> I mentioned this before and Stian was going to look into it; at the time
> he thought it might be due to using mongodb 3.0. However, mongodb 3.0
> works fine with a fresh install.
>
>
From stephen.more at gmail.com Sat Jul 11 07:33:12 2015
From: stephen.more at gmail.com (Stephen More)
Date: Sat, 11 Jul 2015 07:33:12 -0400
Subject: [keycloak-user] Multi tenant plus administration Rest api
In-Reply-To: <559CF96A.2020004@redhat.com>
References:
<559BDD56.90308@redhat.com>
<559CF96A.2020004@redhat.com>
Message-ID:
I added:
"realm-management": [ "realm-admin" ],
to:
"clientRoles": {
Now I am getting:
07:25:37,948 WARN [org.jboss.resteasy.core.ExceptionHandler] (default
task-92) Failed executing GET /admin/realms/tenant1/roles:
org.jboss.resteasy.spi.UnauthorizedException: Bearer
at
org.keycloak.services.resources.admin.AdminRoot.authenticateRealmAdminRequest(AdminRoot.java:152)
at
org.keycloak.services.resources.admin.AdminRoot.getRealmsAdmin(AdminRoot.java:183)
at sun.reflect.GeneratedMethodAccessor339.invoke(Unknown Source)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
On Wed, Jul 8, 2015 at 6:20 AM, Marek Posolda wrote:
> It looks like authorization issue. Your user either doesn't have
> required roles or your client is missing scopes (which means that roles are
> not propagated to accessToken).
>
> To just view roles, you need role "view-realm" of client
> "realm-management" .
>
> Marek
>
>
> On 7.7.2015 18:46, Stephen More wrote:
>
> I have tried to add:
> org.keycloak.representations.IDToken idToken =
> principal.getKeycloakSecurityContext().getIdToken();
> org.keycloak.representations.AccessToken token =
> principal.getKeycloakSecurityContext().getToken();
>
> writer.write("<br>Access Token id: " + token.getId());
> writer.write("<br>Access Token String: " +
> principal.getKeycloakSecurityContext().getTokenString());
> writer.write("<br>ID Token id: " + idToken.getId());
> writer.write("<br>ID Token String: " +
> principal.getKeycloakSecurityContext().getIdTokenString());
>
> writer.write(String.format("<a href=\"/multitenant/%s/logout\">Logout</a>", realm));
>
> try
> {
> java.net.URL url = new java.net.URL(
> "http://localhost:8080/auth/admin/realms/" +
> principal.getKeycloakSecurityContext().getRealm() + "/roles" );
> java.net.HttpURLConnection conn =
> (java.net.HttpURLConnection)url.openConnection();
> conn.setRequestMethod( "GET" );
> conn.setRequestProperty("Authorization", "Bearer " +
> principal.getKeycloakSecurityContext().getTokenString());
> java.io.BufferedReader in = new java.io.BufferedReader(
> new java.io.InputStreamReader( conn.getInputStream()));
> String line;
> while ((line = in.readLine()) != null)
> {
> writer.write( line );
> }
> in.close();
> }
> catch( Exception e )
> {
> e.printStackTrace();
> }
>
> to
> keycloak-demo-1.3.1.Final/examples/multi-tenant/src/main/java/org/keycloak/example/multitenant/boundary/ProtectedServlet.java
>
> But I am getting an error:
> 12:28:28,317 WARN [org.jboss.resteasy.core.ExceptionHandler] (default
> task-16) Failed executing GET /admin/realms/tenant1/roles:
> org.keycloak.services.ForbiddenException
>
>
> In stepping through the AdminClient of the admin-access-app I have found
> an example bearer token was 1157 characters long.
>
> principal.getKeycloakSecurityContext().getIdTokenString() turned out to be
> 645 characters long.
>
> principal.getKeycloakSecurityContext().getTokenString() turned out to be
> 865 characters long.
>
>
> What is it that I am missing ?
>
> On Tue, Jul 7, 2015 at 10:08 AM, Bill Burke wrote:
>
>> The access token should already be available.
>>
>> On 7/7/2015 10:01 AM, Stephen More wrote:
>> > Or perhaps a better question would be: Once a user is already logged
>> > into keycloak, how can I get an
>> > org.keycloak.representations.AccessTokenResponse without providing a
>> > password a second time?
>> >
>> > On Sun, Jul 5, 2015 at 12:00 PM, Stephen More wrote:
>> >
>> > How could I extend the multi-tenant example (
>> > https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant
>> > ) to make a Rest admin api call back to keycloak using java ?
>> >
>> > I think this would be a helpful example in upcoming releases.
>> >
>> > Thanks
>> >
>> >
>> >
>> >
>> >
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
>
>
>
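As an added example, not from the thread or from the multi-tenant demo: the same admin call Stephen makes from ProtectedServlet, but checking first that the access token actually carries the realm-management role Marek names, using the realm that issued the token in the URL, and telling 401 apart from 403 instead of printing a stack trace. The base URL http://localhost:8080/auth comes from the thread; the class, the exception type and the caller are mine, and the text attached to each status code is the general meaning of that code, not a diagnosis of Stephen's case. It assumes the Keycloak 1.3.x client classes on the classpath.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

/** Hypothetical helper: list a realm's roles via the admin REST API with the caller's own token. */
public final class RealmRolesClient {

    private static final String REALM_MGMT_CLIENT = "realm-management";
    private static final String VIEW_REALM_ROLE = "view-realm";

    /** Carries the HTTP status so callers can react to 401 and 403 differently. */
    public static final class AdminCallException extends IOException {
        public final int status;
        AdminCallException(int status, String message) {
            super(message);
            this.status = status;
        }
    }

    /**
     * Inspect the claims before going to the network: viewing roles needs the
     * realm-management client role "view-realm". If it is not in the token the
     * server answers 403 anyway, and the fix is on the Keycloak side (grant the
     * role to the user and make sure the client's scope lets it into the token).
     */
    static void requireViewRealm(AccessToken token) {
        AccessToken.Access access = token.getResourceAccess(REALM_MGMT_CLIENT);
        if (access == null || !access.isUserInRole(VIEW_REALM_ROLE)) {
            throw new IllegalStateException("access token does not carry "
                    + REALM_MGMT_CLIENT + "/" + VIEW_REALM_ROLE);
        }
    }

    /**
     * @param authBase e.g. "http://localhost:8080/auth"
     * @param ctx      the KeycloakSecurityContext of the logged-in request
     * @return the JSON body of GET /admin/realms/{realm}/roles
     */
    public static String listRealmRoles(String authBase, KeycloakSecurityContext ctx) throws IOException {
        AccessToken token = ctx.getToken();
        if (token == null) {
            throw new IllegalStateException("request has no Keycloak access token");
        }
        requireViewRealm(token);

        // Use the realm that issued the token: a token from a non-master realm
        // can only administer that realm, so a mismatched URL is refused.
        URL url = new URL(authBase + "/admin/realms/" + ctx.getRealm() + "/roles");
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("GET");
        conn.setRequestProperty("Accept", "application/json");
        // The access token goes in the header; the ID token is not accepted here.
        conn.setRequestProperty("Authorization", "Bearer " + ctx.getTokenString());

        int status = conn.getResponseCode();
        switch (status) {
            case 200:
                return readAll(conn.getInputStream());
            case 401:
                throw new AdminCallException(status,
                        "token not accepted: expired, malformed, or not an access token for this realm");
            case 403:
                throw new AdminCallException(status,
                        "token accepted but it lacks the required realm-management role");
            default:
                throw new AdminCallException(status, "unexpected HTTP status " + status);
        }
    }

    private static String readAll(InputStream in) throws IOException {
        StringBuilder sb = new StringBuilder();
        try (BufferedReader reader = new BufferedReader(new InputStreamReader(in, StandardCharsets.UTF_8))) {
            String line;
            while ((line = reader.readLine()) != null) {
                sb.append(line).append('\n');
            }
        }
        return sb.toString();
    }
}
```

Called from the servlet as RealmRolesClient.listRealmRoles("http://localhost:8080/auth", principal.getKeycloakSecurityContext()), it refuses locally when the token visibly lacks the role, and otherwise reports the server's verdict with its status code, which is the first thing to look at when the result flips between ForbiddenException and UnauthorizedException after a role change.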
From mposolda at redhat.com Sat Jul 11 13:23:13 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Sat, 11 Jul 2015 19:23:13 +0200
Subject: [keycloak-user] Still getting index error when upgrading to
1.3.1.Final
In-Reply-To:
References: <55A0D59E.7050001@redhat.com>
Message-ID: <55A15101.7000506@redhat.com>
np, I've fixed the JSON import issue in latest master
https://issues.jboss.org/browse/KEYCLOAK-1558 and also another related
issue https://issues.jboss.org/browse/KEYCLOAK-1175 .
You should still be able to import the JSON in Keycloak 1.3.1.Final if
you do not import the JSON through the admin console but through the import
mechanism. You need to:
- Start keycloak against a clean database (to ensure the master realm is created)
- Stop keycloak
- Start keycloak again with system properties like:
-Dkeycloak.migration.action=import
-Dkeycloak.migration.provider=singleFile
-Dkeycloak.migration.file=/tmp/abecorn-realm.json
In the latest version you will be able to import directly into a clean DB
because of the https://issues.jboss.org/browse/KEYCLOAK-1175 fix. But in
1.3.1 it won't work yet, so you need to start+stop first to ensure the
master realm is initialized.
Cheers,
Marek
On 11.7.2015 13:25, Dean Peterson wrote:
> Thank you very much! I sent my JSON file to you in another e-mail too.
>
> On Sat, Jul 11, 2015 at 4:36 AM, Marek Posolda wrote:
>
> I've already created JIRA
> https://issues.jboss.org/browse/KEYCLOAK-1548 with the reference
> to the ML thread you created earlier. Will look into it to have
> the fix for Keycloak 1.4 release.
>
> Marek
>
>
> On 10.7.2015 07:30, Dean Peterson wrote:
>> I did a fresh install with mongodb 3.0 and everything worked fine
>> running 1.3.1.Final. However, I need to upgrade from 1.2.0.Beta1
>> so I tried the same configuration with everything except this
>> time migrating the old database data. I get the following error:
>>
>> at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
>> at
>> org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:148)
>> ... 19 more
>> Caused by: java.lang.RuntimeException: Failed to update database
>> at
>> org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:90)
>> at
>> org.keycloak.connections.mongo.DefaultMongoConnectionFactoryProvider.lazyInit(DefaultMongoConnectionFactoryProvider.java:99)
>> ... 36 more
>> Caused by: com.mongodb.CommandFailureException: { "serverUsed" :
>> "kcdb/172.17.0.69:27017 " ,
>> "nIndexesWas" : 1 , "ok" : 0.0 , "errmsg" : "index not found with
>> name [realmId_1_name_1]"}
>> at com.mongodb.CommandResult.getException(CommandResult.java:71)
>> at com.mongodb.CommandResult.throwOnError(CommandResult.java:110)
>> at com.mongodb.DBCollection.dropIndexes(DBCollection.java:847)
>> at com.mongodb.DBCollection.dropIndex(DBCollection.java:1349)
>> at
>> org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.convertApplicationsToClients(Update1_2_0_CR1.java:33)
>> at
>> org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.update(Update1_2_0_CR1.java:23)
>> at
>> org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:79)
>> ... 37 more
>>
>> 01:17:00,691 ERROR [org.jboss.as.controller.management-operation]
>> (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed -
>> address: ([("deployment" => "keycloak-server.
>>
>>
>> I mentioned this before and Stian was going to look into it; at
>> the time he thought it might be due to using mongodb 3.0.
>> However, mongodb 3.0 works fine with a fresh install.
>>
>>
>
>
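An added example, written for this thread rather than taken from it or from the Keycloak sources, that covers both problems discussed above: the admin-console upload that reported "The Realm cannot be uploaded" and left only a few bearer-only clients, and the singleFile migration import Marek describes. Before running the import, and before mailing the file to anyone, it reads the export with Keycloak's own representation classes (keycloak-core 1.3.x and its Jackson dependencies on the classpath), prints an inventory of clients by type and of users with and without credentials that you can check against the admin console afterwards, and writes a second copy with the realm signing key, client secrets and password hashes blanked, since an export contains all three. The redacted copy is for sharing only, not for importing. It assumes the file holds a single realm object, as the admin console's Export Realm produces; the class and method names are mine.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.util.JsonSerialization;

/** Hypothetical tool: inventory and redact a realm export before importing or sharing it. */
public final class RealmExportCheck {

    static String clientKind(ClientRepresentation c) {
        if (Boolean.TRUE.equals(c.isBearerOnly())) return "bearer-only";
        if (Boolean.TRUE.equals(c.isPublicClient())) return "public";
        return "confidential";
    }

    private static void add(Map<String, List<String>> map, String key, String value) {
        List<String> values = map.get(key);
        if (values == null) {
            values = new ArrayList<String>();
            map.put(key, values);
        }
        values.add(value);
    }

    /** What the file contains, grouped as the admin console shows it, for an after-import comparison. */
    static Map<String, List<String>> inventory(RealmRepresentation realm) {
        Map<String, List<String>> out = new TreeMap<String, List<String>>();
        if (realm.getClients() != null) {
            for (ClientRepresentation c : realm.getClients()) {
                add(out, "clients/" + clientKind(c), c.getClientId());
            }
        }
        if (realm.getUsers() != null) {
            for (UserRepresentation u : realm.getUsers()) {
                boolean hasCredentials = u.getCredentials() != null && !u.getCredentials().isEmpty();
                add(out, hasCredentials ? "users/with-credentials" : "users/without-credentials", u.getUsername());
            }
        }
        return out;
    }

    /** Remove whatever lets the holder impersonate the realm, a confidential client or a user. */
    static void redact(RealmRepresentation realm) {
        if (realm.getPrivateKey() != null) realm.setPrivateKey("<redacted>");
        if (realm.getCertificate() != null) realm.setCertificate("<redacted>");
        if (realm.getClients() != null) {
            for (ClientRepresentation c : realm.getClients()) {
                if (c.getSecret() != null) c.setSecret("<redacted>");
            }
        }
        if (realm.getUsers() != null) {
            for (UserRepresentation u : realm.getUsers()) {
                if (u.getCredentials() == null) continue;
                List<CredentialRepresentation> kept = new ArrayList<CredentialRepresentation>();
                for (CredentialRepresentation old : u.getCredentials()) {
                    CredentialRepresentation cr = new CredentialRepresentation();
                    cr.setType(old.getType()); // keep the type, drop hash, salt and value
                    kept.add(cr);
                }
                u.setCredentials(kept);
            }
        }
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: RealmExportCheck <realm-export.json>");
            System.exit(2);
        }
        RealmRepresentation realm;
        try (InputStream in = new FileInputStream(args[0])) {
            realm = JsonSerialization.readValue(in, RealmRepresentation.class);
        }
        if (realm.getRealm() == null) {
            throw new IOException(args[0] + " is not a single realm export (no \"realm\" field)");
        }
        System.out.println("realm: " + realm.getRealm());
        for (Map.Entry<String, List<String>> e : inventory(realm).entrySet()) {
            System.out.println("  " + e.getKey() + " (" + e.getValue().size() + "): " + e.getValue());
        }
        redact(realm);
        String redactedPath = args[0] + ".redacted.json";
        try (OutputStream out = new FileOutputStream(redactedPath)) {
            out.write(JsonSerialization.writeValueAsPrettyString(realm).getBytes(StandardCharsets.UTF_8));
        }
        System.out.println("redacted copy written to " + redactedPath + "; share that one, never the original");
    }
}
```

Run it against the export first, then start the server with the three -Dkeycloak.migration.* properties pointing at the original file, and compare the printed counts with the Clients and Users pages once it is up; a confidential client or a user missing from the second list is the symptom Dean saw after the console upload.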
From peterson.dean at gmail.com Sun Jul 12 00:28:01 2015
From: peterson.dean at gmail.com (Dean Peterson)
Date: Sat, 11 Jul 2015 23:28:01 -0500
Subject: [keycloak-user] Still getting index error when upgrading to
1.3.1.Final
In-Reply-To: <55A15101.7000506@redhat.com>
References:
<55A0D59E.7050001@redhat.com>
<55A15101.7000506@redhat.com>
Message-ID:
Thank you very much for the help!
On Sat, Jul 11, 2015 at 12:23 PM, Marek Posolda wrote:
> np, I've fixed the JSON import issue in latest master
> https://issues.jboss.org/browse/KEYCLOAK-1558 and also another related
> issue https://issues.jboss.org/browse/KEYCLOAK-1175 .
>
> You should still be able to import the JSON in Keycloak 1.3.1.Final if you
> do not import the JSON through admin console but through the import
> mechanism. You need to:
> - Start keycloak against clean database (to ensure master realm is created)
> - Stop keycloak
> - Start keycloak again with the system properties like:
> -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile
> -Dkeycloak.migration.file=/tmp/abecorn-realm.json
>
> In latest version you will be able to import directly into clean DB
> because of https://issues.jboss.org/browse/KEYCLOAK-1175 fix. But in
> 1.3.1 it won't yet work, so you need to start+stop first to ensure master
> realm is initialized
>
> Cheers,
> Marek
>
>
> On 11.7.2015 13:25, Dean Peterson wrote:
>
> Thank you very much! I sent my JSON file to you in another e-mail too.
>
> On Sat, Jul 11, 2015 at 4:36 AM, Marek Posolda
> wrote:
>
>> I've already created JIRA https://issues.jboss.org/browse/KEYCLOAK-1548
>> with the reference to the ML thread you created earlier. Will look into it
>> to have the fix for Keycloak 1.4 release.
>>
>> Marek
>>
>>
>> On 10.7.2015 07:30, Dean Peterson wrote:
>>
>> I did a fresh install with mongodb 3.0 and everything worked fine
>> running 1.3.1.Final. However, I need to upgrade from 1.2.0.Beta1 so I
>> tried the same configuration with everything except this time migrating the
>> old database data. I get the following error:
>>
>> at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
>> at
>> org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:148)
>> ... 19 more
>> Caused by: java.lang.RuntimeException: Failed to update database
>> at
>> org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:90)
>> at
>> org.keycloak.connections.mongo.DefaultMongoConnectionFactoryProvider.lazyInit(DefaultMongoConnectionFactoryProvider.java:99)
>> ... 36 more
>> Caused by: com.mongodb.CommandFailureException: { "serverUsed" : "kcdb/
>> 172.17.0.69:27017" , "nIndexesWas" : 1 , "ok" : 0.0 , "errmsg" : "index
>> not found with name [realmId_1_name_1]"}
>> at com.mongodb.CommandResult.getException(CommandResult.java:71)
>> at com.mongodb.CommandResult.throwOnError(CommandResult.java:110)
>> at com.mongodb.DBCollection.dropIndexes(DBCollection.java:847)
>> at com.mongodb.DBCollection.dropIndex(DBCollection.java:1349)
>> at
>> org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.convertApplicationsToClients(Update1_2_0_CR1.java:33)
>> at
>> org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.update(Update1_2_0_CR1.java:23)
>> at
>> org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:79)
>> ... 37 more
>>
>> 01:17:00,691 ERROR [org.jboss.as.controller.management-operation]
>> (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address:
>> ([("deployment" => "keycloak-server.
>>
>>
>> I mentioned this before and Stian was going to look into it; at the
>> time he thought it might be due to using mongodb 3.0. However, mongodb 3.0
>> works fine with a fresh install.
>>
>>
From stephen.more at gmail.com Sun Jul 12 09:32:33 2015
From: stephen.more at gmail.com (Stephen More)
Date: Sun, 12 Jul 2015 09:32:33 -0400
Subject: [keycloak-user] Multi tenant plus administration Rest api
In-Reply-To:
References:
<559BDD56.90308@redhat.com>
<559CF96A.2020004@redhat.com>
Message-ID: