From kalc04 at gmail.com Wed Jul 1 01:58:00 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Wed, 1 Jul 2015 11:28:00 +0530
Subject: [keycloak-user] Importing an Application (Client) into an Existing Realm
In-Reply-To: <559282DC.4010503@redhat.com>
References: <559282DC.4010503@redhat.com>
Message-ID:

Thanks Marek for the suggestion on the client utility, will evaluate our options.

However, you haven't answered my question on the 'Import Client' option. Is that something we could make use of here? I couldn't find any related documentation, hence the confusion as of now. Appreciate if you could give some insight.

Regards,
Lohitha.

On Tue, Jun 30, 2015 at 5:21 PM, Marek Posolda wrote:

> On 30.6.2015 08:37, Lohitha Chiranjeewa wrote:
>
> Hi,
>
> We get the need to create applications (clients) from time to time in our
> already existing realm. Since these clients have to be created in all the
> environments (dev, QA, staging, production) we'd like it to be (partly)
> automated rather than creating them through the Admin console in each
> environment.
>
> In that case, I would create some admin client utility, which will invoke
> REST endpoints to create the new client in each realm (environment) you
> want.
>
> We've seen an 'Import Client' option in the Clients section in the Admin
> console, but are not sure how to create the initial client so that it can be
> imported. The only import type is 'SAML 2.0 Entity Descriptor', which we
> aren't sure about as well. Can someone point out how we should continue to
> build the initial client here?
>
> Also, if there is an option to update the existing realm with the 'Export
> Realm' facility, that would do as well. However that's not possible I
> suppose?
>
> Not yet, probably it's something which we can improve. Feel free to create
> a JIRA.
>
> Marek
>
> Regards,
> Lohitha.
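Marek's suggestion in this thread (a small admin utility that calls the REST endpoints to create the client in each environment's realm) worked through as an added example; this is not code from the thread or from the Keycloak project. It assumes a 1.x server under the /auth context root, an admin account in the master realm that logs in through the public admin-cli client, and the POST /auth/admin/realms/{realm}/clients endpoint; the HTTP transport is injectable so the logic runs offline against the constructed stand-in at the bottom.

```python
"""Create one OIDC client in an existing realm on every environment
(dev, QA, staging, production) through the Keycloak admin REST API."""
import json
import urllib.error
import urllib.parse
import urllib.request

ADMIN_CLI = "admin-cli"  # public client of the master realm used for admin logins


def urllib_transport(method, url, headers, body=None):
    """Real transport: returns (status, response body bytes, response headers)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read(), dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, err.read(), dict(err.headers)


def admin_token(base_url, username, password, http=urllib_transport):
    """Password grant against the master realm; returns the admin access token.
    Credentials should come from a vault or the environment, never from the script."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": ADMIN_CLI,
                                   "username": username, "password": password}).encode()
    status, body, _ = http("POST", f"{base_url}/auth/realms/master/protocol/openid-connect/token",
                           {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200:
        raise RuntimeError(f"admin login to {base_url} failed with HTTP {status}")
    return json.loads(body)["access_token"]


def client_representation(client_id, redirect_uris, secret=None):
    """ClientRepresentation for a confidential OIDC client.  redirect_uris is an
    explicit allow-list for that environment; wildcards are deliberately avoided."""
    rep = {"clientId": client_id, "enabled": True, "protocol": "openid-connect",
           "publicClient": False, "redirectUris": list(redirect_uris)}
    if secret is not None:  # leave out to let the server generate a secret
        rep["secret"] = secret
    return rep


def create_client(base_url, realm, token, rep, http=urllib_transport):
    """POST the representation to the realm's client collection.
    201 -> 'created', 409 (clientId already present) -> 'exists', anything else raises."""
    status, body, _ = http("POST", f"{base_url}/auth/admin/realms/{realm}/clients",
                           {"Authorization": f"Bearer {token}",
                            "Content-Type": "application/json"},
                           json.dumps(rep).encode())
    if status == 201:
        return "created"
    if status == 409:
        return "exists"
    raise RuntimeError(f"creating {rep['clientId']} in {realm} at {base_url}: HTTP {status}")


def roll_out(environments, realm, rep_for, http=urllib_transport):
    """environments: {name: (base_url, admin_user, admin_password)}; rep_for(name)
    returns the representation for that environment (redirect URIs and secrets
    differ per host).  Returns {name: outcome}; one failure does not stop the rest."""
    results = {}
    for name, (base_url, user, password) in environments.items():
        try:
            token = admin_token(base_url, user, password, http)
            results[name] = create_client(base_url, realm, token, rep_for(name), http)
        except RuntimeError as err:
            results[name] = f"failed: {err}"
    return results


def canned_transport(method, url, headers, body=None):
    """Constructed offline stand-in for the servers: every login succeeds, the
    'dev' host accepts the client, the 'qa' host already has it, bad tokens get 401."""
    if url.endswith("/protocol/openid-connect/token"):
        return 200, b'{"access_token": "constructed-admin-token"}', {}
    if headers.get("Authorization") != "Bearer constructed-admin-token":
        return 401, b"", {}
    if url.startswith("https://kc-dev.example"):
        return 201, b"", {"Location": url + "/00000000-constructed"}
    return 409, b'{"errorMessage": "Client already exists"}', {}


if __name__ == "__main__":
    envs = {"dev": ("https://kc-dev.example", "admin", "pw"),
            "qa": ("https://kc-qa.example", "admin", "pw")}
    rep = client_representation("inventory-app", ["https://inventory.example/oauth/callback"])
    print(roll_out(envs, "demo", lambda name: rep, canned_transport))
```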
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sonicaaaa at gmail.com Wed Jul 1 04:07:20 2015
From: sonicaaaa at gmail.com (Paolo Antinori)
Date: Wed, 1 Jul 2015 10:07:20 +0200
Subject: [keycloak-user] problem with keycloak on openshift
Message-ID:

Hi guys,

I have deployed an instance of keycloak on openshift following the steps described here:

https://github.com/keycloak/openshift-keycloak-cartridge

The operation apparently went ok and I have been able to login to the instance and see the kc administrative interface.

Problem is that after a while, I am no longer able to login to the instance. Not even if I restart it.

This is the error I see when trying:

Bad Request
Your browser sent a request that this server could not understand.
Size of a request header field exceeds server limit.
X-Forwarded-Host
/n

And I get that with both ffox and chromium on linux.

This from curl:

$ curl -L -v https://kc-paolo.rhcloud.com/
* Trying 54.89.206.14...
* Connected to kc-paolo.rhcloud.com (54.89.206.14) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
* Server certificate:
*   subject: CN=*.rhcloud.com,O=Red Hat Inc.,L=Raleigh,ST=North Carolina,C=US
*   start date: Apr 07 00:00:00 2015 GMT
*   expire date: Apr 11 12:00:00 2018 GMT
*   common name: *.rhcloud.com
*   issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.40.0
> Host: kc-paolo.rhcloud.com
> Accept: */*
>
< HTTP/1.1 400 Bad Request
< Date: Wed, 01 Jul 2015 08:06:46 GMT
< Server: Apache/2.2.15 (Red Hat)
< Content-Length: 392
< Content-Type: text/html; charset=iso-8859-1
< Connection: close
<
400 Bad Request

Bad Request

Your browser sent a request that this server could not understand.
Size of a request header field exceeds server limit.

X-Forwarded-Host
/n

Apache/2.2.15 (Red Hat) Server at localhost Port 80
* Closing connection 0

any idea about what's wrong?

thank you
paolo

From gregj at thesoftwarecottage.com.au Wed Jul 1 08:41:41 2015
From: gregj at thesoftwarecottage.com.au (Greg Jones)
Date: Wed, 1 Jul 2015 22:41:41 +1000
Subject: [keycloak-user] User Registration using UserFederationProvider
In-Reply-To: <559288F5.7090405@redhat.com>
References: <05125352-EFEC-45C9-94D5-8B45078E63EC@thesoftwarecottage.com.au> <559288F5.7090405@redhat.com>
Message-ID: <75BD196F-BD74-4106-A252-18924D929F44@thesoftwarecottage.com.au>

Hi Marek,

An update on today's trials:

1. Getting the proxy UserModel to perform the registration is not workable. Our back-end has about 15 required fields, which need to be set in order to register the user. It would be necessary to keep track of each property being set in order to determine when we have enough information to actually register the user. We could call our register method once the last field on the screen has been set, but this creates a very fragile system.

2. I have forked the Keycloak code and made a couple of changes (setting the attributes from the form earlier) that have made it possible to register the user when the provider's register method is called. I believe this has no side-effects on Keycloak but I will do some further testing before raising a Jira and/or creating a pull request.

3. Throwing a ModelException causes an internal server error to be displayed on the page, rather than being displayed as an error message. I have added a catch statement to the code in LoginActionsService to catch any registration exceptions and display the appropriate error on the registration page. This is with 1.3.1.Final but I don't think this has changed in master.

Thanks again for your assistance.

Regards,
Greg J.
> On 30 Jun 2015, at 10:17 pm, Marek Posolda wrote:
>
> On 30.6.2015 08:06, Greg Jones wrote:
>> Hi Team,
>>
>> We are implementing Keycloak as an SSO Server, linked to our existing back-end that is currently responsible for maintaining user registration details. We have developed a UserFederationProvider and are able to login correctly and add our existing authentication token to the JSON Web Token.
>>
>> The next step was to use the back-end server for user registrations and this is where we are having problems.
>>
>> We have added the desired fields to registration.ftl for our chosen theme and have verified that these fields are being added as attributes. We have the problem that the federation provider's register(RealmModel realm, UserModel user) method is called before any fields (other than username) are populated from the registration form (See LoginActionsService.java - line 625) and we cannot register the user without these fields being populated.
> Yes, the method UserFederationProvider.register() is called with a UserModel object, which has just the username set. I agree that it could be possibly more friendly... Could you please create a JIRA?
>
> But you should have the possibility to address this (even if it's not very easy). From the "register" method (and maybe from other methods of your provider as well according to your usecase), you are supposed to return a "proxy" UserModel object wrapping the "local" (Keycloak DB based) UserModel object. In that case when some method is invoked on the proxy (like setFirstName, setLastName, setAttribute etc) you can update the data in your backend as well.
> See the example https://github.com/keycloak/keycloak/blob/master/examples/providers/federation-provider/src/main/java/org/keycloak/examples/federation/properties/FilePropertiesFederationProvider.java#L32
>
>> For our demo to the team, we have found a work-around, whereby we have created an EventListenerProvider that handles the REGISTER event, and performs the user registration at that point. This works since we have all of the information we need by then.
>>
>> Clearly, Keycloak is expecting to be the primary holder for information collected during the registration process but there are several issues with the way it currently works:
>>
>> 1. There is no way to add validation for any extra fields that are added to the registration page, or to change the validation rules for existing fields on that page. It would be useful to have a Validation SPI for modules to be able to provide their own validation.
>> 2. As mentioned, the federation provider's register method is called before the additional fields are added to the UserModel.
>> 3. There is no way for the federation provider's register method to report an error during registration, e.g. a comms error or missing data. Any exception thrown during this call results in a blank page showing "Internal Server Error".
> If you throw ModelException either from the "register" method or from a "setXXX" method of your proxy UserModel object returned from the register method, then the text from the exception is properly displayed in the admin console UI. At least in latest 1.3.1 it should work AFAIK. Can you check this?
>
> There might still be the issue that the "register" method is called with a UserModel with just the username filled, so if some attribute is not valid, your DB may already have the "invalid" object created from the register method. You can address this by not sending your user to your backend when the "register" method is called, but just returning the proxy.
> Then you will update your backend later once all the attributes are valid and properly set.
>
> Marek
>>
>> I am hoping for some guidance here, on whether we have chosen the correct approach to user registration or whether we should be doing it differently.
>>
>> Thanks in advance,
>> Greg Jones

From kevin.thorpe at p-i.net Wed Jul 1 09:09:28 2015
From: kevin.thorpe at p-i.net (Kevin Thorpe)
Date: Wed, 1 Jul 2015 14:09:28 +0100
Subject: [keycloak-user] How read added mapper attribute from ldap?
In-Reply-To: <5592996D.8000108@redhat.com>
References: <5592996D.8000108@redhat.com>
Message-ID:

Hi Marek,

I'm having problems doing a distribution build. Are you expecting that to work?

What extra information do you want from me? I am not a java developer so I'm not sure.

[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 01:58 min
[INFO] Finished at: 2015-07-01T14:06:24+01:00
[INFO] Final Memory: 122M/464M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-surefire-plugin:2.17:test (default-test) on project arquillian-integration: There are test failures.
[ERROR]
[ERROR] Please refer to /home/kevin/keycloak/testsuite/integration-arquillian/target/surefire-reports for the individual test results.
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException

Kevin Thorpe
CTO
www.p-i.net | @PI_150
M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635
150 Buckingham Palace Road, London, SW1W 9TR, UK
_____________________________
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
"SAVE PAPER - THINK BEFORE YOU PRINT!"

On 30 June 2015 at 14:28, Marek Posolda wrote:

> Hi Kevin,
>
> in latest master there is support for multiple values of some user
> attribute mapped from LDAP. There is also a new switch "multivalued" in the admin
> console for the User attribute protocol mapper - when it's on, you will see all
> the values of the attribute in the id token (or access token) in your
> application.
>
> Also there is a switch "Always read value from LDAP" on the User attribute LDAP
> federation mapper. When it's on, the value of the attribute is always read from
> LDAP even for the users which were already added into the Keycloak DB before
> you created the LDAP mapper.
>
> I hope this will address the issues you mentioned below and in the
> previous mails last week.
>
> Please let me know if it works or if there are still some issues you're
> seeing.
>
> Thanks,
> Marek
>
> On 29.6.2015 14:22, Kevin Thorpe wrote:
>
> There are two mappings here.
>
> Firstly you need an attribute mapper in user federation. This maps an
> LDAP attribute to a Keycloak one.
> I don't think this works on existing users though. Try creating a new LDAP
> user and log in as that user to test this.
> Check the log. In my case it's at /var/log/wildfly/console.log but might
> have been moved there by one of our devs.
> Check the USER_ATTRIBUTES table in the database. You should have a line for
> your new attribute for your new user.
> I know this doesn't work for multi-attribute values, eg we have an
> 'applications' attribute which users will have several entries in.
>
> Secondly you need to map the user attribute you created above to the JWT
> token.
> This is under your client application definition.
> You need a 'user attribute' not 'property' mapper to map the new keycloak
> user attribute to a value in the token(s).
> You also need to turn it on for either the id token or access token
> depending on where your client expects it.
>
> On 29 June 2015 at 13:02, Adam Daduev wrote:
>
>> Hi.
>> I try to use a new feature of keycloak 1.3.1, I added a new attribute, like
>> department, but I can not get it in my web bean, I try to get the new attribute
>> from KeycloakSecurityContext, but can not find it.
>> How can I get my new added attribute?
>> Thanks!
From mposolda at redhat.com Wed Jul 1 09:53:15 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 01 Jul 2015 15:53:15 +0200
Subject: [keycloak-user] How read added mapper attribute from ldap?
In-Reply-To:
References: <5592996D.8000108@redhat.com>
Message-ID: <5593F0CB.5030000@redhat.com>

Hi Kevin,

could you try to attach "-DskipTests=true" as the parameter to the maven command during build? Or maybe even just run those commands (assuming you are in the directory with latest keycloak master):

mvn clean install -DskipTests=true
cd distribution
mvn clean install

Thanks,
Marek

On 1.7.2015 15:09, Kevin Thorpe wrote:
> Hi Marek, I'm having problems doing a distribution build. Are you
> expecting that to work?
>
> What extra information do you want from me? I am not a java developer
> so I'm not sure.
From mposolda at redhat.com Wed Jul 1 10:20:37 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 01 Jul 2015 16:20:37 +0200
Subject: [keycloak-user] User Registration using UserFederationProvider
In-Reply-To: <75BD196F-BD74-4106-A252-18924D929F44@thesoftwarecottage.com.au>
References: <05125352-EFEC-45C9-94D5-8B45078E63EC@thesoftwarecottage.com.au> <559288F5.7090405@redhat.com> <75BD196F-BD74-4106-A252-18924D929F44@thesoftwarecottage.com.au>
Message-ID: <5593F735.4030908@redhat.com>

On 1.7.2015 14:41, Greg Jones wrote:
> Hi Marek,
>
> An update on today's trials:
>
> 1. Getting the proxy UserModel to perform the registration is not workable. Our back-end has about 15 required fields, which need to be set in order to register the user. It would be necessary to keep track of each property being set in order to determine when we have enough information to actually register the user. We could call our register method once the last field on the screen has been set, but this creates a very fragile system.

Yeah, what I meant was to not send the user to your backend once the "register" method is called, but just return the proxy. Then when you see that all fields and attributes are set on the proxy and are valid (you may need to implement all the methods like setFirstName, setLastName, setEmail, setAttribute etc) you will send the user to be registered in your backend. Could this work?

>
> 2.
> I have forked the Keycloak code and made a couple of changes (setting the attributes from the form earlier) that have made it possible to register the user when the provider's register method is called. I believe this has no side-effects on Keycloak but I will do some further testing before raising a Jira and/or creating a pull request.
>
> 3. Throwing a ModelException causes an internal server error to be displayed on the page, rather than being displayed as an error message. I have added a catch statement to the code in LoginActionsService to catch any registration exceptions and display the appropriate error on the registration page. This is with 1.3.1.Final but I don't think this has changed in master.

Ah, ok. I believe that registering a user through the UI of the admin console should display the message from the ModelException in the UI, but for the standard user registration, it maybe doesn't work well. I wonder whether in the case of standard registration we may need to create a subclass of ModelException (for example ModelFederationException) and catch just this subclass? Because ModelException could indicate some error at DB level during persisting the user, and it's probably not best from the usability perspective to display details about a DB error in the UI, which is going to be shown to the end user.

Marek

>
> Thanks again for your assistance.
>
> Regards,
> Greg J.
From stian at redhat.com Thu Jul 2 02:26:51 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 2 Jul 2015 02:26:51 -0400 (EDT)
Subject: [keycloak-user] Update the user only with required fields
In-Reply-To:
References: <1490204236.26083427.1435242053103.JavaMail.zimbra@redhat.com>
Message-ID: <1345668622.30684695.1435818411834.JavaMail.zimbra@redhat.com>

Send me the json you're updating with and what fields are changed and I'll look into it

----- Original Message -----
> From: "Chamantha De Silva"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Friday, 26 June, 2015 7:18:08 AM
> Subject: RE: [keycloak-user] Update the user only with required fields
>
> Hi Stian,
>
> Thank you for your response, we are using Keycloak 1.2.0 final and in that
> version we do have that problem. If we update only a particular element in
> the user update call it will truncate (turn to default values in some cases eg :
> boolean).
>
> Best Regards,
> Chamantha
>
> > Date: Thu, 25 Jun 2015 10:20:53 -0400
> > From: stian at redhat.com
> > To: chamantha at outlook.com
> > CC: keycloak-user at lists.jboss.org
> > Subject: Re: [keycloak-user] Update the user only with required fields
> >
> > You can just send the user json and only include the attributes you want to
> > change.
> >
> > ----- Original Message -----
> > > From: "Chamantha De Silva"
> > > To: keycloak-user at lists.jboss.org
> > > Sent: Thursday, 25 June, 2015 1:22:31 AM
> > > Subject: [keycloak-user] Update the user only with required fields
> > >
> > > Hi Team,
> > >
> > > There are situations that we use the update user rest API, to update just one
> > > element of the user (eg: enabled : false etc.).
> > > This requires a pre-fetched user object from the GET user call, otherwise
> > > the rest of the user information tends to be truncated after the update call.
> > >
> > > Is there a possibility to update only specific elements of the user instead
> > > of sending the whole user object (the objective is to avoid the GET call right
> > > before the update call and avoid the possible tendency of data truncation)?
> > > Your kind reply is highly appreciated.
> > >
> > > Best regards,
> > > Chamantha
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From stian at redhat.com Thu Jul 2 03:40:48 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 2 Jul 2015 03:40:48 -0400 (EDT)
Subject: [keycloak-user] keycloak 1.3.1 OpenID Connect token introspection url
In-Reply-To:
References:
Message-ID: <1255309225.30761760.1435822848801.JavaMail.zimbra@redhat.com>

Keycloak has an endpoint to verify a token. The URL is:

/auth/realms//protocol/openid-connect/validate

It takes a single query_param 'access_token'. If the token is valid the response will be the token as a JSON document, otherwise it'll return an error.

----- Original Message -----
> From: "Niels Bertram"
> To: keycloak-user at lists.jboss.org
> Sent: Monday, 29 June, 2015 5:30:51 PM
> Subject: [keycloak-user] keycloak 1.3.1 OpenID Connect token introspection url
>
> Hi there,
>
> I am trying to configure a server side (RP) client which requires a JWT
> introspection URL on the OP. I tried to find such an endpoint on the KeyCloak
> server without avail, neither did I actually find any URL of type
> "introspect" in the OpenID Connect Specification.
>
> Does anyone know if/how an OAuth2 client can validate a JWT token via a back
> channel with the KeyCloak server?
>
> The client I am trying to configure is the MITREid client as per
> https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki/Token-Introspecting-Client-Config
>
> Looking at the code, the client will issue a POST to the introspection
> endpoint with some form data:
>
> POST /auth/realms/myrealm/protocol/openid-connect/introspect HTTP/1.1
> Host: localhost:8080
> Cache-Control: no-cache
> Content-Type: application/x-www-form-urlencoded
>
> client_id=myapp&client_secret=mysupersecret&token=eyJhbGciO[truncated but
> valid access token]
>
> Any pointers are much appreciated.
>
> Kind Regards,
> Niels
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From stian at redhat.com Thu Jul 2 06:22:12 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 2 Jul 2015 06:22:12 -0400 (EDT)
Subject: [keycloak-user] problem with keycloak on openshift
In-Reply-To:
References:
Message-ID: <670903255.30851448.1435832532163.JavaMail.zimbra@redhat.com>

Don't know what's going on here. If you're sending a request directly to 'https://kc-paolo.rhcloud.com/' it's not specific to Keycloak and it's either a WildFly or OpenShift issue. My guess would be the latter, so maybe ask on the OpenShift forums?

----- Original Message -----
> From: "Paolo Antinori"
> To: keycloak-user at lists.jboss.org
> Sent: Wednesday, 1 July, 2015 10:07:20 AM
> Subject: [keycloak-user] problem with keycloak on openshift
>
> Hi guys, I have deployed an instance of keycloak on openshift
> following the steps described here:
>
> https://github.com/keycloak/openshift-keycloak-cartridge
>
> The operation apparently went ok and I have been able to log in to the
> instance and see the kc administrative interface.
>
> Problem is that after a while, I am no longer able to log in to the
> instance. Not even if I restart it.
>
> This is the error I see when trying:
>
> Bad Request
>
> Your browser sent a request that this server could not understand.
> Size of a request header field exceeds server limit.
>
> X-Forwarded-Host
>
> /n
>
>
> And I get that with both ffox and chromium on linux
>
> this from curl:
>
>
> $ curl -L -v https://kc-paolo.rhcloud.com/
> * Trying 54.89.206.14...
> * Connected to kc-paolo.rhcloud.com (54.89.206.14) port 443 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> * CAfile: /etc/pki/tls/certs/ca-bundle.crt
> CApath: none
> * SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> * Server certificate:
> * subject: CN=*.rhcloud.com,O=Red Hat Inc.,L=Raleigh,ST=North Carolina,C=US
> * start date: Apr 07 00:00:00 2015 GMT
> * expire date: Apr 11 12:00:00 2018 GMT
> * common name: *.rhcloud.com
> * issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
> > GET / HTTP/1.1
> > User-Agent: curl/7.40.0
> > Host: kc-paolo.rhcloud.com
> > Accept: */*
> >
> < HTTP/1.1 400 Bad Request
> < Date: Wed, 01 Jul 2015 08:06:46 GMT
> < Server: Apache/2.2.15 (Red Hat)
> < Content-Length: 392
> < Content-Type: text/html; charset=iso-8859-1
> < Connection: close
> <
> 400 Bad Request
> Bad Request
> Your browser sent a request that this server could not understand.
> Size of a request header field exceeds server limit.
> X-Forwarded-Host
> /n
> Apache/2.2.15 (Red Hat) Server at localhost Port 80
> > * Closing connection 0
>
>
>
> any idea about what's wrong?
>
> thank you
>
> paolo
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From sonicaaaa at gmail.com Thu Jul 2 08:21:21 2015
From: sonicaaaa at gmail.com (Paolo Antinori)
Date: Thu, 2 Jul 2015 14:21:21 +0200
Subject: [keycloak-user] problem with keycloak on openshift
In-Reply-To: <670903255.30851448.1435832532163.JavaMail.zimbra@redhat.com>
References: <670903255.30851448.1435832532163.JavaMail.zimbra@redhat.com>
Message-ID:

Thank you. After confirming it's anything known or that I'm doing anything obviously stupid on Keycloak side I will verify with the OS guys. I'll report the finding just for cross linking.

thank you!

paolo

On Thu, Jul 2, 2015 at 12:22 PM, Stian Thorgersen wrote:
> Don't know what's going on here. If you're sending a request directly to 'https://kc-paolo.rhcloud.com/' it's not specific to Keycloak and it's either a WildFly or OpenShift issue. My guess would be the latter so maybe ask on OpenShift forums?
>
> ----- Original Message -----
>> From: "Paolo Antinori"
>> To: keycloak-user at lists.jboss.org
>> Sent: Wednesday, 1 July, 2015 10:07:20 AM
>> Subject: [keycloak-user] problem with keycloak on openshift
>>
>> Hi guys, I have deployed an instance of keycloak on openshift
>> following the steps described here:
>>
>> https://github.com/keycloak/openshift-keycloak-cartridge
>>
>> The operation apparently went ok and I have been able to login to the
>> instance and see kc administrative interface.
>>
>> Problem is that after a while, I am no longer able to login to the
>> instance. Not even if I restart it.
>>
>> This is the error I see when trying:
>>
>> Bad Request
>>
>> Your browser sent a request that this server could not understand.
>> Size of a request header field exceeds server limit.
>>
>> X-Forwarded-Host
>>
>> /n
>>
>>
>> And I get that with both ffox and chromium on linux
>>
>> this from curl:
>>
>>
>> $ curl -L -v https://kc-paolo.rhcloud.com/
>> * Trying 54.89.206.14...
>> * Connected to kc-paolo.rhcloud.com (54.89.206.14) port 443 (#0)
>> * Initializing NSS with certpath: sql:/etc/pki/nssdb
>> * CAfile: /etc/pki/tls/certs/ca-bundle.crt
>> CApath: none
>> * SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
>> * Server certificate:
>> * subject: CN=*.rhcloud.com,O=Red Hat Inc.,L=Raleigh,ST=North Carolina,C=US
>> * start date: Apr 07 00:00:00 2015 GMT
>> * expire date: Apr 11 12:00:00 2018 GMT
>> * common name: *.rhcloud.com
>> * issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
>> > GET / HTTP/1.1
>> > User-Agent: curl/7.40.0
>> > Host: kc-paolo.rhcloud.com
>> > Accept: */*
>> >
>> < HTTP/1.1 400 Bad Request
>> < Date: Wed, 01 Jul 2015 08:06:46 GMT
>> < Server: Apache/2.2.15 (Red Hat)
>> < Content-Length: 392
>> < Content-Type: text/html; charset=iso-8859-1
>> < Connection: close
>> <
>> 400 Bad Request
>> Bad Request
>> Your browser sent a request that this server could not understand.
>> Size of a request header field exceeds server limit.
>> X-Forwarded-Host
>> /n
>> Apache/2.2.15 (Red Hat) Server at localhost Port 80
>> >> * Closing connection 0
>>
>>
>>
>>
>> any idea about what's wrong?
>>
>> thank you
>>
>> paolo
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>

From roman.usatenko at gmail.com Thu Jul 2 21:35:12 2015
From: roman.usatenko at gmail.com (Roman Usatenko)
Date: Thu, 2 Jul 2015 18:35:12 -0700
Subject: [keycloak-user] Login problems in cluster mode with keycloak 1.2.0.Final
Message-ID:

Hello,

I have an HA set up of keycloak 1.2.0.Final - two instances in a cluster behind a load-balancer. Sometimes (not every time) I cannot log in and have this exception in the log file on one of the boxes.

Is this a known issue or did I do something wrong?

Thank you,
Roman Usatenko.

=====================================================================================
2015-07-02 23:42:24,811 ERROR [io.undertow.request] (default task-15) UT005023: Exception handling request to /realms/master/login-actions/request/login: java.lang.RuntimeException: request path: /realms/master/login-actions/request/login
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54) [keycloak-services-1.2.0.Final.jar:1.2.0.Final]
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:166) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] at io.undertow.server.Connectors.executeRootHandler(Connectors.java:197) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_79] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_79] at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_79] Caused by: org.jboss.resteasy.spi.UnhandledException: org.infinispan.commons.CacheException: java.lang.RuntimeException: Failure to marshal argument(s) at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) [resteasy-jaxrs-3.0.10.Final.jar:] at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) [resteasy-jaxrs-3.0.10.Final.jar:] at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149) [resteasy-jaxrs-3.0.10.Final.jar:] at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372) [resteasy-jaxrs-3.0.10.Final.jar:] at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) 
[resteasy-jaxrs-3.0.10.Final.jar:] at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) [resteasy-jaxrs-3.0.10.Final.jar:] at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) [resteasy-jaxrs-3.0.10.Final.jar:] at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) [resteasy-jaxrs-3.0.10.Final.jar:] at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final] at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] at org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41) [keycloak-services-1.2.0.Final.jar:1.2.0.Final] at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40) [keycloak-services-1.2.0.Final.jar:1.2.0.Final] ... 
28 more Caused by: org.infinispan.commons.CacheException: java.lang.RuntimeException: Failure to marshal argument(s) at org.infinispan.commons.util.Util.rewrapAsCacheException(Util.java:581) at org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.invokeRemoteCommands(CommandAwareRpcDispatcher.java:141) at org.infinispan.remoting.transport.jgroups.JGroupsTransport.invokeRemotely(JGroupsTransport.java:524) at org.infinispan.remoting.rpc.RpcManagerImpl.invokeRemotely(RpcManagerImpl.java:281) at org.infinispan.interceptors.distribution.BaseDistributionInterceptor.invokeClusterGetCommandRemotely(BaseDistributionInterceptor.java:130) at org.infinispan.interceptors.distribution.BaseDistributionInterceptor.retrieveFromRemoteSource(BaseDistributionInterceptor.java:118) at org.infinispan.interceptors.distribution.NonTxDistributionInterceptor.remoteGetCacheEntry(NonTxDistributionInterceptor.java:161) at org.infinispan.interceptors.distribution.NonTxDistributionInterceptor.visitGetKeyValueCommand(NonTxDistributionInterceptor.java:48) at org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40) at org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:98) at org.infinispan.interceptors.EntryWrappingInterceptor.visitGetKeyValueCommand(EntryWrappingInterceptor.java:116) at org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40) at org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:98) at org.infinispan.interceptors.locking.NonTransactionalLockingInterceptor.visitGetKeyValueCommand(NonTransactionalLockingInterceptor.java:32) at org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40) at org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:98) at 
org.infinispan.interceptors.base.CommandInterceptor.handleDefault(CommandInterceptor.java:112) at org.infinispan.commands.AbstractVisitor.visitGetKeyValueCommand(AbstractVisitor.java:74) at org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40) at org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:98) at org.infinispan.interceptors.base.CommandInterceptor.handleDefault(CommandInterceptor.java:112) at org.infinispan.commands.AbstractVisitor.visitGetKeyValueCommand(AbstractVisitor.java:74) at org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40) at org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:98) at org.infinispan.statetransfer.StateTransferInterceptor.handleTopologyAffectedCommand(StateTransferInterceptor.java:263) at org.infinispan.statetransfer.StateTransferInterceptor.handleDefault(StateTransferInterceptor.java:247) at org.infinispan.commands.AbstractVisitor.visitGetKeyValueCommand(AbstractVisitor.java:74) at org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40) at org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:98) at org.infinispan.interceptors.CacheMgmtInterceptor.visitGetKeyValueCommand(CacheMgmtInterceptor.java:92) at org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40) at org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:98) at org.infinispan.interceptors.InvocationContextInterceptor.handleAll(InvocationContextInterceptor.java:110) at org.infinispan.interceptors.InvocationContextInterceptor.handleDefault(InvocationContextInterceptor.java:73) at org.infinispan.commands.AbstractVisitor.visitGetKeyValueCommand(AbstractVisitor.java:74) at 
org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40) at org.infinispan.interceptors.InterceptorChain.invoke(InterceptorChain.java:333) at org.infinispan.CacheImpl.get(CacheImpl.java:377) at org.infinispan.CacheImpl.get(CacheImpl.java:369) at org.infinispan.AbstractDelegatingCache.get(AbstractDelegatingCache.java:271) at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider.getUserLoginFailure(InfinispanUserSessionProvider.java:283) [keycloak-model-sessions-infinispan-1.2.0.Final.jar:1.2.0.Final] at org.keycloak.services.managers.BruteForceProtector.isTemporarilyDisabled(BruteForceProtector.java:241) [keycloak-services-1.2.0.Final.jar:1.2.0.Final] at org.keycloak.services.managers.AuthenticationManager.authenticateForm(AuthenticationManager.java:587) [keycloak-services-1.2.0.Final.jar:1.2.0.Final] at org.keycloak.services.resources.LoginActionsService.processLogin(LoginActionsService.java:345) [keycloak-services-1.2.0.Final.jar:1.2.0.Final] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_79] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_79] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_79] at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_79] at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) [resteasy-jaxrs-3.0.10.Final.jar:] at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) [resteasy-jaxrs-3.0.10.Final.jar:] at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) [resteasy-jaxrs-3.0.10.Final.jar:] at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) [resteasy-jaxrs-3.0.10.Final.jar:] at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) [resteasy-jaxrs-3.0.10.Final.jar:] 
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) [resteasy-jaxrs-3.0.10.Final.jar:]
... 39 more
Caused by: java.lang.RuntimeException: Failure to marshal argument(s)
at org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.marshallCall(CommandAwareRpcDispatcher.java:333)
at org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.processCalls(CommandAwareRpcDispatcher.java:407)
at org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.invokeRemoteCommands(CommandAwareRpcDispatcher.java:132)
... 91 more
Caused by: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.models.sessions.infinispan.entities.LoginFailureKey
Caused by: an exception which occurred:
in object org.keycloak.models.sessions.infinispan.entities.LoginFailureKey@a1289374
in object org.infinispan.commands.remote.ClusteredGetCommand@a1289374
=====================================================================================

From nielsbne at gmail.com Thu Jul 2 23:19:27 2015
From: nielsbne at gmail.com (Niels Bertram)
Date: Fri, 3 Jul 2015 13:19:27 +1000
Subject: [keycloak-user] keycloak 1.3.1 OpenID Connect token introspection url
In-Reply-To: <1255309225.30761760.1435822848801.JavaMail.zimbra@redhat.com>
References: <1255309225.30761760.1435822848801.JavaMail.zimbra@redhat.com>
Message-ID:

Thanks Stian, got it to work.

Strangely enough this validation endpoint is not returned in the keycloak response on /auth/realms/[realm]/.well-known/openid-configuration. Also I tried to find any standard reference in the OpenID Connect 1.0 specification and there is no mention of this mechanism. So I assume it's not a standard OpenID method, right?
Kind Regards,
Niels

On Thu, Jul 2, 2015 at 5:40 PM, Stian Thorgersen wrote:
> Keycloak has an endpoint to verify token. URL is:
>
> /auth/realms//protocol/openid-connect/validate
>
> It takes a single query_param 'access_token'. If token is valid the
> response will be the token as json document, otherwise it'll return an
> error.
>
> ----- Original Message -----
> > From: "Niels Bertram"
> > To: keycloak-user at lists.jboss.org
> > Sent: Monday, 29 June, 2015 5:30:51 PM
> > Subject: [keycloak-user] keycloak 1.3.1 OpenID Connect token introspection url
> >
> > Hi there,
> >
> > I am trying to configure a server side (RP) client which requires a JWT
> > introspection URL on the OP. I tried to find such endpoint on the KeyCloak
> > server without avail neither did I actually find any url of type
> > "introspect" in the OpenID Connect Specification.
> >
> > Does anyone know if/how a OAuth2 client can validate a JWT token via a back
> > channel with the KeyCloak server?
> >
> > The client I am trying to configure is the MITREid client as per
> > https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki/Token-Introspecting-Client-Config
> >
> > Looking at the code, the client will issue a post to the introspection
> > endpoint with some form data:
> >
> > POST /auth/realms/myrealm/protocol/openid-connect/introspect HTTP/1.1
> > Host: localhost:8080
> > Cache-Control: no-cache
> > Content-Type: application/x-www-form-urlencoded
> >
> > client_id=myapp&client_secret=mysupersecret&token=eyJhbGciO[truncated but
> > valid access token]
> >
> > Any pointers are much appreciated.
> >
> > Kind Regards,
> > Niels
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
From stian at redhat.com Fri Jul 3 02:46:23 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 3 Jul 2015 02:46:23 -0400 (EDT)
Subject: [keycloak-user] keycloak 1.3.1 OpenID Connect token introspection url
In-Reply-To:
References: <1255309225.30761760.1435822848801.JavaMail.zimbra@redhat.com>
Message-ID: <941174148.31521785.1435905983117.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Niels Bertram"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Friday, 3 July, 2015 5:19:27 AM
> Subject: Re: [keycloak-user] keycloak 1.3.1 OpenID Connect token introspection url
>
> Thanks Stian, got it to work.
>
> Strangely enough this validation endpoint is not returned in the keycloak
> response on /auth/realms/[realm]/.well-known/openid-configuration . Also I
> tried to find any standard reference in the OpenID Connect 1.0
> specification and there is no mentioning of this mechanism. So I assume its
> not a standard OpenID method right?

As far as I know you're right, there's no standard endpoint for verifying the token. Not sure it makes sense for us to add non-standard endpoints to the openid-configuration endpoint. It's long overdue, but we do plan to provide some better docs with regards to OpenID Connect, including the "extensions" we've added.

>
> Kind Regards,
> Niels
>
> On Thu, Jul 2, 2015 at 5:40 PM, Stian Thorgersen wrote:
>
> > Keycloak has an endpoint to verify token. URL is:
> >
> > /auth/realms//protocol/openid-connect/validate
> >
> > It takes a single query_param 'access_token'. If token is valid the
> > response will be the token as json document, otherwise it'll return an
> > error.
> >
> > ----- Original Message -----
> > > From: "Niels Bertram"
> > > To: keycloak-user at lists.jboss.org
> > > Sent: Monday, 29 June, 2015 5:30:51 PM
> > > Subject: [keycloak-user] keycloak 1.3.1 OpenID Connect token introspection url
> > >
> > > Hi there,
> > >
> > > I am trying to configure a server side (RP) client which requires a JWT
> > > introspection URL on the OP. I tried to find such endpoint on the KeyCloak
> > > server without avail neither did I actually find any url of type
> > > "introspect" in the OpenID Connect Specification.
> > >
> > > Does anyone know if/how a OAuth2 client can validate a JWT token via a back
> > > channel with the KeyCloak server?
> > >
> > > The client I am trying to configure is the MITREid client as per
> > > https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki/Token-Introspecting-Client-Config
> > >
> > > Looking at the code, the client will issue a post to the introspection
> > > endpoint with some form data:
> > >
> > > POST /auth/realms/myrealm/protocol/openid-connect/introspect HTTP/1.1
> > > Host: localhost:8080
> > > Cache-Control: no-cache
> > > Content-Type: application/x-www-form-urlencoded
> > >
> > > client_id=myapp&client_secret=mysupersecret&token=eyJhbGciO[truncated but
> > > valid access token]
> > >
> > > Any pointers are much appreciated.
> > >
> > > Kind Regards,
> > > Niels
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>

From stian at redhat.com Fri Jul 3 03:14:14 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 3 Jul 2015 03:14:14 -0400 (EDT)
Subject: [keycloak-user] Login problems in cluster mode with keycloak 1.2.0.Final
In-Reply-To:
References:
Message-ID: <823741506.31539290.1435907654801.JavaMail.zimbra@redhat.com>

It's a known issue - if you enable brute force protection and clustering. It's fixed in 1.3.1 (https://issues.jboss.org/browse/KEYCLOAK-1333).

----- Original Message -----
> From: "Roman Usatenko"
> To: keycloak-user at lists.jboss.org
> Sent: Friday, 3 July, 2015 3:35:12 AM
> Subject: [keycloak-user] Login problems in cluster mode with keycloak 1.2.0.Final
>
> Hello,
>
> I have HA set up of keycloak 1.2.0.Final - two instances in cluster behind
> load-balancer. Sometimes (not every time) I cannot log in and have this
> exception in log file on one of the boxes.
>
> Is this a known issue or did I something wrong?
>
> Thank you,
> Roman Usatenko.
> > ===================================================================================== > 2015-07-02 23:42:24,811 ERROR [io.undertow.request] (default task-15) > UT005023: Exception handling request to > /realms/master/login-actions/request/login: java.lang.RuntimeException: > request path: /realms/master/login-actions/request/login > at > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54) > [keycloak-services-1.2.0.Final.jar:1.2.0.Final] > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > 
[undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > 
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:166) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:197) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > [rt.jar:1.7.0_79] > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > [rt.jar:1.7.0_79] > at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_79] > Caused by: org.jboss.resteasy.spi.UnhandledException: > org.infinispan.commons.CacheException: java.lang.RuntimeException: Failure > to marshal argument(s) > at > org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) > [resteasy-jaxrs-3.0.10.Final.jar:] > at > org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) > [resteasy-jaxrs-3.0.10.Final.jar:] > at > org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149) > [resteasy-jaxrs-3.0.10.Final.jar:] > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372) > [resteasy-jaxrs-3.0.10.Final.jar:] > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) > [resteasy-jaxrs-3.0.10.Final.jar:] > at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) > [resteasy-jaxrs-3.0.10.Final.jar:] > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > [resteasy-jaxrs-3.0.10.Final.jar:] > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > [resteasy-jaxrs-3.0.10.Final.jar:] > at 
javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final] > at > io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41) > [keycloak-services-1.2.0.Final.jar:1.2.0.Final] > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40) > [keycloak-services-1.2.0.Final.jar:1.2.0.Final] > ... 28 more > Caused by: org.infinispan.commons.CacheException: java.lang.RuntimeException: > Failure to marshal argument(s) > at org.infinispan.commons.util.Util.rewrapAsCacheException(Util.java:581) > at > org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.invokeRemoteCommands(CommandAwareRpcDispatcher.java:141) > at > org.infinispan.remoting.transport.jgroups.JGroupsTransport.invokeRemotely(JGroupsTransport.java:524) > at > org.infinispan.remoting.rpc.RpcManagerImpl.invokeRemotely(RpcManagerImpl.java:281) > at > org.infinispan.interceptors.distribution.BaseDistributionInterceptor.invokeClusterGetCommandRemotely(BaseDistributionInterceptor.java:130) > at > org.infinispan.interceptors.distribution.BaseDistributionInterceptor.retrieveFromRemoteSource(BaseDistributionInterceptor.java:118) > at > org.infinispan.interceptors.distribution.NonTxDistributionInterceptor.remoteGetCacheEntry(NonTxDistributionInterceptor.java:161) > at > 
org.infinispan.interceptors.distribution.NonTxDistributionInterceptor.visitGetKeyValueCommand(NonTxDistributionInterceptor.java:48) > at > org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40) > at > org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:98) > at > org.infinispan.interceptors.EntryWrappingInterceptor.visitGetKeyValueCommand(EntryWrappingInterceptor.java:116) > at > org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40) > at > org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:98) > at > org.infinispan.interceptors.locking.NonTransactionalLockingInterceptor.visitGetKeyValueCommand(NonTransactionalLockingInterceptor.java:32) > at > org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40) > at > org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:98) > at > org.infinispan.interceptors.base.CommandInterceptor.handleDefault(CommandInterceptor.java:112) > at > org.infinispan.commands.AbstractVisitor.visitGetKeyValueCommand(AbstractVisitor.java:74) > at > org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40) > at > org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:98) > at > org.infinispan.interceptors.base.CommandInterceptor.handleDefault(CommandInterceptor.java:112) > at > org.infinispan.commands.AbstractVisitor.visitGetKeyValueCommand(AbstractVisitor.java:74) > at > org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40) > at > org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:98) > at > org.infinispan.statetransfer.StateTransferInterceptor.handleTopologyAffectedCommand(StateTransferInterceptor.java:263) > at > 
org.infinispan.statetransfer.StateTransferInterceptor.handleDefault(StateTransferInterceptor.java:247) > at > org.infinispan.commands.AbstractVisitor.visitGetKeyValueCommand(AbstractVisitor.java:74) > at > org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40) > at > org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:98) > at > org.infinispan.interceptors.CacheMgmtInterceptor.visitGetKeyValueCommand(CacheMgmtInterceptor.java:92) > at > org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40) > at > org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:98) > at > org.infinispan.interceptors.InvocationContextInterceptor.handleAll(InvocationContextInterceptor.java:110) > at > org.infinispan.interceptors.InvocationContextInterceptor.handleDefault(InvocationContextInterceptor.java:73) > at > org.infinispan.commands.AbstractVisitor.visitGetKeyValueCommand(AbstractVisitor.java:74) > at > org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40) > at > org.infinispan.interceptors.InterceptorChain.invoke(InterceptorChain.java:333) > at org.infinispan.CacheImpl.get(CacheImpl.java:377) > at org.infinispan.CacheImpl.get(CacheImpl.java:369) > at > org.infinispan.AbstractDelegatingCache.get(AbstractDelegatingCache.java:271) > at > org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider.getUserLoginFailure(InfinispanUserSessionProvider.java:283) > [keycloak-model-sessions-infinispan-1.2.0.Final.jar:1.2.0.Final] > at > org.keycloak.services.managers.BruteForceProtector.isTemporarilyDisabled(BruteForceProtector.java:241) > [keycloak-services-1.2.0.Final.jar:1.2.0.Final] > at > org.keycloak.services.managers.AuthenticationManager.authenticateForm(AuthenticationManager.java:587) > [keycloak-services-1.2.0.Final.jar:1.2.0.Final] > at > 
org.keycloak.services.resources.LoginActionsService.processLogin(LoginActionsService.java:345) > [keycloak-services-1.2.0.Final.jar:1.2.0.Final] > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > [rt.jar:1.7.0_79] > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) > [rt.jar:1.7.0_79] > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > [rt.jar:1.7.0_79] > at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_79] > at > org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) > [resteasy-jaxrs-3.0.10.Final.jar:] > at > org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) > [resteasy-jaxrs-3.0.10.Final.jar:] > at > org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) > [resteasy-jaxrs-3.0.10.Final.jar:] > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) > [resteasy-jaxrs-3.0.10.Final.jar:] > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) > [resteasy-jaxrs-3.0.10.Final.jar:] > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) > [resteasy-jaxrs-3.0.10.Final.jar:] > ... 39 more > Caused by: java.lang.RuntimeException: Failure to marshal argument(s) > at > org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.marshallCall(CommandAwareRpcDispatcher.java:333) > at > org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.processCalls(CommandAwareRpcDispatcher.java:407) > at > org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.invokeRemoteCommands(CommandAwareRpcDispatcher.java:132) > ... 
91 more
> Caused by: org.infinispan.commons.marshall.NotSerializableException:
> org.keycloak.models.sessions.infinispan.entities.LoginFailureKey
> Caused by: an exception which occurred:
> in object org.keycloak.models.sessions.infinispan.entities.LoginFailureKey@a1289374
> in object org.infinispan.commands.remote.ClusteredGetCommand@a1289374
>
> =====================================================================================
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From chamantha at outlook.com Sun Jul 5 10:25:40 2015
From: chamantha at outlook.com (Chamantha De Silva)
Date: Sun, 5 Jul 2015 20:25:40 +0600
Subject: [keycloak-user] Update the user only with required fields
In-Reply-To: <1345668622.30684695.1435818411834.JavaMail.zimbra@redhat.com>
References: <1490204236.26083427.1435242053103.JavaMail.zimbra@redhat.com>, <1345668622.30684695.1435818411834.JavaMail.zimbra@redhat.com>
Message-ID:

Hi Stian,

I included a sample scenario as follows, in which I have updated only one field, the "enabled" field. But this is common for the rest of the fields and attributes as well.

1. Before the update (test user's original information):

{
  "id": "c2279ae4-99b7-403c-9ac7-0ff838ff1b83",
  "username": "test-user",
  "enabled": true,
  "totp": false,
  "emailVerified": false,
  "firstName": "test",
  "lastName": "user",
  "email": "test-user@test.com",
  "attributes": {
    "locality": "Redwood city",
    "country": "USA",
    "region": "CA",
    "postal_code": "94065",
    "street": "Holly St"
  },
  "requiredActions": []
}

2.
Update the user as follows:

Update user with just one field, API call:

PUT /auth/admin/realms/leapset/users/test-user

Headers:
Accept: application/json
content-type: application/json
Authorization: Bearer TOKEN

Request body:
{"enabled":false}

After the update, fields like email, firstname, lastname are missing:

{
  "id": "c2279ae4-99b7-403c-9ac7-0ff838ff1b83",
  "username": "test-user",
  "enabled": false,
  "totp": false,
  "emailVerified": false,
  "attributes": {
    "locality": "Redwood city",
    "country": "USA",
    "region": "CA",
    "postal_code": "94065",
    "street": "Holly St"
  },
  "requiredActions": []
}

> Date: Thu, 2 Jul 2015 02:26:51 -0400
> From: stian at redhat.com
> To: chamantha at outlook.com
> CC: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Update the user only with required fields
>
> Send me the json you're updating with and what fields are changed and I'll look into it
>
> ----- Original Message -----
> > From: "Chamantha De Silva"
> > To: "Stian Thorgersen"
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Friday, 26 June, 2015 7:18:08 AM
> > Subject: RE: [keycloak-user] Update the user only with required fields
> >
> > Hi Stian,
> >
> > Thank you for your response. We are using Keycloak 1.2.0 Final and in that
> > version we do have that problem. If we update only a particular element in the
> > user update call it will truncate (turn to default values in some cases, e.g.
> > boolean).
> >
> > Best Regards,
> > Chamantha
> >
> > > Date: Thu, 25 Jun 2015 10:20:53 -0400
> > > From: stian at redhat.com
> > > To: chamantha at outlook.com
> > > CC: keycloak-user at lists.jboss.org
> > > Subject: Re: [keycloak-user] Update the user only with required fields
> > >
> > > You can just send the user json and only include the attributes you want to
> > > change.
> > >
> > > ----- Original Message -----
> > > > From: "Chamantha De Silva"
> > > > To: keycloak-user at lists.jboss.org
> > > > Sent: Thursday, 25 June, 2015 1:22:31 AM
> > > > Subject: [keycloak-user] Update the user only with required fields
> > > >
> > > > Hi Team,
> > > >
> > > > There are situations where we use the update user REST API to update just one
> > > > element of a user (e.g. enabled: false).
> > > > This requires a pre-fetched user object from the GET user call; otherwise
> > > > the rest of the user information tends to be truncated after the update call.
> > > >
> > > > Is there a possibility to update only specific elements of the user instead
> > > > of sending the whole user object (the objective is to avoid the GET call right
> > > > before the update call and avoid the possibility of data truncation)?
> > > > Your kind reply is highly appreciated.
> > > >
> > > > Best regards,
> > > > Chamantha

From stephen.more at gmail.com Sun Jul 5 12:00:00 2015
From: stephen.more at gmail.com (Stephen More)
Date: Sun, 5 Jul 2015 12:00:00 -0400
Subject: [keycloak-user] Multi tenant plus administration Rest api
In-Reply-To:
References:
Message-ID:

How could I extend the multi-tenant example (https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant) to make a REST admin API call back to keycloak using Java? I think this would be a helpful example in upcoming releases.

Thanks
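The GET-merge-PUT pattern behind the "update the user only with required fields" thread (a partial PUT body emptying the fields it omits), together with the "admin REST call from Java" Stephen asks about, as an added example; it is not code from either thread or from the Keycloak project. It assumes the Keycloak 1.x classes org.keycloak.representations.idm.UserRepresentation and org.keycloak.util.JsonSerialization on the classpath, an admin bearer token already in hand, and the user path segment exactly as the poster used it (the username; later releases key this endpoint by user id).

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;

import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.util.JsonSerialization;

/**
 * Added example (not from the thread or the Keycloak project). A PUT on the admin user
 * endpoint stores the representation it receives, which is why {"enabled":false} on its
 * own left firstName, lastName and email empty in the thread's 1.2.0 run. The safe
 * pattern is: GET the current user, overlay only the fields the caller set, PUT back.
 */
public class SafeUserUpdate {

    /** Copy every field the patch actually carries onto the current representation. */
    public static UserRepresentation merge(UserRepresentation current, UserRepresentation patch) {
        if (patch.isEnabled() != null) current.setEnabled(patch.isEnabled());
        if (patch.isEmailVerified() != null) current.setEmailVerified(patch.isEmailVerified());
        if (patch.isTotp() != null) current.setTotp(patch.isTotp());
        if (patch.getFirstName() != null) current.setFirstName(patch.getFirstName());
        if (patch.getLastName() != null) current.setLastName(patch.getLastName());
        if (patch.getEmail() != null) current.setEmail(patch.getEmail());
        if (patch.getAttributes() != null) current.setAttributes(patch.getAttributes());
        if (patch.getRequiredActions() != null) current.setRequiredActions(patch.getRequiredActions());
        return current;
    }

    /**
     * GET the current user, merge the partial JSON into it and PUT the complete object back.
     * userPath is the last path segment: the username in the thread's 1.2.0 call, the user id
     * in later releases.
     */
    public static void update(String serverBase, String realm, String userPath,
                              String bearerToken, String partialJson) throws IOException {
        String url = serverBase + "/auth/admin/realms/" + realm + "/users/" + userPath;
        UserRepresentation current =
                JsonSerialization.readValue(call("GET", url, bearerToken, null), UserRepresentation.class);
        UserRepresentation patch = JsonSerialization.readValue(partialJson, UserRepresentation.class);
        call("PUT", url, bearerToken, JsonSerialization.writeValueAsString(merge(current, patch)));
    }

    /** Minimal JDK-only HTTP call with a bearer token; returns the response body (empty for 204). */
    private static String call(String method, String url, String token, String body) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
        conn.setRequestMethod(method);
        conn.setRequestProperty("Accept", "application/json");
        conn.setRequestProperty("Authorization", "Bearer " + token);
        if (body != null) {
            conn.setRequestProperty("Content-Type", "application/json");
            conn.setDoOutput(true);
            try (OutputStream out = conn.getOutputStream()) {
                out.write(body.getBytes(StandardCharsets.UTF_8));
            }
        }
        int status = conn.getResponseCode();
        if (status / 100 != 2) {
            throw new IOException(method + " " + url + " returned HTTP " + status);
        }
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (InputStream in = conn.getInputStream()) {
            byte[] chunk = new byte[4096];
            int n;
            while ((n = in.read(chunk)) != -1) {
                buf.write(chunk, 0, n);
            }
        }
        return new String(buf.toByteArray(), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws IOException {
        // Offline check on a constructed copy of the "before" representation from the thread
        // (attributes left out because their JSON shape changed between Keycloak releases).
        String before = "{\"id\":\"c2279ae4-99b7-403c-9ac7-0ff838ff1b83\",\"username\":\"test-user\","
                + "\"enabled\":true,\"totp\":false,\"emailVerified\":false,"
                + "\"firstName\":\"test\",\"lastName\":\"user\",\"email\":\"test-user@test.com\","
                + "\"requiredActions\":[]}";
        UserRepresentation current = JsonSerialization.readValue(before, UserRepresentation.class);
        UserRepresentation patch = JsonSerialization.readValue("{\"enabled\":false}", UserRepresentation.class);
        UserRepresentation merged = merge(current, patch);
        // Prints the full representation with enabled=false and firstName/lastName/email intact.
        System.out.println(JsonSerialization.writeValueAsString(merged));

        // Live run (optional): java SafeUserUpdate https://sso.example.test leapset test-user TOKEN
        if (args.length == 4) {
            update(args[0], args[1], args[2], args[3], "{\"enabled\":false}");
        }
    }
}
```

Because the merge touches only fields present in the patch, flags such as emailVerified and the requiredActions list keep their stored values instead of falling back to defaults.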
From Maurice.Quaedackers at planonsoftware.com Mon Jul 6 04:29:29 2015
From: Maurice.Quaedackers at planonsoftware.com (Maurice Quaedackers)
Date: Mon, 6 Jul 2015 10:29:29 +0200
Subject: [keycloak-user] Keycloak and Microsoft ADFS
Message-ID: <16DCFFB91025EF4DB80D3ECCA6E097E46DAE0ECF1A@NL-MAIL02.planon-fm.com>

Hello all,

Does anybody have experience with the combination of Keycloak and a SAML2 Identity Provider running on Microsoft ADFS?

On both sides I am not able to import the metadata XML files.

- Within Keycloak, when I try to import the ADFS IdP metadata.xml, the message "import was successful" comes up but no fields are filled in.
- Within ADFS, when I try to import the Keycloak SP metadata.xml, a message comes up that the XML file is not a valid format.

With kind regards,

Maurice Quaedackers
Planon Cloud Center
_____________________

Planon B.V.
Postbus 38074
6503 AB Nijmegen

Wijchenseweg 8
6537 TL Nijmegen

The Netherlands
T: +31 (0) 24 641 3135
F: +31 (0) 24 642 2942
E: maurice.quaedackers at planonsoftware.com
W: www.planonsoftware.com

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender.
From orestis.tsakiridis at telestax.com Mon Jul 6 07:33:14 2015
From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis)
Date: Mon, 6 Jul 2015 14:33:14 +0300
Subject: [keycloak-user] Change keycloak.json adapter config on the fly
Message-ID:

Hello,

I'm securing a REST bearer-only application using keycloak.

Is there any way to change the keycloak.json adapter config file on the fly so that it can take effect without restarting the container?

Will just editing keycloak.json work? I guess not.

What I want to do is complete an administrative task that will provide the information needed for keycloak.json, such as 'resource', edit keycloak.json and then make this configuration effective for the REST API.

Best regards

Orestis

From bburke at redhat.com Mon Jul 6 08:53:30 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 06 Jul 2015 08:53:30 -0400
Subject: [keycloak-user] Keycloak and Microsoft ADFS
In-Reply-To: <16DCFFB91025EF4DB80D3ECCA6E097E46DAE0ECF1A@NL-MAIL02.planon-fm.com>
References: <16DCFFB91025EF4DB80D3ECCA6E097E46DAE0ECF1A@NL-MAIL02.planon-fm.com>
Message-ID: <559A7A4A.9060308@redhat.com>

Can you log a JIRA and attach the ADFS IdP metadata.xml file?

On 7/6/2015 4:29 AM, Maurice Quaedackers wrote:
> Hello all,
>
> Does anybody have experience with the combination of Keycloak and a SAML2
> Identity Provider running on Microsoft ADFS?
>
> On both sides I am not able to import the metadata XML files.
>
> - Within Keycloak, when I try to import the ADFS IdP metadata.xml, the
> message "import was successful" comes up but no fields are filled in.
>
> - Within ADFS, when I try to import the Keycloak SP metadata.xml, a
> message comes up that the XML file is not a valid format.
>
> With kind regards,
>
> Maurice Quaedackers
> Planon Cloud Center
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Mon Jul 6 08:59:21 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 06 Jul 2015 08:59:21 -0400
Subject: [keycloak-user] Change keycloak.json adapter config on the fly
In-Reply-To:
References:
Message-ID: <559A7BA9.3010608@redhat.com>

If your client is JBoss/Wildfly, then you can call the JBoss CLI and edit the config.
http://keycloak.github.io/docs/userguide/html/ch08.html#d4e918

Otherwise, you'll have to implement this yourself using a config resolver. I think you can adapt the multitenancy support:

http://keycloak.github.io/docs/userguide/html/ch08.html#multi_tenancy

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From ssilvert at redhat.com Mon Jul 6 09:09:04 2015
From: ssilvert at redhat.com (Stan Silvert)
Date: Mon, 06 Jul 2015 09:09:04 -0400
Subject: [keycloak-user] Change keycloak.json adapter config on the fly
In-Reply-To: <559A7BA9.3010608@redhat.com>
References: <559A7BA9.3010608@redhat.com>
Message-ID: <559A7DF0.30307@redhat.com>

On 7/6/2015 8:59 AM, Bill Burke wrote:
> If your client is JBoss/Wildfly, then you can call the JBoss CLI and
> edit the config.
>
> http://keycloak.github.io/docs/userguide/html/ch08.html#d4e918

For this solution you will also need to redeploy the application. So after you make changes to the secure-deployment you use the CLI to redeploy:

/deployment=myapp.war/:redeploy

You don't have to restart the whole container though.

>
> Otherwise, you'll have to implement this yourself using a config
> resolver.
> I think you can adapt the multitenancy support:
>
> http://keycloak.github.io/docs/userguide/html/ch08.html#multi_tenancy
>

From srossillo at smartling.com Mon Jul 6 09:52:57 2015
From: srossillo at smartling.com (Scott Rossillo)
Date: Mon, 6 Jul 2015 09:52:57 -0400
Subject: [keycloak-user] Change keycloak.json adapter config on the fly
In-Reply-To:
References:
Message-ID:

Well, the keycloak.json config is just a means to configure a KeycloakDeployment from an AdapterConfig object. Specifically for the Spring adapter, the AdapterDeploymentContextBean would have to be aware that the deployment changed. There would be a minimal amount of code needed to support that and we can modify AdapterDeploymentContextBean to be more flexible.

Just so I understand what you're asking for: you want to be able to update a KeycloakDeployment on-the-fly, correct? Also, you're aware that a keycloak.json can be configured at startup via either environment variables or command-line properties, correct? You have to change at runtime?

I think the AdapterDeploymentContextBean should be as flexible as possible, however I have a small concern about the security of allowing certain properties to be swapped at runtime (e.g.
the realm-public-key and the auth-server-url).

Best,
Scott

From srossillo at smartling.com Mon Jul 6 09:54:43 2015
From: srossillo at smartling.com (Scott Rossillo)
Date: Mon, 6 Jul 2015 09:54:43 -0400
Subject: [keycloak-user] Change keycloak.json adapter config on the fly
In-Reply-To:
References:
Message-ID:

Sorry, just re-read the whole thread. Which adapter are you using?

On Mon, Jul 6, 2015 at 9:52 AM, Scott Rossillo wrote:
> Well, the keycloak.json config is just a means to configure
> a KeycloakDeployment from an AdapterConfig object. Specifically for the
> Spring adapter, the AdapterDeploymentContextBean would have to be aware
> that the deployment changed. There would be a minimal amount of code needed
> to support that and we can modify AdapterDeploymentContextBean to be more
> flexible.
>
> Just so I understand what you're asking for: you want to be able to update
> a KeycloakDeployment on-the-fly, correct?
> Also, you're aware that a
> keycloak.json can be configured at startup via either environment variables
> or command-line properties, correct? You have to change at runtime?
>
> I think the AdapterDeploymentContextBean should be as flexible as
> possible, however I have a small concern about the security of allowing
> certain properties to be swapped at runtime (e.g. the realm-public-key and
> the auth-server-url).
>
> Best,
> Scott
>

From orestis.tsakiridis at telestax.com Mon Jul 6 10:41:53 2015
From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis)
Date: Mon, 6 Jul 2015 17:41:53 +0300
Subject: [keycloak-user] Change keycloak.json adapter config on the fly
In-Reply-To:
References:
Message-ID:

Thanks all for your responses!

I'm using the JBoss/Wildfly adapter.
So, my case can be reduced to the following:

I have a Java REST bearer-only web application (no Spring context here) that is protected using keycloak1.json. I need to switch on the fly (at runtime, without container restart or re-deploying) to another keycloak2.json adapter config.

It seems that the multitenancy solution suggested by Bill should work.

Best regards

Orestis

On Mon, Jul 6, 2015 at 4:54 PM, Scott Rossillo wrote:
> Sorry, just re-read the whole thread. Which adapter are you using?
>
> On Mon, Jul 6, 2015 at 9:52 AM, Scott Rossillo wrote:
>
>> On Mon, Jul 6, 2015 at 7:33 AM, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:
>>
>>> Hello,
>>>
>>> I'm securing a REST bearer-only application using keycloak.
>>>
>>> Is there any way to change the keycloak.json adapter config file on the fly
>>> so that it can take effect without restarting the container?
>>>
>>> Will just editing keycloak.json work? I guess not.
>>>
>>> What I want to do is complete an administrative task that will provide
>>> the information needed for keycloak.json, such as 'resource', edit
>>> keycloak.json and then make this configuration effective for the REST API.
>>>
>>> Best regards
>>>
>>> Orestis
>>>

From fmrage at hotmail.com Mon Jul 6 16:04:27 2015
From: fmrage at hotmail.com (Fabio Monteiro)
Date: Mon, 6 Jul 2015 22:04:27 +0200
Subject: [keycloak-user] Is it possible to make the login keycloak page look different between several applications?
In-Reply-To:
References:
Message-ID:

Hi there,

We have a client that uses KeyCloak as a centralized server solution for grant and security access. We would like to know if it is possible to make the login page of KeyCloak look COMPLETELY different, and different between several apps?

Even better, is it possible to simply use ONLY REST communications from a business app to handle everything Keycloak has to offer in terms of security and identity?

Thanks a lot for your help, we are not sure about how to handle all this.

Fabio M
fmrage at hotmail.com
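The config-resolver route Bill points to in the "Change keycloak.json adapter config on the fly" thread, as an added example (not code from the thread, from the multi-tenant example or from the Keycloak project): a KeycloakConfigResolver that rebuilds the deployment from one admin-controlled keycloak.json whenever that file's modification time changes, so the file Orestis's administrative task writes takes effect on the next request with no redeploy. It assumes the Keycloak 1.x adapter-core types org.keycloak.adapters.HttpFacade, KeycloakConfigResolver, KeycloakDeployment and KeycloakDeploymentBuilder (later releases moved HttpFacade to org.keycloak.adapters.spi), a hypothetical directory /etc/myapp/keycloak, and registration through the keycloak.config.resolver context-param used by the multi-tenant example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileTime;

import org.keycloak.adapters.HttpFacade;
import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;

/**
 * Added example (not from the thread, the multi-tenant example or the Keycloak project).
 * Builds the adapter configuration from one fixed keycloak.json and rebuilds it only when
 * that file's modification time changes, so an administrative task that writes a new file
 * takes effect on the next request with no redeploy and no container restart.
 *
 * Registered the same way as the multi-tenant example's resolver, in web.xml:
 *   <context-param>
 *     <param-name>keycloak.config.resolver</param-name>
 *     <param-value>ReloadingKeycloakConfigResolver</param-value>
 *   </context-param>
 */
public class ReloadingKeycloakConfigResolver implements KeycloakConfigResolver {

    // Hypothetical path. The file is chosen here, never from anything in the request
    // (host, path, header), so no caller can steer the adapter to a different
    // realm-public-key or auth-server-url; only whoever can write this file can.
    private static final Path CONFIG_FILE = Paths.get("/etc/myapp/keycloak/keycloak.json");

    /** Immutable snapshot: a built deployment plus the mtime of the file it came from. */
    private static final class Snapshot {
        final KeycloakDeployment deployment;
        final FileTime mtime;

        Snapshot(KeycloakDeployment deployment, FileTime mtime) {
            this.deployment = deployment;
            this.mtime = mtime;
        }
    }

    private volatile Snapshot current;

    @Override
    public KeycloakDeployment resolve(HttpFacade.Request request) {
        Snapshot snap = current;
        try {
            // mtime granularity is filesystem-dependent (often 1 s); the admin task should
            // write a fresh file rather than edit in place to be sure the change is noticed.
            FileTime mtime = Files.getLastModifiedTime(CONFIG_FILE);
            if (snap == null || !snap.mtime.equals(mtime)) {
                snap = reload(mtime);
            }
        } catch (IOException | RuntimeException e) {
            // Unreadable, half-written or malformed file: keep serving the last good
            // deployment rather than dropping to an unconfigured adapter. With no good
            // deployment at all, fail the request instead of letting it through.
            if (snap == null) {
                throw new IllegalStateException("no usable adapter config at " + CONFIG_FILE, e);
            }
        }
        return snap.deployment;
    }

    /** Rebuild under a lock so concurrent requests parse the file once, not once each. */
    private synchronized Snapshot reload(FileTime mtime) throws IOException {
        Snapshot snap = current;
        if (snap != null && snap.mtime.equals(mtime)) {
            return snap;   // another thread already rebuilt it for this version of the file
        }
        try (InputStream in = Files.newInputStream(CONFIG_FILE)) {
            // Parses the same JSON that keycloak.json holds (realm, resource, auth-server-url,
            // realm-public-key, credentials...); a bad file throws here, before it is published.
            snap = new Snapshot(KeycloakDeploymentBuilder.build(in), mtime);
        }
        current = snap;
        return snap;
    }
}
```

To switch from keycloak1.json to keycloak2.json, the administrative task writes the new content to a temporary file in the same directory and renames it over keycloak.json, so no request ever observes a partially written file.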
From eugene.chow.ct at gmail.com Mon Jul 6 23:51:43 2015
From: eugene.chow.ct at gmail.com (Eugene Chow)
Date: Tue, 7 Jul 2015 11:51:43 +0800
Subject: [keycloak-user] Error decoding JSON response from custom identity provider
Message-ID: <787C4D43-23BB-4FB8-8D10-037647565ED3@gmail.com>

Hi all,

I'm trying to integrate Keycloak with a custom OpenID Connect identity provider. I got to the point where the server returned Keycloak a JSON response. I got the following error:

2015-07-07 02:39:46,013 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-12) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: Could not fetch attributes from userinfo endpoint.
...
Caused by: org.codehaus.jackson.JsonParseException: Unexpected character (',' (code 44)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: java.io.StringReader@183b074c; line: 3, column: 10]

Is there a way to peek at the content of the JSON response? I tried switching on debug mode in Wildfly, but the token wasn't printed in the logs.

Thanks!
Eugene

From rajat.nair at hp.com Tue Jul 7 07:44:36 2015
From: rajat.nair at hp.com (Nair, Rajat)
Date: Tue, 7 Jul 2015 11:44:36 +0000
Subject: [keycloak-user] Issues syncing users with LDAP (Keycloak v1.3.1/v1.2.0)
Message-ID:

Hi,

I have set up an LDAP server and configured Keycloak (under User Federation) to communicate with LDAP. Test connection and test authentication both work and Keycloak "seems" to be communicating with LDAP successfully, but when I try to sync users, no data is imported to Keycloak. I have tried with Keycloak release 1.3.1 and 1.2.0 Final.
Also tried with a simple LDAP schema (ou=customers,dc=xyz,dc=com) but still no luck. I'm attaching my LDAP settings (from phpLdap) and my Keycloak settings - could this be a configuration issue?

On Keycloak logs, I can see -

06:32:57,286 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] (default task-15) Sync all users from LDAP to local store: realm: 4b921ecb-e068-41d0-956d-fea12f2706cf, federation provider: myldapserver
06:32:57,301 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] (default task-15) Sync all users finished: 0 imported users, 0 updated users, 0 removed users

Any way I can debug further to figure out what is going on? Currently, Keycloak and LDAP are set up on different boxes.

-- Rajat

[Attachments (screenshots, not reproduced in the archive): Comm.LDAP.Settings.PNG, Comm.phpLDAP.Settings.PNG]

From bburke at redhat.com Tue Jul 7 08:48:53 2015
From: bburke at redhat.com (Bill Burke)
Date: Tue, 07 Jul 2015 08:48:53 -0400
Subject: [keycloak-user] Is it possible to make the login keycloak page look different between several applications?
Message-ID: <559BCAB5.8080906@redhat.com>

Thought I already answered this? It is possible to make keycloak login look entirely different.
The login pages all use Freemarker templates and you have the ability to override anything you want piecemeal, or you can entirely change the look and feel. Here's a good example of that:

https://developers.redhat.com/auth/realms/rhd/account

Here's the documentation on themes:

http://keycloak.github.io/docs/userguide/html/themes.html

Now, can you make it look completely different for different apps? Our theme framework does not have this capability. But the client making the call is available in the login.ftl template as a variable, so you could have a bunch of #if statements everywhere. It would look really ugly and be hard to maintain, but it would work.

On 7/6/2015 4:04 PM, Fabio Monteiro wrote:
> Hi there,
>
> We have a client that uses KeyCloak as a centralized server solution for
> grant and security access. We would like to know if it is possible to
> make the login page of KeyCloak look COMPLETELY different and different
> between several apps ?
>
> Even better, is it possible to simply use ONLY REST communications from
> a business app to handle everything Keycloak has to offer in terms of
> security and identity ??
>

Keycloak has a REST interface, but you are losing a lot of functionality if you just use that. Keycloak just becomes a backend store in that scenario...

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From stephen.more at gmail.com Tue Jul 7 10:01:50 2015
From: stephen.more at gmail.com (Stephen More)
Date: Tue, 7 Jul 2015 10:01:50 -0400
Subject: [keycloak-user] Multi tenant plus administration Rest api

Or perhaps a better question would be: Once a user is already logged into keycloak, how can I get an org.keycloak.representations.AccessTokenResponse without providing a password a second time?
On Sun, Jul 5, 2015 at 12:00 PM, Stephen More wrote:
> How could I extend the multi-tenant example (
> https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant
> ) to make a Rest admin api call back to keycloak using java ?
>
> I think this would be a helpful example in upcoming releases.
>
> Thanks

From bburke at redhat.com Tue Jul 7 10:08:22 2015
From: bburke at redhat.com (Bill Burke)
Date: Tue, 07 Jul 2015 10:08:22 -0400
Subject: [keycloak-user] Multi tenant plus administration Rest api
Message-ID: <559BDD56.90308@redhat.com>

The access token should already be available.

On 7/7/2015 10:01 AM, Stephen More wrote:
> Or perhaps a better question would be: Once a user is already logged
> into keycloak, how can a
> org.keycloak.representations.AccessTokenResponse without providing a
> password a second time ?
>
> On Sun, Jul 5, 2015 at 12:00 PM, Stephen More wrote:
>
>     How could I extend the multi-tenant example (
>     https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant
>     ) to make a Rest admin api call back to keycloak using java ?
>
>     I think this would be a helpful example in upcoming releases.
>
>     Thanks

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From thiago.addevico at gmail.com Tue Jul 7 10:57:00 2015
From: thiago.addevico at gmail.com (Thiago Presa)
Date: Tue, 7 Jul 2015 11:57:00 -0300
Subject: [keycloak-user] Testing JSR-250 annotated EJBs with Keycloak and Arquillian

Hi there,

Is there any documentation or examples on testing JSR-250 annotated EJBs with Keycloak and Arquillian?
I've found [1], but couldn't figure out how to use it in a test environment.

Best Regards,
Thiago Presa

[1] - https://github.com/keycloak/keycloak/blob/master/integration/adapter-core/src/main/java/org/keycloak/adapters/jaas/DirectAccessGrantsLoginModule.java

From stephen.more at gmail.com Tue Jul 7 12:46:34 2015
From: stephen.more at gmail.com (Stephen More)
Date: Tue, 7 Jul 2015 12:46:34 -0400
Subject: [keycloak-user] Multi tenant plus administration Rest api
In-Reply-To: <559BDD56.90308@redhat.com>

I have tried to add:

    org.keycloak.representations.IDToken idToken =
            principal.getKeycloakSecurityContext().getIdToken();
    org.keycloak.representations.AccessToken token =
            principal.getKeycloakSecurityContext().getToken();

    writer.write("<br>Access Token id: " + token.getId());
    writer.write("<br>Access Token String: "
            + principal.getKeycloakSecurityContext().getTokenString());
    writer.write("<br>ID Token id: " + idToken.getId());
    writer.write("<br>ID Token String: "
            + principal.getKeycloakSecurityContext().getIdTokenString());

    writer.write(String.format("<a href=\"/multitenant/%s/logout\">Logout</a>", realm));

    try
    {
        java.net.URL url = new java.net.URL(
                "http://localhost:8080/auth/admin/realms/"
                + principal.getKeycloakSecurityContext().getRealm() + "/roles");
        java.net.HttpURLConnection conn =
                (java.net.HttpURLConnection) url.openConnection();
        conn.setRequestMethod("GET");
        // reuse the logged-in user's access token as the bearer token for the admin REST API
        conn.setRequestProperty("Authorization", "Bearer "
                + principal.getKeycloakSecurityContext().getTokenString());
        java.io.BufferedReader in = new java.io.BufferedReader(
                new java.io.InputStreamReader(conn.getInputStream()));
        String line;
        while ((line = in.readLine()) != null)
        {
            writer.write(line);
        }
        in.close();
    }
    catch (Exception e)
    {
        e.printStackTrace();
    }

to keycloak-demo-1.3.1.Final/examples/multi-tenant/src/main/java/org/keycloak/example/multitenant/boundary/ProtectedServlet.java

But I am getting an error:

12:28:28,317 WARN [org.jboss.resteasy.core.ExceptionHandler] (default task-16) Failed executing GET /admin/realms/tenant1/roles: org.keycloak.services.ForbiddenException

In stepping through the AdminClient of the admin-access-app I have found an example bearer token was 1157 characters long.

principal.getKeycloakSecurityContext().getIdTokenString() turned out to be 645 characters long.

principal.getKeycloakSecurityContext().getTokenString() turned out to be 865 characters long.

What is it that I am missing?

On Tue, Jul 7, 2015 at 10:08 AM, Bill Burke wrote:
> The access token should already be available.
>
> On 7/7/2015 10:01 AM, Stephen More wrote:
> > Or perhaps a better question would be: Once a user is already logged
> > into keycloak, how can a
> > org.keycloak.representations.AccessTokenResponse without providing a
> > password a second time ?
> >
> > On Sun, Jul 5, 2015 at 12:00 PM, Stephen More wrote:
> >
> >     How could I extend the multi-tenant example (
> >     https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant
> >     ) to make a Rest admin api call back to keycloak using java ?
> >
> >     I think this would be a helpful example in upcoming releases.
> >
> >     Thanks
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From bburke at redhat.com Tue Jul 7 13:33:34 2015
From: bburke at redhat.com (Bill Burke)
Date: Tue, 07 Jul 2015 13:33:34 -0400
Subject: [keycloak-user] Testing JSR-250 annotated EJBs with Keycloak and Arquillian
Message-ID: <559C0D6E.7060206@redhat.com>

You mean RolesAllowed and stuff? It should just work:

http://keycloak.github.io/docs/userguide/html/ch08.html#jboss-adapter

Search for EJB. You have to create a security domain to propagate the security context, but it's a simple step.

On 7/7/2015 10:57 AM, Thiago Presa wrote:
> Hi there,
>
> Is there any documentation or examples on testing JSR-250 annotated EJBs
> with Keycloak and Arquillian? I've found [1], but couldn't figure out
> how to use it in a test environment.
>
> Best Regards,
> Thiago Presa
>
> [1] -
> https://github.com/keycloak/keycloak/blob/master/integration/adapter-core/src/main/java/org/keycloak/adapters/jaas/DirectAccessGrantsLoginModule.java

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From mposolda at redhat.com Wed Jul 8 06:20:26 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 08 Jul 2015 12:20:26 +0200
Subject: [keycloak-user] Multi tenant plus administration Rest api
Message-ID: <559CF96A.2020004@redhat.com>

It looks like an authorization issue. Your user either doesn't have the required roles or your client is missing scopes (which means that roles are not propagated to the accessToken). To just view roles, you need the role "view-realm" of client "realm-management".

Marek

On 7.7.2015 18:46, Stephen More wrote:
> I have tried to add:
>
>     org.keycloak.representations.IDToken idToken =
>             principal.getKeycloakSecurityContext().getIdToken();
>     org.keycloak.representations.AccessToken token =
>             principal.getKeycloakSecurityContext().getToken();
>
>     writer.write("<br>Access Token id: " + token.getId());
>     writer.write("<br>Access Token String: "
>             + principal.getKeycloakSecurityContext().getTokenString());
>     writer.write("<br>ID Token id: " + idToken.getId());
>     writer.write("<br>ID Token String: "
>             + principal.getKeycloakSecurityContext().getIdTokenString());
>
>     writer.write(String.format("<a href=\"/multitenant/%s/logout\">Logout</a>", realm));
>
>     try
>     {
>         java.net.URL url = new java.net.URL(
>                 "http://localhost:8080/auth/admin/realms/"
>                 + principal.getKeycloakSecurityContext().getRealm() + "/roles");
>         java.net.HttpURLConnection conn =
>                 (java.net.HttpURLConnection) url.openConnection();
>         conn.setRequestMethod("GET");
>         conn.setRequestProperty("Authorization", "Bearer "
>                 + principal.getKeycloakSecurityContext().getTokenString());
>         java.io.BufferedReader in = new java.io.BufferedReader(
>                 new java.io.InputStreamReader(conn.getInputStream()));
>         String line;
>         while ((line = in.readLine()) != null)
>         {
>             writer.write(line);
>         }
>         in.close();
>     }
>     catch (Exception e)
>     {
>         e.printStackTrace();
>     }
>
> to
> keycloak-demo-1.3.1.Final/examples/multi-tenant/src/main/java/org/keycloak/example/multitenant/boundary/ProtectedServlet.java
>
> But I am getting an error:
> 12:28:28,317 WARN [org.jboss.resteasy.core.ExceptionHandler] (default
> task-16) Failed executing GET /admin/realms/tenant1/roles:
> org.keycloak.services.ForbiddenException
>
> In stepping through the AdminClient of the admin-access-app I have
> found an example bearer token was 1157 characters long.
>
> principal.getKeycloakSecurityContext().getIdTokenString() turned out
> to be 645 characters long.
>
> principal.getKeycloakSecurityContext().getTokenString() turned out to
> be 865 characters long.
>
> What is it that I am missing ?
>
> On Tue, Jul 7, 2015 at 10:08 AM, Bill Burke wrote:
>
>     The access token should already be available.
>
>     On 7/7/2015 10:01 AM, Stephen More wrote:
>     > Or perhaps a better question would be: Once a user is already logged
>     > into keycloak, how can a
>     > org.keycloak.representations.AccessTokenResponse without providing a
>     > password a second time ?
>     >
>     > On Sun, Jul 5, 2015 at 12:00 PM, Stephen More wrote:
>     >
>     >     How could I extend the multi-tenant example (
>     >     https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant
>     >     ) to make a Rest admin api call back to keycloak using java ?
>     >
>     >     I think this would be a helpful example in upcoming releases.
>     >
>     >     Thanks
>
>     --
>     Bill Burke
>     JBoss, a division of Red Hat
>     http://bill.burkecentral.com

From mposolda at redhat.com Wed Jul 8 06:31:39 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 08 Jul 2015 12:31:39 +0200
Subject: [keycloak-user] Issues syncing users with LDAP (Keycloak v1.3.1/v1.2.0)
Message-ID: <559CFC0B.20104@redhat.com>

On 7.7.2015 13:44, Nair, Rajat wrote:
>
> Hi,
>
> I have setup LDAP server and configured Keycloak (under User
> Federation) to communicate with LDAP. Test connection and test
> authentication both work and Keycloak "seems" to be communicating with
> LDAP successfully, but when I try to sync users, no data is imported
> to Keycloak. I have tried with Keycloak release 1.3.1 and 1.2.0 Final.
> Also tried with simple LDAP schema (ou=customers,dc=xyz,dc=com) but
> still no luck.
>
> I'm attaching my LDAP setting (from phpLdap) and my Keycloak settings
> - could this be configuration issues?
>
Yes, for "User Object classes" you are supposed to enter all values of the objectClass attribute of your typical user record in LDAP. For your case, it might be sufficient to enter just the value "inetOrgPerson".

In latest master, I've improved the description of the User Object classes tooltip a bit to clarify this a bit more. Let me know if still seeing issues.

Thanks,
Marek

>
> On Keycloak logs, I can see -
>
> 06:32:57,286 INFO
> [org.keycloak.federation.ldap.LDAPFederationProviderFactory] (default
> task-15) Sync all users from LDAP to local store: realm:
> 4b921ecb-e068-41d0-956d-fea12f2706cf, federation provider: myldapserver
>
> 06:32:57,301 INFO
> [org.keycloak.federation.ldap.LDAPFederationProviderFactory] (default
> task-15) Sync all users finished: 0 imported users, 0 updated users, 0
> removed users
>
> Any way I can debug further to figure out what is going on? Currently,
> Keycloak and LDAP are setup on different boxes.
>
> -- Rajat

From rajat.nair at hp.com Wed Jul 8 06:36:18 2015
From: rajat.nair at hp.com (Nair, Rajat)
Date: Wed, 8 Jul 2015 10:36:18 +0000
Subject: [keycloak-user] Issues syncing users with LDAP (Keycloak v1.3.1/v1.2.0)
In-Reply-To: <559CFC0B.20104@redhat.com>

Thanks for the tip Marek. That was the issue. Adding this information as a tooltip will positively help future users.
-- Rajat

From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Wednesday, July 08, 2015 4:02 PM
To: Nair, Rajat; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Issues syncing users with LDAP (Keycloak v1.3.1/v1.2.0)

On 7.7.2015 13:44, Nair, Rajat wrote:

Hi,

I have setup LDAP server and configured Keycloak (under User Federation) to communicate with LDAP. Test connection and test authentication both work and Keycloak "seems" to be communicating with LDAP successfully, but when I try to sync users, no data is imported to Keycloak. I have tried with Keycloak release 1.3.1 and 1.2.0 Final. Also tried with simple LDAP schema (ou=customers,dc=xyz,dc=com) but still no luck.

I'm attaching my LDAP setting (from phpLdap) and my Keycloak settings - could this be configuration issues?

Yes, for "User Object classes" you are supposed to enter all values of the objectClass attribute of your typical user record in LDAP. For your case, it might be sufficient to enter just the value "inetOrgPerson".

In latest master, I've improved the description of the User Object classes tooltip a bit to clarify this a bit more. Let me know if still seeing issues.

Thanks,
Marek

On Keycloak logs, I can see -

06:32:57,286 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] (default task-15) Sync all users from LDAP to local store: realm: 4b921ecb-e068-41d0-956d-fea12f2706cf, federation provider: myldapserver
06:32:57,301 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] (default task-15) Sync all users finished: 0 imported users, 0 updated users, 0 removed users

Any way I can debug further to figure out what is going on? Currently, Keycloak and LDAP are setup on different boxes.

-- Rajat
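For the LDAP thread just closed (and the duplicate-user behaviour Marek describes later in this digest), here is an added example that is not code from the list or from the Keycloak project: a small Python simulation of what "Sync all users" does with the "User Object classes" setting. It assumes that Keycloak turns every configured object class into one (objectClass=...) condition ANDed into the user search filter, so a class the directory entries do not carry makes the search return nothing ("0 imported users"), and that a local user with the same username or email that is not linked to the federation provider makes only that user's sync fail while the others proceed. All directory entries and local users below are constructed sample data.

```python
"""Simulate Keycloak's 'Sync all users' against the User Object classes setting.

Added example, not Keycloak code. Assumptions (see lead-in): every configured
object class becomes an ANDed (objectClass=...) filter condition; a clashing
local user that is not linked to the provider fails alone, others continue.
"""
from typing import Dict, Iterable, List, Optional, Tuple

PROVIDER = "myldapserver"  # federation provider name taken from the log in the thread

# Constructed directory entries: a typical inetOrgPerson record created from
# phpLDAPadmin carries these four objectClass values.
INET_ORG_PERSON = ["top", "person", "organizationalPerson", "inetOrgPerson"]
LDAP_ENTRIES: List[Dict] = [
    {"uid": "alice", "mail": "alice@xyz.com", "objectClass": INET_ORG_PERSON},
    {"uid": "bob", "mail": "bob@xyz.com", "objectClass": INET_ORG_PERSON},
    {"uid": "user7", "mail": "user7@xyz.com", "objectClass": INET_ORG_PERSON},
]

# Constructed local Keycloak users: username -> (email, federation_link).
# user7 was created by hand in the admin console, so it has no federation link.
LOCAL_USERS: Dict[str, Tuple[str, Optional[str]]] = {
    "user7": ("user7@xyz.com", None),
}


def build_user_filter(object_classes: Iterable[str], username_attr: str = "uid") -> str:
    """Search filter assumed to be sent to LDAP: ALL configured classes must match."""
    conditions = "".join(f"(objectClass={oc})" for oc in object_classes)
    return f"(&{conditions}({username_attr}=*))"


def entry_matches(entry: Dict, object_classes: Iterable[str]) -> bool:
    """An entry is returned by the search only if it carries every configured class."""
    return all(oc in entry["objectClass"] for oc in object_classes)


def find_clash(local: Dict[str, Tuple[str, Optional[str]]], username: str, email: str):
    """Local user with the same username or the same email, if any: (name, link)."""
    for uname, (uemail, link) in local.items():
        if uname == username or uemail == email:
            return uname, link
    return None


def sync_all_users(entries: List[Dict], object_classes: List[str],
                   local_users: Dict[str, Tuple[str, Optional[str]]],
                   provider: str = PROVIDER) -> Tuple[int, int, int]:
    """Simulate one 'Sync all users' run. Returns (imported, updated, failed)."""
    imported = updated = failed = 0
    local = dict(local_users)  # work on a copy so the caller's store is unchanged
    for entry in entries:
        if not entry_matches(entry, object_classes):
            continue  # filtered out by LDAP itself; Keycloak never sees the entry
        username, email = entry["uid"], entry["mail"]
        clash = find_clash(local, username, email)
        if clash is None:
            local[username] = (email, provider)
            imported += 1
        elif clash[1] == provider:
            local[clash[0]] = (email, provider)  # already ours: refresh attributes
            updated += 1
        else:
            failed += 1  # duplicate not linked to this provider: only this user is skipped
    return imported, updated, failed


def sync_log_line(counts: Tuple[int, int, int]) -> str:
    """Render counts in the format of the LDAPFederationProviderFactory log line.
    Removal of users is not simulated here, so 'removed' is always 0."""
    imported, updated, failed = counts
    line = (f"Sync all users finished: {imported} imported users, "
            f"{updated} updated users, 0 removed users")
    return line + (f", {failed} users failed sync!" if failed else "")


if __name__ == "__main__":
    # The symptom in the thread: a class the entries do not carry matches nothing.
    print(build_user_filter(["inetOrgPerson", "posixAccount"]))
    print(sync_log_line(sync_all_users(LDAP_ENTRIES, ["inetOrgPerson", "posixAccount"], LOCAL_USERS)))
    # With just inetOrgPerson, two users import and only the unlinked duplicate fails.
    print(sync_log_line(sync_all_users(LDAP_ENTRIES, ["inetOrgPerson"], LOCAL_USERS)))
```

Run it as a script to see the "0 imported users" line reproduced with the wrong object class and the partial-failure line with the right one; in a real deployment, compare the filter it prints with the objectClass values your directory actually returns for one user.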
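Returning to the earlier "Multi tenant plus administration Rest api" thread, here is an added example that is not code from the list or from the Keycloak project: before a servlet reuses the logged-in user's access token against the admin REST API, it inspects the token's claims and reports which realm-management role is missing, so a ForbiddenException can be diagnosed instead of guessed at. It assumes the token is a JWT whose client roles sit under resource_access.<client>.roles (the Keycloak access-token layout). The sample token is constructed here and signed with HS256 under a demo secret so the example runs offline; Keycloak itself signs access tokens with the realm's RSA key, so a real check verifies against that public key instead.

```python
"""Inspect a Keycloak-style access token before calling the admin REST API.

Added example, not Keycloak code. The HS256 demo signing and the sample claims
below are constructed for an offline run; real tokens are RS256-signed by the
realm and must be verified against the realm's public key before any claim is
used for an authorization decision.
"""
import base64
import hashlib
import hmac
import json
from typing import Dict, List

DEMO_SECRET = b"demo-secret-not-a-real-key"  # constructed, for the sample token only


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_demo_token(claims: Dict, secret: bytes = DEMO_SECRET) -> str:
    """Constructed HS256 JWT so the checks below have something to run on."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_signature(token: str, secret: bytes = DEMO_SECRET) -> bool:
    """Constant-time check of the HS256 signature over header.payload."""
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))


def verified_claims(token: str, secret: bytes = DEMO_SECRET) -> Dict:
    """Decode the payload only after the signature verifies."""
    if not verify_signature(token, secret):
        raise ValueError("token signature does not verify")
    return json.loads(_b64url_decode(token.split(".")[1]))


def client_roles(claims: Dict, client_id: str) -> List[str]:
    """Roles granted for one client (e.g. realm-management) in the token."""
    return list(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))


def missing_roles(claims: Dict, required: List[str],
                  client_id: str = "realm-management") -> List[str]:
    """Required client roles that the token does not carry; empty means the
    admin endpoint should not reject the call on roles."""
    present = set(client_roles(claims, client_id))
    return [r for r in required if r not in present]


def explain_forbidden(token: str, endpoint_roles: List[str]) -> str:
    """Human-readable diagnosis for a 403 from the admin REST API."""
    absent = missing_roles(verified_claims(token), endpoint_roles)
    if not absent:
        return "token carries the required realm-management roles"
    return ("token lacks realm-management role(s) " + ", ".join(absent)
            + "; either the user is not assigned them or the client's scope "
              "does not propagate them into the access token")


# Constructed sample: a user who only holds the default account-client roles,
# which is exactly the token that gets a ForbiddenException on /admin/realms/{realm}/roles.
SAMPLE_CLAIMS = {
    "iss": "http://localhost:8080/auth/realms/tenant1",
    "preferred_username": "alice",
    "resource_access": {
        "account": {"roles": ["view-profile", "manage-account"]},
    },
}

if __name__ == "__main__":
    token = build_demo_token(SAMPLE_CLAIMS)
    print(explain_forbidden(token, ["view-realm"]))
```

The roles an endpoint needs are the ones Marek names ("view-realm" on "realm-management" for listing roles); the second half of the diagnosis, the client scope, is why a user who does hold the role can still receive a 403 when the client is not allowed to put that role into the token.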
From rajat.nair at hp.com Wed Jul 8 12:26:42 2015
From: rajat.nair at hp.com (Nair, Rajat)
Date: Wed, 8 Jul 2015 16:26:42 +0000
Subject: [keycloak-user] Errors while running LDAP integration test

Hi,

During LDAP integration with Keycloak (v1.3.1), we get to see a "Unique index or primary key violation" exception while trying to login with an LDAP user on Keycloak's account service site. I set up the latest Keycloak source (from Github) to debug this issue. During build, I saw the same error when LDAP integration tests were running. Here are the logs -

21:40:24,624 INFO [org.keycloak.testsuite.KeycloakServer] Imported realm test
21:40:24,709 INFO [org.keycloak.federation.ldap.LDAPIdentityStoreRegistry] Creating new LDAP based partition manager for the Federation provider: test-ldap, LDAP Configuration: {bindDn=uid=admin,ou=system, userObjectClasses=null, baseDn=dc=keycloak,dc=org, usersDn=ou=People,dc=keycloak,dc=org, vendor=other, kerberosRealm=KEYCLOAK.ORG, syncRegistrations=false, userAccountControlsAfterPasswordUpdate=false, debug=true, connectionPooling=true, serverPrincipal=HTTP/localhost at KEYCLOAK.ORG, usernameLDAPAttribute=null, allowKerberosAuthentication=false, useKerberosForPasswordAuthentication=false, rdnLDAPAttribute=null, keyTab=/home/USER/apps/keycloak/testsuite/integration/target/test-classes/kerberos/http.keytab, batchSizeForSync=3, connectionUrl=ldap://localhost:10389, allowPasswordAuthentication=true, editMode=WRITABLE, updateProfileFirstLogin=true, pagination=true}
21:40:25,790 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync all users from LDAP to local store: realm: test, federation provider: test-ldap
21:40:25,845 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync all users finished: 5 imported users, 0 updated users, 0 removed users
21:40:26,862 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync changed users from LDAP to local store: realm: test, federation provider: test-ldap, last sync time: Wed Jul 08 21:40:25 IST 2015
21:40:26,900 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync changed users finished: 1 imported users, 1 updated users, 0 removed users
21:40:26,920 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync all users from LDAP to local store: realm: test, federation provider: test-ldap
21:40:26,962 WARN [org.keycloak.federation.ldap.LDAPFederationProviderFactory] User 'user7' is not updated during sync as he already exists in Keycloak database but is not linked to federation provider 'test-ldap'
21:40:26,969 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync all users finished: 0 imported users, 6 updated users, 0 removed users, 1 users failed sync! See server log for more details
21:40:26,981 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync all users from LDAP to local store: realm: test, federation provider: test-ldap
21:40:27,054 ERROR [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Failed during import user from LDAP
org.keycloak.models.ModelDuplicateException: javax.persistence.PersistenceException: org.hibernate.exception.ConstraintViolationException: Unique index or primary key violation: "UK_DYKN684SL8UP1CRFEI6ECKHD7_INDEX_D ON PUBLIC.USER_ENTITY(REALM_ID, EMAIL_CONSTRAINT) VALUES ('test', 'user7 at email.org', 21)"; SQL statement: update USER_ENTITY set CREATED_TIMESTAMP=?, EMAIL=?, EMAIL_CONSTRAINT=?, EMAIL_VERIFIED=?, ENABLED=?, federation_link=?, FIRST_NAME=?, LAST_NAME=?, REALM_ID=?, TOTP=?, USERNAME=? where ID=?
[23505-187] at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:40) at org.keycloak.connections.jpa.JpaKeycloakTransaction.commit(JpaKeycloakTransaction.java:30) at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:58) at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:247) at org.keycloak.federation.ldap.LDAPFederationProviderFactory.importLdapUsers(LDAPFederationProviderFactory.java:286) at org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncImpl(LDAPFederationProviderFactory.java:241) at org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncAllUsers(LDAPFederationProviderFactory.java:200) at org.keycloak.services.managers.UsersSyncManager.syncAllUsers(UsersSyncManager.java:50) at org.keycloak.testsuite.federation.SyncProvidersTest.test02duplicateUsernameSync(SyncProvidersTest.java:200) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50) at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12) at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47) at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17) at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325) at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:78) at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:57) at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290) at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71) at 
org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288) at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58) at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268) at org.junit.rules.ExternalResource$1.evaluate(ExternalResource.java:48) at org.junit.rules.ExternalResource$1.evaluate(ExternalResource.java:48) at org.junit.rules.RunRules.evaluate(RunRules.java:20) at org.junit.runners.ParentRunner.run(ParentRunner.java:363) at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:264) at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:153) at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:124) at org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:200) at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:153) at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:103) Caused by: javax.persistence.PersistenceException: org.hibernate.exception.ConstraintViolationException: Unique index or primary key violation: "UK_DYKN684SL8UP1CRFEI6ECKHD7_INDEX_D ON PUBLIC.USER_ENTITY(REALM_ID, EMAIL_CONSTRAINT) VALUES ('test', 'user7 at email.org', 21)"; SQL statement: update USER_ENTITY set CREATED_TIMESTAMP=?, EMAIL=?, EMAIL_CONSTRAINT=?, EMAIL_VERIFIED=?, ENABLED=?, federation_link=?, FIRST_NAME=?, LAST_NAME=?, REALM_ID=?, TOTP=?, USERNAME=? where ID=? [23505-187] at org.hibernate.ejb.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1361) at org.hibernate.ejb.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1289) at org.hibernate.ejb.TransactionImpl.commit(TransactionImpl.java:78) at org.keycloak.connections.jpa.JpaKeycloakTransaction.commit(JpaKeycloakTransaction.java:28) ... 
33 more Caused by: org.hibernate.exception.ConstraintViolationException: Unique index or primary key violation: "UK_DYKN684SL8UP1CRFEI6ECKHD7_INDEX_D ON PUBLIC.USER_ENTITY(REALM_ID, EMAIL_CONSTRAINT) VALUES ('test', 'user7 at email.org', 21)"; SQL statement: update USER_ENTITY set CREATED_TIMESTAMP=?, EMAIL=?, EMAIL_CONSTRAINT=?, EMAIL_VERIFIED=?, ENABLED=?, federation_link=?, FIRST_NAME=?, LAST_NAME=?, REALM_ID=?, TOTP=?, USERNAME=? where ID=? [23505-187] at org.hibernate.exception.internal.SQLStateConversionDelegate.convert(SQLStateConversionDelegate.java:128) at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:47) at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:125) at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:110) at org.hibernate.engine.jdbc.internal.proxy.AbstractStatementProxyHandler.continueInvocation(AbstractStatementProxyHandler.java:129) at org.hibernate.engine.jdbc.internal.proxy.AbstractProxyHandler.invoke(AbstractProxyHandler.java:81) at com.sun.proxy.$Proxy54.executeUpdate(Unknown Source) at org.hibernate.engine.jdbc.batch.internal.NonBatchingBatch.addToBatch(NonBatchingBatch.java:56) at org.hibernate.persister.entity.AbstractEntityPersister.update(AbstractEntityPersister.java:3006) at org.hibernate.persister.entity.AbstractEntityPersister.updateOrInsert(AbstractEntityPersister.java:2908) at org.hibernate.persister.entity.AbstractEntityPersister.update(AbstractEntityPersister.java:3237) at org.hibernate.action.internal.EntityUpdateAction.execute(EntityUpdateAction.java:113) at org.hibernate.engine.spi.ActionQueue.execute(ActionQueue.java:272) at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:264) at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:187) at org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:326) at 
org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:52) at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1081) at org.hibernate.internal.SessionImpl.managedFlush(SessionImpl.java:315) at org.hibernate.engine.transaction.internal.jdbc.JdbcTransaction.beforeTransactionCommit(JdbcTransaction.java:101) at org.hibernate.engine.transaction.spi.AbstractTransactionImpl.commit(AbstractTransactionImpl.java:175) at org.hibernate.ejb.TransactionImpl.commit(TransactionImpl.java:73) ... 34 more Caused by: org.h2.jdbc.JdbcSQLException: Unique index or primary key violation: "UK_DYKN684SL8UP1CRFEI6ECKHD7_INDEX_D ON PUBLIC.USER_ENTITY(REALM_ID, EMAIL_CONSTRAINT) VALUES ('test', 'user7 at email.org', 21)"; SQL statement: update USER_ENTITY set CREATED_TIMESTAMP=?, EMAIL=?, EMAIL_CONSTRAINT=?, EMAIL_VERIFIED=?, ENABLED=?, federation_link=?, FIRST_NAME=?, LAST_NAME=?, REALM_ID=?, TOTP=?, USERNAME=? where ID=? [23505-187] at org.h2.message.DbException.getJdbcSQLException(DbException.java:345) at org.h2.message.DbException.get(DbException.java:179) at org.h2.message.DbException.get(DbException.java:155) at org.h2.index.BaseIndex.getDuplicateKeyException(BaseIndex.java:102) at org.h2.mvstore.db.MVSecondaryIndex.checkUnique(MVSecondaryIndex.java:233) at org.h2.mvstore.db.MVSecondaryIndex.add(MVSecondaryIndex.java:191) at org.h2.mvstore.db.MVTable.addRow(MVTable.java:638) at org.h2.table.Table.updateRows(Table.java:478) at org.h2.command.dml.Update.update(Update.java:145) at org.h2.command.CommandContainer.update(CommandContainer.java:78) at org.h2.command.Command.executeUpdate(Command.java:254) at org.h2.jdbc.JdbcPreparedStatement.executeUpdateInternal(JdbcPreparedStatement.java:157) at org.h2.jdbc.JdbcPreparedStatement.executeUpdate(JdbcPreparedStatement.java:143) at sun.reflect.GeneratedMethodAccessor261.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at 
java.lang.reflect.Method.invoke(Method.java:606)
 at org.hibernate.engine.jdbc.internal.proxy.AbstractStatementProxyHandler.continueInvocation(AbstractStatementProxyHandler.java:122)
 ... 51 more
21:40:27,103 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync all users finished: 1 imported users, 6 updated users, 0 removed users, 1 users failed sync! See server log for more details
21:40:27,110 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync all users from LDAP to local store: realm: test, federation provider: test-ldap
21:40:27,167 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync all users finished: 1 imported users, 6 updated users, 0 removed users
21:40:28,175 INFO [org.keycloak.testsuite.DummyUserFederationProviderFactory] syncChangedUsers invoked

Is this a known issue?

-- Rajat

From mposolda at redhat.com Thu Jul 9 02:25:02 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 09 Jul 2015 08:25:02 +0200
Subject: [keycloak-user] Errors while running LDAP integration test
Message-ID: <559E13BE.8090901@redhat.com>

Hi,

this is actually expected. I've added a new test for the fix of syncing bugs with a duplicated username or email. The test asserts that a user is not synced from LDAP if there is already another user with the same username or email in the Keycloak database. And the test also asserts that just the syncing of the "duplicated" user fails but other users are successfully synced (the whole sync transaction is not broken as it was in 1.3.1). As I can see in your log, it works as expected and the test is passing, is it correct?

Yesterday I've added some more fixes (now there is no ConstraintException thrown from the DB but there is a check for duplications triggered earlier from Keycloak).
So I suggest updating to latest master and trying it now. Please let me know if you are still seeing issues. I will do a bit more testing and will add the LDAP example today, so there might still be some changes, but I hope not many. Thanks, Marek On 8.7.2015 18:26, Nair, Rajat wrote: > > Hi, > > During LDAP integration with Keycloak (v1.3.1), we get to see a > 'Unique index or primary key violation' exception while trying to > login with an LDAP user on Keycloak's account service site. I set up > the latest Keycloak source (from GitHub) to debug this issue. During > build, I saw the same error when LDAP integration tests were running. > Here are the logs: > > /21:40:24,624 INFO [org.keycloak.testsuite.KeycloakServer] Imported > realm test/ > > /21:40:24,709 INFO > [org.keycloak.federation.ldap.LDAPIdentityStoreRegistry] Creating new > LDAP based partition manager for the Federation provider: test-ldap, > LDAP Configuration: {bindDn=uid=admin,ou=system, > userObjectClasses=null, baseDn=dc=keycloak,dc=org, > usersDn=ou=People,dc=keycloak,dc=org, vendor=other, > kerberosRealm=KEYCLOAK.ORG, syncRegistrations=false, > userAccountControlsAfterPasswordUpdate=false, debug=true, > connectionPooling=true, serverPrincipal=HTTP/localhost at KEYCLOAK.ORG, > usernameLDAPAttribute=null, allowKerberosAuthentication=false, > useKerberosForPasswordAuthentication=false, rdnLDAPAttribute=null, > keyTab=/home/USER/apps/keycloak/testsuite/integration/target/test-classes/kerberos/http.keytab, > batchSizeForSync=3, connectionUrl=ldap://localhost:10389, > allowPasswordAuthentication=true, editMode=WRITABLE, > updateProfileFirstLogin=true, pagination=true}/ > > /21:40:25,790 INFO > [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync all > users from LDAP to local store: realm: test, federation provider: > test-ldap/ > > /21:40:25,845 INFO > [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync all > users finished: 5 imported users, 0 updated users, 0 removed users/ > > 
/21:40:26,862 INFO > [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync > changed users from LDAP to local store: realm: test, federation > provider: test-ldap, last sync time: Wed Jul 08 21:40:25 IST 2015/ > > /21:40:26,900 INFO > [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync > changed users finished: 1 imported users, 1 updated users, 0 removed > users/ > > /21:40:26,920 INFO > [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync all > users from LDAP to local store: realm: test, federation provider: > test-ldap/ > > /21:40:26,962 WARN > [org.keycloak.federation.ldap.LDAPFederationProviderFactory] User > 'user7' is not updated during sync as he already exists in Keycloak > database but is not linked to federation provider 'test-ldap'/ > > /21:40:26,969 INFO > [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync all > users finished: 0 imported users, 6 updated users, 0 removed users, 1 > users failed sync! See server log for more details/ > > /21:40:26,981 INFO > [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync all > users from LDAP to local store: realm: test, federation provider: > test-ldap/ > > /21:40:27,054 ERROR > [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Failed > during import user from LDAP/ > > /org.keycloak.models.ModelDuplicateException: > javax.persistence.PersistenceException: > org.hibernate.exception.ConstraintViolationException: Unique index or > primary key violation: "UK_DYKN684SL8UP1CRFEI6ECKHD7_INDEX_D ON > PUBLIC.USER_ENTITY(REALM_ID, EMAIL_CONSTRAINT) VALUES ('test', > 'user7 at email.org', 21)"; SQL statement:/ > > /update USER_ENTITY set CREATED_TIMESTAMP=?, EMAIL=?, > EMAIL_CONSTRAINT=?, EMAIL_VERIFIED=?, ENABLED=?, federation_link=?, > FIRST_NAME=?, LAST_NAME=?, REALM_ID=?, TOTP=?, USERNAME=? where ID=? 
> [23505-187]/ > > / at > org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:40)/ > > / at > org.keycloak.connections.jpa.JpaKeycloakTransaction.commit(JpaKeycloakTransaction.java:30)/ > > / at > org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:58)/ > > / at > org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:247)/ > > / at > org.keycloak.federation.ldap.LDAPFederationProviderFactory.importLdapUsers(LDAPFederationProviderFactory.java:286)/ > > / at > org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncImpl(LDAPFederationProviderFactory.java:241)/ > > / at > org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncAllUsers(LDAPFederationProviderFactory.java:200)/ > > / at > org.keycloak.services.managers.UsersSyncManager.syncAllUsers(UsersSyncManager.java:50)/ > > / at > org.keycloak.testsuite.federation.SyncProvidersTest.test02duplicateUsernameSync(SyncProvidersTest.java:200)/ > > / at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)/ > > / at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)/ > > / at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)/ > > / at java.lang.reflect.Method.invoke(Method.java:606)/ > > / at > org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)/ > > / at > org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)/ > > / at > org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)/ > > / at > org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)/ > > / at > org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325)/ > > / at > org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:78)/ > > / at > 
org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:57)/ > > / at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)/ > > / at > org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)/ > > / at > org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)/ > > / at > org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)/ > > / at > org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)/ > > / at > org.junit.rules.ExternalResource$1.evaluate(ExternalResource.java:48)/ > > / at > org.junit.rules.ExternalResource$1.evaluate(ExternalResource.java:48)/ > > / at org.junit.rules.RunRules.evaluate(RunRules.java:20)/ > > / at org.junit.runners.ParentRunner.run(ParentRunner.java:363)/ > > / at > org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:264)/ > > / at > org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:153)/ > > / at > org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:124)/ > > / at > org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:200)/ > > / at > org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:153)/ > > / at > org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:103)/ > > /Caused by: javax.persistence.PersistenceException: > org.hibernate.exception.ConstraintViolationException: Unique index or > primary key violation: "UK_DYKN684SL8UP1CRFEI6ECKHD7_INDEX_D ON > PUBLIC.USER_ENTITY(REALM_ID, EMAIL_CONSTRAINT) VALUES ('test', > 'user7 at email.org', 21)"; SQL statement:/ > > /update USER_ENTITY set CREATED_TIMESTAMP=?, EMAIL=?, > EMAIL_CONSTRAINT=?, EMAIL_VERIFIED=?, ENABLED=?, federation_link=?, > FIRST_NAME=?, LAST_NAME=?, REALM_ID=?, TOTP=?, USERNAME=? where ID=? 
> [23505-187]/ > > / at > org.hibernate.ejb.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1361)/ > > / at > org.hibernate.ejb.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1289)/ > > / at > org.hibernate.ejb.TransactionImpl.commit(TransactionImpl.java:78)/ > > / at > org.keycloak.connections.jpa.JpaKeycloakTransaction.commit(JpaKeycloakTransaction.java:28)/ > > / ... 33 more/ > > /Caused by: org.hibernate.exception.ConstraintViolationException: > Unique index or primary key violation: > "UK_DYKN684SL8UP1CRFEI6ECKHD7_INDEX_D ON PUBLIC.USER_ENTITY(REALM_ID, > EMAIL_CONSTRAINT) VALUES ('test', 'user7 at email.org', 21)"; SQL statement:/ > > /update USER_ENTITY set CREATED_TIMESTAMP=?, EMAIL=?, > EMAIL_CONSTRAINT=?, EMAIL_VERIFIED=?, ENABLED=?, federation_link=?, > FIRST_NAME=?, LAST_NAME=?, REALM_ID=?, TOTP=?, USERNAME=? where ID=? > [23505-187]/ > > / at > org.hibernate.exception.internal.SQLStateConversionDelegate.convert(SQLStateConversionDelegate.java:128)/ > > / at > org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:47)/ > > / at > org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:125)/ > > / at > org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:110)/ > > / at > org.hibernate.engine.jdbc.internal.proxy.AbstractStatementProxyHandler.continueInvocation(AbstractStatementProxyHandler.java:129)/ > > / at > org.hibernate.engine.jdbc.internal.proxy.AbstractProxyHandler.invoke(AbstractProxyHandler.java:81)/ > > / at com.sun.proxy.$Proxy54.executeUpdate(Unknown Source)/ > > / at > org.hibernate.engine.jdbc.batch.internal.NonBatchingBatch.addToBatch(NonBatchingBatch.java:56)/ > > / at > org.hibernate.persister.entity.AbstractEntityPersister.update(AbstractEntityPersister.java:3006)/ > > / at > org.hibernate.persister.entity.AbstractEntityPersister.updateOrInsert(AbstractEntityPersister.java:2908)/ > > / at > 
org.hibernate.persister.entity.AbstractEntityPersister.update(AbstractEntityPersister.java:3237)/ > > / at > org.hibernate.action.internal.EntityUpdateAction.execute(EntityUpdateAction.java:113)/ > > / at > org.hibernate.engine.spi.ActionQueue.execute(ActionQueue.java:272)/ > > / at > org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:264)/ > > / at > org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:187)/ > > / at > org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:326)/ > > / at > org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:52)/ > > / at > org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1081)/ > > / at > org.hibernate.internal.SessionImpl.managedFlush(SessionImpl.java:315)/ > > / at > org.hibernate.engine.transaction.internal.jdbc.JdbcTransaction.beforeTransactionCommit(JdbcTransaction.java:101)/ > > / at > org.hibernate.engine.transaction.spi.AbstractTransactionImpl.commit(AbstractTransactionImpl.java:175)/ > > / at > org.hibernate.ejb.TransactionImpl.commit(TransactionImpl.java:73)/ > > / ... 34 more/ > > /Caused by: org.h2.jdbc.JdbcSQLException: Unique index or primary key > violation: "UK_DYKN684SL8UP1CRFEI6ECKHD7_INDEX_D ON > PUBLIC.USER_ENTITY(REALM_ID, EMAIL_CONSTRAINT) VALUES ('test', > 'user7 at email.org', 21)"; SQL statement:/ > > /update USER_ENTITY set CREATED_TIMESTAMP=?, EMAIL=?, > EMAIL_CONSTRAINT=?, EMAIL_VERIFIED=?, ENABLED=?, federation_link=?, > FIRST_NAME=?, LAST_NAME=?, REALM_ID=?, TOTP=?, USERNAME=? where ID=? 
> [23505-187]/ > > / at > org.h2.message.DbException.getJdbcSQLException(DbException.java:345)/ > > / at org.h2.message.DbException.get(DbException.java:179)/ > > / at org.h2.message.DbException.get(DbException.java:155)/ > > / at > org.h2.index.BaseIndex.getDuplicateKeyException(BaseIndex.java:102)/ > > / at > org.h2.mvstore.db.MVSecondaryIndex.checkUnique(MVSecondaryIndex.java:233)/ > > / at > org.h2.mvstore.db.MVSecondaryIndex.add(MVSecondaryIndex.java:191)/ > > / at org.h2.mvstore.db.MVTable.addRow(MVTable.java:638)/ > > / at org.h2.table.Table.updateRows(Table.java:478)/ > > / at org.h2.command.dml.Update.update(Update.java:145)/ > > / at > org.h2.command.CommandContainer.update(CommandContainer.java:78)/ > > / at org.h2.command.Command.executeUpdate(Command.java:254)/ > > / at > org.h2.jdbc.JdbcPreparedStatement.executeUpdateInternal(JdbcPreparedStatement.java:157)/ > > / at > org.h2.jdbc.JdbcPreparedStatement.executeUpdate(JdbcPreparedStatement.java:143)/ > > / at sun.reflect.GeneratedMethodAccessor261.invoke(Unknown > Source)/ > > / at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)/ > > / at java.lang.reflect.Method.invoke(Method.java:606)/ > > / at > org.hibernate.engine.jdbc.internal.proxy.AbstractStatementProxyHandler.continueInvocation(AbstractStatementProxyHandler.java:122)/ > > / ... 51 more/ > > /21:40:27,103 INFO > [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync all > users finished: 1 imported users, 6 updated users, 0 removed users, 1 > users failed sync! 
See server log for more details/ > > /21:40:27,110 INFO > [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync all > users from LDAP to local store: realm: test, federation provider: > test-ldap/ > > /21:40:27,167 INFO > [org.keycloak.federation.ldap.LDAPFederationProviderFactory] Sync all > users finished: 1 imported users, 6 updated users, 0 removed users/ > > /21:40:28,175 INFO > [org.keycloak.testsuite.DummyUserFederationProviderFactory] > syncChangedUsers invoked/ > > Is this a known issue? > > -- Rajat > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150709/2a8c694d/attachment-0001.html From Maurice.Quaedackers at planonsoftware.com Thu Jul 9 05:34:11 2015 From: Maurice.Quaedackers at planonsoftware.com (Maurice Quaedackers) Date: Thu, 9 Jul 2015 11:34:11 +0200 Subject: [keycloak-user] Keycloak 1.3.1 Openshift cartridge Message-ID: <16DCFFB91025EF4DB80D3ECCA6E097E46DAE558E3C@NL-MAIL02.planon-fm.com> Hello, Is a GitHub repository of Keycloak 1.3.1 available? When I visit https://github.com/keycloak I can find the https://github.com/keycloak/openshift-keycloak-cartridge repository, but there is no 1.3.1 version available. Can a 1.3.1 version be added, or can you point me in the correct direction? Thank you very much in advance, Best regards Maurice Quaedackers -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150709/719c99e7/attachment.html From favez.steve at gmail.com Thu Jul 9 06:03:28 2015 From: favez.steve at gmail.com (Steve Favez) Date: Thu, 9 Jul 2015 12:03:28 +0200 Subject: [keycloak-user] Oauth2 Saml Bearer Assertion support Message-ID: Hi all, Quick question regarding Keycloak 1.3.1. Does it already support OAuth2 SAML Bearer Assertions? Our use case would be the following: one AngularJS app authenticating the user using Keycloak, then invoking OData / RESTful services published by SAP NetWeaver Gateway, protected using the OAuth2 SAML Bearer Assertion (see sample here: http://wiki.scn.sap.com/wiki/display/Security/Using+OAuth+2.0+from+a+Web+Application+with+SAML+Bearer+Assertion+Flow ). Thanks in advance for your help Steve -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150709/d5115286/attachment.html From favez.steve at gmail.com Thu Jul 9 06:58:30 2015 From: favez.steve at gmail.com (Steve Favez) Date: Thu, 9 Jul 2015 12:58:30 +0200 Subject: [keycloak-user] authentication level / chaining realms Message-ID: Hi Keycloak experts, I'm wondering if it's possible to chain realm invocations in Keycloak (and also whether it's good practice or not). The use case is the following: Keycloak is used as an SSO identity server for a set of applications with different security policies, but for the same users (so, the same user directory). - some applications require only "user / password" authentication. - some applications require a second authentication factor (for example SMS, or any other system). My idea was the following: - we have a first realm - let's name it "simple realm" - that requires only user / password - we have a second realm - let's name it "2fa realm" - that requires a token from "simple realm" and the second authentication factor. 
- If I connect to an application secured by the "2fa realm", my application will redirect to the "2fa realm"; then, as it can't find any simple token, the realm dispatches the invocation to the "simple realm", and then asks for the second authentication factor. So, a user authenticated against the "2fa realm" gets two tokens: the simple realm token and the 2FA token. Thanks in advance for your valuable comments, ideas or criticism. Best regards. Steve -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150709/81bfcf9f/attachment.html From Maurice.Quaedackers at planonsoftware.com Thu Jul 9 08:34:02 2015 From: Maurice.Quaedackers at planonsoftware.com (Maurice Quaedackers) Date: Thu, 9 Jul 2015 14:34:02 +0200 Subject: [keycloak-user] Keycloak 1.3.1 Openshift cartridge In-Reply-To: <16DCFFB91025EF4DB80D3ECCA6E097E46DAE558E3C@NL-MAIL02.planon-fm.com> References: <16DCFFB91025EF4DB80D3ECCA6E097E46DAE558E3C@NL-MAIL02.planon-fm.com> Message-ID: <16DCFFB91025EF4DB80D3ECCA6E097E46DAE559220@NL-MAIL02.planon-fm.com> Sorry, I forgot to mention that I am looking for a Keycloak Openshift 1.3.1 cartridge. Best regards, Maurice Quaedackers From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Maurice Quaedackers Sent: Thursday 9 July 2015 11:34 To: keycloak-user at lists.jboss.org Subject: [keycloak-user] Keycloak 1.3.1 Openshift cartridge Hello, Is a GitHub repository of Keycloak 1.3.1 available? When I visit https://github.com/keycloak I can find the https://github.com/keycloak/openshift-keycloak-cartridge repository, but there is no 1.3.1 version available. Can a 1.3.1 version be added, or can you point me in the correct direction? Thank you very much in advance, Best regards Maurice Quaedackers -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150709/58be89bc/attachment.html From bburke at redhat.com Thu Jul 9 08:55:24 2015 From: bburke at redhat.com (Bill Burke) Date: Thu, 09 Jul 2015 08:55:24 -0400 Subject: [keycloak-user] Oauth2 Saml Bearer Assertion support In-Reply-To: References: Message-ID: <559E6F3C.1030905@redhat.com> We do not have support for OAuth2 SAML Bearer Assertions. Contributions would be lovely. If not, log a jira with the exact link shown below. Our queue is pretty big at the moment though... On 7/9/2015 6:03 AM, Steve Favez wrote: > Hi all, > Quick question regarding Keycloak 1.3.1. Does it already support Oauth2 > Saml Bearer Assertions ? > Our use case would be the following : > One Angular js app authenticating user using keycloak, then invoking > odata / restful services published by SAP NetWeaver Gateway protected > using the Oauth2 Saml Bearer Assertion (see sample here : > http://wiki.scn.sap.com/wiki/display/Security/Using+OAuth+2.0+from+a+Web+Application+with+SAML+Bearer+Assertion+Flow). > > Thanks in advance for your help > > Steve > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Thu Jul 9 09:08:44 2015 From: bburke at redhat.com (Bill Burke) Date: Thu, 09 Jul 2015 09:08:44 -0400 Subject: [keycloak-user] authentication level / chaining realms In-Reply-To: References: Message-ID: <559E725C.3050400@redhat.com> There's no way to do this right now. This one is actually on the roadmap though. On 7/9/2015 6:58 AM, Steve Favez wrote: > Hi keycloak's experts, > > I'm wondering if it's possible to chain realm's invocation in keycloak > (and also, if it's a good practice or not). 
> > The use case is the following : > > Keycloak is used as an SSO identity server for a set of > application with different security policies, but for the same users. > (so, same user directory). > > o some applications require only "user / password" authentication. > o some applications require a second authentication factor. (for > example sms, or any other systems). > > My idea was the following : > > o we've a first realm - let's name it "simple realm", that require > only user / password > o we've a second realm - let's name it "2fa realm" that require a > token from "simple realm" and the second authentication factor. > o If I connect to an application secured by the "2fa realm", my > application will redirect to the "2fa realm", then, as it can't > found any simple token, the realm dispatch the invocation to the > "simple realm", and then ask for the second authentication factor. > > So, a user authenticated against the "2fa realm" get two tokens : the > simple realm token and the 2FA token. > > Thanks in advance for your valuable comments , ideas or critics. > > Best regards. > > > Steve > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From mposolda at redhat.com Thu Jul 9 17:32:46 2015 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 09 Jul 2015 23:32:46 +0200 Subject: [keycloak-user] Error during "Synchronize all users" from an LDAP Server In-Reply-To: References: Message-ID: <559EE87E.5090308@redhat.com> I think it should be fixed in latest master. Among LDAP fixes, I've also added the example application showing integration with LDAP. 
It's here: https://github.com/keycloak/keycloak/tree/master/examples/ldap If you have the opportunity to try it, you can build latest master with commands like this (you need Java 7, Maven 3.1 or later and git):
$ git clone https://github.com/keycloak/keycloak.git
$ cd keycloak
$ mvn clean install -DskipTests=true
$ cd distribution
$ mvn clean install
Then $KEYCLOAK_HOME/distribution/demo-dist/target/keycloak-demo-1.4.0.Final-SNAPSHOT.zip is the latest demo distribution (which contains the example) and $KEYCLOAK_HOME/distribution/server-dist/target/keycloak-1.4.0.Final-SNAPSHOT.zip is the latest server distribution. Marek On 25.6.2015 10:10, Giovanni Baruzzi wrote: > Marek, > > Thank you for your attention. > It is surely in the same area. But as you see I used a very simple LDAP > and only the attribute objectClass has multiple values. > Please tell me if you need further information about my setup. > > Regards, > Giovanni > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150709/5bf0563d/attachment.html From mposolda at redhat.com Thu Jul 9 17:23:29 2015 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 09 Jul 2015 23:23:29 +0200 Subject: [keycloak-user] How read added mapper attribute from ldap? In-Reply-To: References: Message-ID: <559EE651.5050106@redhat.com> Hi, I've pushed the LDAP example and some LDAP related fixes into latest master. 
It's here: https://github.com/keycloak/keycloak/tree/master/examples/ldap If you have the opportunity to try it, you can build latest master with commands like this (you need Java 7, Maven 3.1 or later and git):
$ git clone https://github.com/keycloak/keycloak.git
$ cd keycloak
$ mvn clean install -DskipTests=true
$ cd distribution
$ mvn clean install
Then $KEYCLOAK_HOME/distribution/demo-dist/target/keycloak-demo-1.4.0.Final-SNAPSHOT.zip is the latest demo distribution (which contains the example) and $KEYCLOAK_HOME/distribution/server-dist/target/keycloak-1.4.0.Final-SNAPSHOT.zip is the latest server distribution. Marek On 29.6.2015 14:02, Adam Daduev wrote: > Hi. > I tried to use a new feature of Keycloak 1.3.1: I added a new attribute, like > department, but I cannot get it in my web bean. I tried to get the new > attribute from KeycloakSecurityContext, but could not find it. > How can I get my newly added attribute? > Thanks! > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150709/eb92081a/attachment.html From jcoria at healthcentrix.com Thu Jul 9 21:40:55 2015 From: jcoria at healthcentrix.com (Javier Coria) Date: Thu, 9 Jul 2015 18:40:55 -0700 Subject: [keycloak-user] error creating user Message-ID: Hello, I hope you can help. 
When I want to create my user I do as follows:

    import java.util.ArrayList;
    import java.util.HashMap;
    import java.util.List;
    import java.util.Map;
    import javax.ws.rs.core.Response;
    import org.keycloak.admin.client.Keycloak;
    import org.keycloak.admin.client.resource.UsersResource;
    import org.keycloak.representations.idm.CredentialRepresentation;
    import org.keycloak.representations.idm.UserRepresentation;

    // Admin client logged in to MyRealm with the admin user's credentials
    Keycloak keycloak = Keycloak.getInstance(getURL(), "MyRealm", "myUser", "myPassword", clientID);

    UserRepresentation userRep = new UserRepresentation();
    userRep.setUsername("testUser");

    // Initial password credential for the new user
    CredentialRepresentation credentials = new CredentialRepresentation();
    credentials.setType(CredentialRepresentation.PASSWORD);
    credentials.setValue("t");

    List<CredentialRepresentation> list = new ArrayList<>();
    list.add(credentials);
    userRep.setCredentials(list);
    userRep.setEnabled(true);
    userRep.setEmail("myMail@outlook.com");
    userRep.setEmailVerified(false);
    userRep.setFirstName("Javier");
    userRep.setLastName("Javi");

    // No custom attributes (the value type of this map depends on the Keycloak version)
    Map<String, Object> map = new HashMap<>();
    userRep.setAttributes(map);

    UsersResource users = keycloak.realm("MyRealm").users();
    Response response = users.create(userRep);

It first responds with code 200:
18:14:09 DEBUG org.apache.http.headers:273 >> POST /auth/realms/prevvy/protocol/openid-connect/token HTTP/1.1
18:14:09 DEBUG org.apache.http.impl.conn.DefaultClientConnection:254 Receiving response: HTTP/1.1 200 OK
but at the end it responds with a 500 error and I don't know why :(
18:14:10 DEBUG org.apache.http.wire:63 >> "Host: develop.prevvy.co:9095[\r][\n]"
18:14:10 DEBUG org.apache.http.wire:63 >> "Connection: Keep-Alive[\r][\n]"
18:14:10 DEBUG org.apache.http.wire:63 >> "[\r][\n]"
18:14:10 DEBUG org.apache.http.headers:273 >> POST /auth/admin/realms/prevvy/users HTTP/1.1
18:14:10 DEBUG org.apache.http.headers:276 >> Accept-Encoding: gzip, deflate
18:14:10 DEBUG org.apache.http.headers:276 >> Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.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.hAfHcOZZJwYBBoTRhlqzPfraesg7n9Gp0IHFQvmLYK-wYQBcFb7XAkAdGNWujW4kh5e7EJmyIggLWn0KnaPq2Qf2f57x34A3wjSklxdlIskUjLRZMVjUmUz65ayCPaFh33rxQIv6mhtST6CPdowZdsRyGfmcE9kKhknU8jjY2tY
18:14:10 DEBUG org.apache.http.headers:276 >> Content-Type: application/json
18:14:10 DEBUG org.apache.http.headers:276 >> Content-Length: 498
18:14:10 DEBUG org.apache.http.headers:276 >> Host: 
develop.prevvy.co:9095 - 18:14:10 DEBUG org.apache.http.headers:276 >> Connection: Keep-Alive - 18:14:10 DEBUG org.apache.http.wire:77 >> "{"self":null,"id":null,"username":"testttt","enabled":true,"totp":false,"emailVerified":false,"firstName":"Javier","lastName":"Coria","email":" jcoria at healthcentrix.com ","federationLink":null,"attributes":{},"credentials":[{"type":"password","device":null,"value":"t","hashedSaltedValue":null,"salt":null,"hashIterations":null,"temporary":false}],"requiredActions":null,"federatedIdentities":null,"realmRoles":null,"clientRoles":null,"clientConsents":null,"applicationRoles":null,"socialLinks":null}" - 18:14:10 DEBUG org.apache.http.wire:63 << "HTTP/1.1 500 Internal Server Error[\r][\n]" Thank you!! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150709/43abac9b/attachment.html From peterson.dean at gmail.com Fri Jul 10 01:30:42 2015 From: peterson.dean at gmail.com (Dean Peterson) Date: Fri, 10 Jul 2015 01:30:42 -0400 Subject: [keycloak-user] Still getting index error when upgrading to 1.3.1.Final Message-ID: I did a fresh install with mongodb 3.0 and everything worked fine running 1.3.1.Final. However, I need to upgrade from 1.2.0.Beta1 so I tried the same configuration with everything except this time migrating the old database data. I get the following error: at java.lang.reflect.Constructor.newInstance(Constructor.java:422) at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:148) ... 19 more Caused by: java.lang.RuntimeException: Failed to update database at org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:90) at org.keycloak.connections.mongo.DefaultMongoConnectionFactoryProvider.lazyInit(DefaultMongoConnectionFactoryProvider.java:99) ... 
36 more Caused by: com.mongodb.CommandFailureException: { "serverUsed" : "kcdb/ 172.17.0.69:27017" , "nIndexesWas" : 1 , "ok" : 0.0 , "errmsg" : "index not found with name [realmId_1_name_1]"} at com.mongodb.CommandResult.getException(CommandResult.java:71) at com.mongodb.CommandResult.throwOnError(CommandResult.java:110) at com.mongodb.DBCollection.dropIndexes(DBCollection.java:847) at com.mongodb.DBCollection.dropIndex(DBCollection.java:1349) at org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.convertApplicationsToClients(Update1_2_0_CR1.java:33) at org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.update(Update1_2_0_CR1.java:23) at org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:79) ... 37 more 01:17:00,691 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server. I mentioned this before and Stian was going to look into it; at the time he thought it might be due to using mongodb 3.0. However, mongodb 3.0 works fine with a fresh install. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150710/4042aaf8/attachment-0001.html From giriraj.sharma27 at gmail.com Fri Jul 10 01:41:25 2015 From: giriraj.sharma27 at gmail.com (Giriraj Sharma) Date: Fri, 10 Jul 2015 11:11:25 +0530 Subject: [keycloak-user] Keycloak 1.3.1 Openshift cartridge In-Reply-To: <16DCFFB91025EF4DB80D3ECCA6E097E46DAE559220@NL-MAIL02.planon-fm.com> References: <16DCFFB91025EF4DB80D3ECCA6E097E46DAE558E3C@NL-MAIL02.planon-fm.com> <16DCFFB91025EF4DB80D3ECCA6E097E46DAE559220@NL-MAIL02.planon-fm.com> Message-ID: Hi, The latest version available for Keycloak Openshift 1.3.1 cartridge at present is Keycloak 1.2.0.Final I am not sure but the version shall be updated soon. 
On Thu, Jul 9, 2015 at 6:04 PM, Maurice Quaedackers < Maurice.Quaedackers at planonsoftware.com> wrote: > Sorry, > > > > I forgot to mention that I am looking for a Keycloak Openshift 1.3.1 > cartridge. > > > > Best regards, > > > > Maurice Quaedackers > > > > *From:* keycloak-user-bounces at lists.jboss.org [mailto: > keycloak-user-bounces at lists.jboss.org] *On Behalf Of *Maurice Quaedackers > *Sent:* donderdag 9 juli 2015 11:34 > *To:* keycloak-user at lists.jboss.org > *Subject:* [keycloak-user] Keycloak 1.3.1 Openshift cartridge > > > > Hello, > > > > Is a GitHub repository of Keycloak 1.3.1 available? > > > > When I visit https://github.com/keycloak I can find the > https://github.com/keycloak/openshift-keycloak-cartridge repository but > that there is no 1.3.1 version available > > > > Can a 1.3.1 version be added or can you point me into the correct > direction. > > > > Thank you very much in advance, > > > > Best regards > > Maurice Quaedackers > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Giriraj Sharma about.me/girirajsharma Giriraj Sharma, Department of Computer Science National Institute of Technology Hamirpur Himachal Pradesh, India 177005 -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150710/e7dbf11d/attachment.html

From juandiego83 at gmail.com Fri Jul 10 12:48:53 2015
From: juandiego83 at gmail.com (Juan Diego)
Date: Fri, 10 Jul 2015 11:48:53 -0500
Subject: [keycloak-user] params on my url get duplicated on angular app on reload
Message-ID:

Hi,

I don't know if it is a problem of my code, but for example I see my page

http://localhost/index.html

then I load and I see something like

http://localhost/index.html?prompt=none&code=jYy-h3j8F8O6hruPRUF0lO8eisDwbrRAtA3yzag0epg.05b27843-6c0b-4be6-83fc-a27afe108c50&state=80c3e263-0a89-4853-86b2-61e7f675b609

If I keep reloading my page I keep seeing

prompt=none&code=jYy-h3j8F8O6hruPRUF0lO8eisDwbrRAtA3yzag0epg.05b27843-6c0b-4be6-83fc-a27afe108c50&state=80c3e263-0a89-4853-86b2-61e7f675b609

added over and over.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150710/50d7443b/attachment.html

From peterson.dean at gmail.com Fri Jul 10 12:53:02 2015
From: peterson.dean at gmail.com (Dean Peterson)
Date: Fri, 10 Jul 2015 11:53:02 -0500
Subject: [keycloak-user] Upgrading is a giant pain
Message-ID:

I wish Keycloak had a one-button-click mechanism for upgrading the application. I use Discourse (http://www.discourse.org/) for messaging in my application. I run Keycloak inside a Docker container just like Discourse. Discourse gives me an admin landing page that tells me every time I log in if I am up to date. If I am not, a little sad face tells me I need to upgrade. All I have to do to upgrade is click a button and everything happens automatically. The data is migrated, the Docker container is updated and the application is redeployed. It never fails and takes 5 minutes. Every time I need to upgrade Keycloak it is a month-long ordeal. The database migration never works.
I always have to export the data as json, then upload the file after I manage to get a fresh install of the latest version up and running. I understand Keycloak has a lot of parts and I really like it, but I wish the upgrade process would get some attention. It is a very painful process at the moment. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150710/6f5499d6/attachment.html From bburke at redhat.com Fri Jul 10 13:39:04 2015 From: bburke at redhat.com (Bill Burke) Date: Fri, 10 Jul 2015 13:39:04 -0400 Subject: [keycloak-user] Upgrading is a giant pain In-Reply-To: References: Message-ID: <55A00338.4000908@redhat.com> Yeah, migration is something we will fully nail down before we go into product. The project has been moving too fast and we still have a lot of features to get in this year. That being said, I did read some of your email history. I don't think you should expect migration to work with snapshots from master or from betas and alphas though. I know I've changed the data model multiple times in master prior to doing a release. On 7/10/2015 12:53 PM, Dean Peterson wrote: > I wish Keycloak had a one button click mechanism for upgrading the > application. I use Discourse (http://www.discourse.org/) for messaging > in my application. I run Keycloak inside a Docker container just like > Discourse. Discourse gives me an admin landing page that tells me every > time I log in if I am up to date. If I am not, a little sad face tells > me I need to upgrade. All I have to do to upgrade is click a button and > everything happens automatically. The data is migrated, the docker > container is updated and the application is redeployed. It never fails > and takes 5 minutes. Every time I need to upgrade Keycloak it is a > month long ordeal. The database migration never works. 
I always have > to export the data as json, then upload the file after I manage to get a > fresh install of the latest version up and running. I understand > Keycloak has a lot of parts and I really like it, but I wish the upgrade > process would get some attention. It is a very painful process at the > moment. > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From peterson.dean at gmail.com Fri Jul 10 14:22:00 2015 From: peterson.dean at gmail.com (Dean Peterson) Date: Fri, 10 Jul 2015 13:22:00 -0500 Subject: [keycloak-user] Upgrading is a giant pain In-Reply-To: References: Message-ID: I no longer pull down masters because the releases have been working for me. The documentation says I should be able to upgrade from beta versions to newer releases. This latest problem happened even when I was trying to go from 1.2.0.Beta3 to 1.2.0.Final. Since that did not work, I waited a while hoping a later version would improve the situation. People often do what they are not supposed to. Expecting people to only upgrade from Final release to Final release seems like wishful thinking and may lead to unhappy customers, even if they are wrong. On Fri, Jul 10, 2015 at 11:53 AM, Dean Peterson wrote: > I wish Keycloak had a one button click mechanism for upgrading the > application. I use Discourse (http://www.discourse.org/) for messaging > in my application. I run Keycloak inside a Docker container just like > Discourse. Discourse gives me an admin landing page that tells me every > time I log in if I am up to date. If I am not, a little sad face tells me > I need to upgrade. All I have to do to upgrade is click a button and > everything happens automatically. The data is migrated, the docker > container is updated and the application is redeployed. 
> It never fails and takes 5 minutes. Every time I need to upgrade Keycloak it is a month long
> ordeal. The database migration never works. I always have to export the
> data as json, then upload the file after I manage to get a fresh install of
> the latest version up and running. I understand Keycloak has a lot of
> parts and I really like it, but I wish the upgrade process would get some
> attention. It is a very painful process at the moment.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150710/579b5a31/attachment-0001.html

From juandiego83 at gmail.com Fri Jul 10 18:48:44 2015
From: juandiego83 at gmail.com (Juan Diego)
Date: Fri, 10 Jul 2015 17:48:44 -0500
Subject: [keycloak-user] Getting the user id from the access token
Message-ID:

Hi

I want to be able to update the user password and some preferences from my web app; in order to update some of the user info from my portal I can see in the REST API that you need the user ID.
I have a backend with Java that should connect to my Keycloak server once it gets the token:

    KeycloakSecurityContext securityContext = (KeycloakSecurityContext) httpRequest
            .getAttribute(KeycloakSecurityContext.class.getName());

    AccessToken accessToken = securityContext.getToken();

I don't know how to get info from the access token, or does the access token class already have methods to do that? I know this is more of a question of design. This part is not really clear for me.

Thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150710/fdca4052/attachment.html

From scott at xigole.com Fri Jul 10 18:54:01 2015
From: scott at xigole.com (Scott Dunbar)
Date: Fri, 10 Jul 2015 16:54:01 -0600
Subject: [keycloak-user] Getting the user id from the access token
In-Reply-To:
References:
Message-ID: <55A04D09.6060803@xigole.com>

I use something like:

    import org.keycloak.KeycloakPrincipal;
    import org.keycloak.KeycloakSecurityContext;
    import org.keycloak.representations.IDToken;

    ...

    @Resource
    private SessionContext sessionContext;

    ...

    @SuppressWarnings("unchecked")
    KeycloakPrincipal kcPrincipal = (KeycloakPrincipal)(sessionContext.getCallerPrincipal());
    IDToken idToken = kcPrincipal.getKeycloakSecurityContext().getIdToken();

    log.debug( "email from token is \"" + idToken.getEmail() + "\"" );

Not sure if that's the recommended way but it works well.

On 07/10/2015 04:48 PM, Juan Diego wrote:
> Hi
>
> I want to be able to update the user password and some preferences
> from my web app, in order to update some of the user info from my
> portal i can see in the rest api that you need the user ID.
> I have a backend with java that should connect to my keycloak server
> once it gets the token
>
> KeycloakSecurityContext securityContext = (KeycloakSecurityContext)
> httpRequest
> .getAttribute(KeycloakSecurityContext.class.getName());
>
> AccessToken accessToken = securityContext.getToken();
>
> I dont know how to get info from the accesToken, or does the access
> token class already has methods to do that. I know this is more of a
> question of design. This part is not really clear for me.
>
> Thanks
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Scott Dunbar
Xigole Systems, Inc.
Enterprise consulting, development, and hosting
303-667-6343
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150710/1ac67b07/attachment.html From juandiego83 at gmail.com Fri Jul 10 19:01:07 2015 From: juandiego83 at gmail.com (Juan Diego) Date: Fri, 10 Jul 2015 18:01:07 -0500 Subject: [keycloak-user] Getting the user id from the access token In-Reply-To: <55A04D09.6060803@xigole.com> References: <55A04D09.6060803@xigole.com> Message-ID: Where do you get sessionContext from? On Fri, Jul 10, 2015 at 5:54 PM, Scott Dunbar wrote: > I use something like: > > import org.keycloak.KeycloakPrincipal; > import org.keycloak.KeycloakSecurityContext; > import org.keycloak.representations.IDToken; > > ... > > @Resource > private SessionContext sessionContext; > > ... > > @SuppressWarnings("unchecked") > KeycloakPrincipal kcPrincipal = (KeycloakPrincipal)(sessionContext.getCallerPrincipal()); > IDToken idToken = kcPrincipal.getKeycloakSecurityContext().getIdToken(); > > log.debug( "email from token is \"" + idToken.getEmail() + "\"" ); > > > Not sure if that's the recommended way but it works well. > > > On 07/10/2015 04:48 PM, Juan Diego wrote: > > Hi > > I want to be able to update the user password and some preferences from > my web app, in order to update some of the user info from my portal i can > see in the rest api that you need the user ID. > I have a backend with java that should connect to my keycloak server once > it gets the token > > KeycloakSecurityContext securityContext = (KeycloakSecurityContext) > httpRequest > .getAttribute(KeycloakSecurityContext.class.getName()); > > AccessToken accessToken = securityContext.getToken(); > > I dont know how to get info from the accesToken, or does the access token > class already has methods to do that. I know this is more of a question of > design. This part is not really clear for me. 
> > Thanks
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Scott Dunbar
> Xigole Systems, Inc.
> Enterprise consulting, development, and hosting
> 303-667-6343
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150710/8ab143e1/attachment.html

From juandiego83 at gmail.com Fri Jul 10 19:10:46 2015
From: juandiego83 at gmail.com (Juan Diego)
Date: Fri, 10 Jul 2015 18:10:46 -0500
Subject: [keycloak-user] Getting the user id from the access token
In-Reply-To:
References: <55A04D09.6060803@xigole.com>
Message-ID:

Sorry, I just reviewed your code; I am kind of tired. Found what I was looking for.

On Fri, Jul 10, 2015 at 6:01 PM, Juan Diego wrote:

> Where do you get sessionContext from?
>
> On Fri, Jul 10, 2015 at 5:54 PM, Scott Dunbar wrote:
>
>> I use something like:
>>
>> import org.keycloak.KeycloakPrincipal;
>> import org.keycloak.KeycloakSecurityContext;
>> import org.keycloak.representations.IDToken;
>>
>> ...
>>
>> @Resource
>> private SessionContext sessionContext;
>>
>> ...
>>
>> @SuppressWarnings("unchecked")
>> KeycloakPrincipal kcPrincipal = (KeycloakPrincipal)(sessionContext.getCallerPrincipal());
>> IDToken idToken = kcPrincipal.getKeycloakSecurityContext().getIdToken();
>>
>> log.debug( "email from token is \"" + idToken.getEmail() + "\"" );
>>
>> Not sure if that's the recommended way but it works well.
>>
>> On 07/10/2015 04:48 PM, Juan Diego wrote:
>>
>> Hi
>>
>> I want to be able to update the user password and some preferences from
>> my web app, in order to update some of the user info from my portal i can
>> see in the rest api that you need the user ID.
>> I have a backend with java that should connect to my keycloak server
>> once it gets the token
>>
>> KeycloakSecurityContext securityContext = (KeycloakSecurityContext)
>> httpRequest
>> .getAttribute(KeycloakSecurityContext.class.getName());
>>
>> AccessToken accessToken = securityContext.getToken();
>>
>> I dont know how to get info from the accesToken, or does the access
>> token class already has methods to do that. I know this is more of a
>> question of design. This part is not really clear for me.
>>
>> Thanks
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> --
>> Scott Dunbar
>> Xigole Systems, Inc.
>> Enterprise consulting, development, and hosting
>> 303-667-6343
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150710/3740195a/attachment.html

From scott at xigole.com Fri Jul 10 19:24:11 2015
From: scott at xigole.com (Scott Dunbar)
Date: Fri, 10 Jul 2015 17:24:11 -0600
Subject: [keycloak-user] Getting the user id from the access token
In-Reply-To:
References: <55A04D09.6060803@xigole.com>
Message-ID: <55A0541B.50007@xigole.com>

It is injected into the bean - sorry, might not have been enough code before.
A small example:

    import javax.annotation.Resource;
    import javax.annotation.security.RolesAllowed;
    import javax.ejb.SessionContext;
    import javax.ejb.Stateless;
    import javax.ws.rs.GET;
    import javax.ws.rs.Path;
    import javax.ws.rs.Produces;
    import javax.ws.rs.core.MediaType;
    import javax.ws.rs.core.Response;

    import org.apache.commons.logging.Log;
    import org.apache.commons.logging.LogFactory;

    import org.keycloak.KeycloakPrincipal;
    import org.keycloak.KeycloakSecurityContext;
    import org.keycloak.representations.IDToken;

    @Path("/user")
    @Stateless
    public class UserService {
        private static final Log log = LogFactory.getLog(UserService.class);

        @Resource
        private SessionContext sessionContext;

        @Path("/getCurrentUserInfo")
        @Produces({ MediaType.APPLICATION_JSON })
        @GET
        @RolesAllowed({"someRole"})
        public Response getCurrentUser() {

            @SuppressWarnings("unchecked")
            KeycloakPrincipal kcPrincipal = (KeycloakPrincipal)(sessionContext.getCallerPrincipal());
            IDToken idToken = kcPrincipal.getKeycloakSecurityContext().getIdToken();

            log.debug( "email from token is \"" + idToken.getEmail() + "\"" );

            // your return is likely something more useful
            return Response.ok().build();
        }
    }

Your use case might be different but this is how it is working for me. Again, there may be a better way.

On 07/10/2015 05:01 PM, Juan Diego wrote:
> Where do you get sessionContext from?
>
> On Fri, Jul 10, 2015 at 5:54 PM, Scott Dunbar wrote:
>
> I use something like:
>
> import org.keycloak.KeycloakPrincipal;
> import org.keycloak.KeycloakSecurityContext;
> import org.keycloak.representations.IDToken;
>
> ...
>
> @Resource
> private SessionContext sessionContext;
>
> ...
>
> @SuppressWarnings("unchecked")
> KeycloakPrincipal kcPrincipal = (KeycloakPrincipal)(sessionContext.getCallerPrincipal());
> IDToken idToken = kcPrincipal.getKeycloakSecurityContext().getIdToken();
>
> log.debug( "email from token is \"" + idToken.getEmail() + "\"" );
>
> Not sure if that's the recommended way but it works well.
>
> On 07/10/2015 04:48 PM, Juan Diego wrote:
>> Hi
>>
>> I want to be able to update the user password and some
>> preferences from my web app, in order to update some of the user
>> info from my portal i can see in the rest api that you need the
>> user ID.
>> I have a backend with java that should connect to my keycloak
>> server once it gets the token
>>
>> KeycloakSecurityContext securityContext =
>> (KeycloakSecurityContext) httpRequest
>> .getAttribute(KeycloakSecurityContext.class.getName());
>>
>> AccessToken accessToken = securityContext.getToken();
>>
>> I dont know how to get info from the accesToken, or does the
>> access token class already has methods to do that. I know this
>> is more of a question of design. This part is not really clear
>> for me.
>>
>> Thanks
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Scott Dunbar
> Xigole Systems, Inc.
> Enterprise consulting, development, and hosting
> 303-667-6343
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Scott Dunbar
Xigole Systems, Inc.
Enterprise consulting, development, and hosting
303-667-6343
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150710/e24ce140/attachment-0001.html

From juandiego83 at gmail.com Fri Jul 10 19:27:19 2015
From: juandiego83 at gmail.com (Juan Diego)
Date: Fri, 10 Jul 2015 18:27:19 -0500
Subject: [keycloak-user] Getting the user id from the access token
In-Reply-To: <55A0541B.50007@xigole.com>
References: <55A04D09.6060803@xigole.com> <55A0541B.50007@xigole.com>
Message-ID:

Are you identifying your user mainly by the email?
On Fri, Jul 10, 2015 at 6:24 PM, Scott Dunbar wrote: > It is injected into the bean - sorry, might not have been enough code > before. A small example: > > import javax.annotation.Resource; > import javax.annotation.security.RolesAllowed; > import javax.ejb.SessionContext; > import javax.ejb.Stateless; > import javax.ws.rs.GET; > import javax.ws.rs.Path; > import javax.ws.rs.Produces; > import javax.ws.rs.core.MediaType; > import javax.ws.rs.core.Response; > > import org.apache.commons.logging.Log; > import org.apache.commons.logging.LogFactory; > > import org.keycloak.KeycloakPrincipal; > import org.keycloak.KeycloakSecurityContext; > import org.keycloak.representations.IDToken; > > @Path("/user") > @Stateless > public class UserService { > private static final Log log = LogFactory.getLog(UserService.class); > > @Resource > private SessionContext sessionContext; > > @Path("/getCurrentUserInfo") > @Produces({ MediaType.APPLICATION_JSON }) > @GET > @RolesAllowed({"someRole"}) > public Response getCurrentUser() { > > @SuppressWarnings("unchecked") > KeycloakPrincipal kcPrincipal = (KeycloakPrincipal)(sessionContext.getCallerPrincipal()); > IDToken idToken = kcPrincipal.getKeycloakSecurityContext().getIdToken(); > > log.debug( "email from token is \"" + idToken.getEmail() + "\"" ); > > // your return is likely something more useful > return Response.ok().build(); > } > } > > > Your use case might be different but this is how it is working for me. > Again, there may be a better way. > > > > > On 07/10/2015 05:01 PM, Juan Diego wrote: > > Where do you get sessionContext from? > > On Fri, Jul 10, 2015 at 5:54 PM, Scott Dunbar wrote: > >> I use something like: >> >> import org.keycloak.KeycloakPrincipal; >> import org.keycloak.KeycloakSecurityContext; >> import org.keycloak.representations.IDToken; >> >> ... >> >> @Resource >> private SessionContext sessionContext; >> >> ... 
>>
>> @SuppressWarnings("unchecked")
>> KeycloakPrincipal kcPrincipal = (KeycloakPrincipal)(sessionContext.getCallerPrincipal());
>> IDToken idToken = kcPrincipal.getKeycloakSecurityContext().getIdToken();
>>
>> log.debug( "email from token is \"" + idToken.getEmail() + "\"" );
>>
>> Not sure if that's the recommended way but it works well.
>>
>> On 07/10/2015 04:48 PM, Juan Diego wrote:
>>
>> Hi
>>
>> I want to be able to update the user password and some preferences from
>> my web app, in order to update some of the user info from my portal i can
>> see in the rest api that you need the user ID.
>> I have a backend with java that should connect to my keycloak server
>> once it gets the token
>>
>> KeycloakSecurityContext securityContext = (KeycloakSecurityContext)
>> httpRequest
>> .getAttribute(KeycloakSecurityContext.class.getName());
>>
>> AccessToken accessToken = securityContext.getToken();
>>
>> I dont know how to get info from the accesToken, or does the access
>> token class already has methods to do that. I know this is more of a
>> question of design. This part is not really clear for me.
>>
>> Thanks
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> --
>> Scott Dunbar
>> Xigole Systems, Inc.
>> Enterprise consulting, development, and hosting
>> 303-667-6343
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
> --
> Scott Dunbar
> Xigole Systems, Inc.
> Enterprise consulting, development, and hosting
> 303-667-6343
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150710/6e083e44/attachment.html From peterson.dean at gmail.com Sat Jul 11 00:11:50 2015 From: peterson.dean at gmail.com (Dean Peterson) Date: Fri, 10 Jul 2015 23:11:50 -0500 Subject: [keycloak-user] 1.2.0.Beta1 to 1.2.0.RC1 root of migration problem Message-ID: I went back and tried to upgrade just from 1.2.0.Beta1 to 1.2.0.RC1. I exported my realm into a json file and tried to import it into a fresh install of 1.2.0.RC1. I just receive a message that says: "Error! The Realm cannot be uploaded". There is nothing in the logs. I check to see if anything is imported. I see only a few bearer token only applications are present. No client side confidential applications have been imported. Also, none of the users have been imported. If I give someone my entire json file (minus most of the user info), can someone please tell me what might be wrong? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150710/b7242bd9/attachment.html From mposolda at redhat.com Sat Jul 11 04:36:46 2015 From: mposolda at redhat.com (Marek Posolda) Date: Sat, 11 Jul 2015 10:36:46 +0200 Subject: [keycloak-user] Still getting index error when upgrading to 1.3.1.Final In-Reply-To: References: Message-ID: <55A0D59E.7050001@redhat.com> I've already created JIRA https://issues.jboss.org/browse/KEYCLOAK-1548 with the reference to the ML thread you created earlier. Will look into it to have the fix for Keycloak 1.4 release. Marek On 10.7.2015 07:30, Dean Peterson wrote: > I did a fresh install with mongodb 3.0 and everything worked fine > running 1.3.1.Final. However, I need to upgrade from 1.2.0.Beta1 so I > tried the same configuration with everything except this time > migrating the old database data. 
I get the following error: > > at java.lang.reflect.Constructor.newInstance(Constructor.java:422) > at > org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:148) > ... 19 more > Caused by: java.lang.RuntimeException: Failed to update database > at > org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:90) > at > org.keycloak.connections.mongo.DefaultMongoConnectionFactoryProvider.lazyInit(DefaultMongoConnectionFactoryProvider.java:99) > ... 36 more > Caused by: com.mongodb.CommandFailureException: { "serverUsed" : > "kcdb/172.17.0.69:27017 " , "nIndexesWas" : > 1 , "ok" : 0.0 , "errmsg" : "index not found with name > [realmId_1_name_1]"} > at com.mongodb.CommandResult.getException(CommandResult.java:71) > at com.mongodb.CommandResult.throwOnError(CommandResult.java:110) > at com.mongodb.DBCollection.dropIndexes(DBCollection.java:847) > at com.mongodb.DBCollection.dropIndex(DBCollection.java:1349) > at > org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.convertApplicationsToClients(Update1_2_0_CR1.java:33) > at > org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.update(Update1_2_0_CR1.java:23) > at > org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:79) > ... 37 more > > 01:17:00,691 ERROR [org.jboss.as.controller.management-operation] > (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - > address: ([("deployment" => "keycloak-server. > > > I mentioned this before and Stian was going to look into it; at the > time he thought it might be due to using mongodb 3.0. However, > mongodb 3.0 works fine with a fresh install. > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150711/5979328c/attachment.html

From mposolda at redhat.com Sat Jul 11 04:43:15 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Sat, 11 Jul 2015 10:43:15 +0200
Subject: [keycloak-user] 1.2.0.Beta1 to 1.2.0.RC1 root of migration problem
In-Reply-To:
References:
Message-ID: <55A0D723.7030308@redhat.com>

Yeah, please send the JSON to me and I will take a look. The migration of JSON files is supposed to work too (JSON files should be backwards compatible), so it might be a bug if something doesn't work.

Marek

On 11.7.2015 06:11, Dean Peterson wrote:
> I went back and tried to upgrade just from 1.2.0.Beta1 to 1.2.0.RC1.
> I exported my realm into a json file and tried to import it into a
> fresh install of 1.2.0.RC1. I just receive a message that says:
> "Error! The Realm cannot be uploaded". There is nothing in the logs.
> I check to see if anything is imported. I see only a few bearer token
> only applications are present. No client side confidential
> applications have been imported. Also, none of the users have been
> imported. If I give someone my entire json file (minus most of the
> user info), can someone please tell me what might be wrong?
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150711/bde0d27b/attachment-0001.html

From mposolda at redhat.com Sat Jul 11 04:54:36 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Sat, 11 Jul 2015 10:54:36 +0200
Subject: [keycloak-user] Getting the user id from the access token
In-Reply-To:
References: <55A04D09.6060803@xigole.com> <55A0541B.50007@xigole.com>
Message-ID: <55A0D9CC.9040808@redhat.com>

I suggest looking into our demo, which handles this well and shows various info about the user: https://github.com/keycloak/keycloak/tree/master/examples/demo-template

By default, the User ID can be obtained directly from the principal (unless you configure "principal-attribute" in your keycloak.json):

    String userId = kcPrincipal.getName();

From the access token it can be obtained as well:

    String userId = accessToken.getSubject();

See the example on how to retrieve more user data (but it's pretty straightforward from the getter methods, like the getter for email, as Scott pointed out).

Marek

On 11.7.2015 01:27, Juan Diego wrote:
> Are you identifying you user mainly by the email?
>
> On Fri, Jul 10, 2015 at 6:24 PM, Scott Dunbar wrote:
>
> It is injected into the bean - sorry, might not have been enough
> code before.
A small example: > > import javax.annotation.Resource; > import javax.annotation.security.RolesAllowed; > import javax.ejb.SessionContext; > import javax.ejb.Stateless; > import javax.ws.rs.GET; > import javax.ws.rs.Path; > import javax.ws.rs.Produces; > import javax.ws.rs.core.MediaType; > import javax.ws.rs.core.Response; > > import org.apache.commons.logging.Log; > import org.apache.commons.logging.LogFactory; > > import org.keycloak.KeycloakPrincipal; > import org.keycloak.KeycloakSecurityContext; > import org.keycloak.representations.IDToken; > > @Path("/user") > @Stateless > public class UserService { > private static final Log log = LogFactory.getLog(UserService.class); > > @Resource > private SessionContext sessionContext; > > @Path("/getCurrentUserInfo") > @Produces({ MediaType.APPLICATION_JSON }) > @GET > @RolesAllowed({"someRole"}) > public Response getCurrentUser() { > > @SuppressWarnings("unchecked") > KeycloakPrincipal kcPrincipal = (KeycloakPrincipal)(sessionContext.getCallerPrincipal()); > IDToken idToken = kcPrincipal.getKeycloakSecurityContext().getIdToken(); > > log.debug( "email from token is \"" + idToken.getEmail() + "\"" ); > > // your return is likely something more useful > return Response.ok().build(); > } > } > > > Your use case might be different but this is how it is working for > me. Again, there may be a better way. > > > > > On 07/10/2015 05:01 PM, Juan Diego wrote: >> Where do you get sessionContext from? >> >> On Fri, Jul 10, 2015 at 5:54 PM, Scott Dunbar > > wrote: >> >> I use something like: >> >> import org.keycloak.KeycloakPrincipal; >> import org.keycloak.KeycloakSecurityContext; >> import org.keycloak.representations.IDToken; >> >> ... >> >> @Resource >> private SessionContext sessionContext; >> >> ... 
>>
>> @SuppressWarnings("unchecked")
>> KeycloakPrincipal kcPrincipal = (KeycloakPrincipal)(sessionContext.getCallerPrincipal());
>> IDToken idToken = kcPrincipal.getKeycloakSecurityContext().getIdToken();
>>
>> log.debug( "email from token is \"" + idToken.getEmail() + "\"" );
>>
>> Not sure if that's the recommended way but it works well.
>>
>> On 07/10/2015 04:48 PM, Juan Diego wrote:
>>> Hi
>>>
>>> I want to be able to update the user password and some
>>> preferences from my web app, in order to update some of the
>>> user info from my portal i can see in the rest api that you
>>> need the user ID.
>>> I have a backend with java that should connect to my
>>> keycloak server once it gets the token
>>>
>>> KeycloakSecurityContext securityContext =
>>> (KeycloakSecurityContext) httpRequest
>>> .getAttribute(KeycloakSecurityContext.class.getName());
>>>
>>> AccessToken accessToken = securityContext.getToken();
>>>
>>> I dont know how to get info from the accesToken, or does the
>>> access token class already has methods to do that. I know
>>> this is more of a question of design. This part is not
>>> really clear for me.
>>>
>>> Thanks
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> --
>> Scott Dunbar
>> Xigole Systems, Inc.
>> Enterprise consulting, development, and hosting
>> 303-667-6343
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
> --
> Scott Dunbar
> Xigole Systems, Inc.
> Enterprise consulting, development, and hosting > 303?667?6343 > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150711/fbd5f10d/attachment.html From peterson.dean at gmail.com Sat Jul 11 07:25:00 2015 From: peterson.dean at gmail.com (Dean Peterson) Date: Sat, 11 Jul 2015 07:25:00 -0400 Subject: [keycloak-user] Still getting index error when upgrading to 1.3.1.Final In-Reply-To: <55A0D59E.7050001@redhat.com> References: <55A0D59E.7050001@redhat.com> Message-ID: Thank you very much! I sent my JSON file to you in another e-mail too. On Sat, Jul 11, 2015 at 4:36 AM, Marek Posolda wrote: > I've already created JIRA https://issues.jboss.org/browse/KEYCLOAK-1548 > with the reference to the ML thread you created earlier. Will look into it > to have the fix for Keycloak 1.4 release. > > Marek > > > On 10.7.2015 07:30, Dean Peterson wrote: > > I did a fresh install with mongodb 3.0 and everything worked fine running > 1.3.1.Final. However, I need to upgrade from 1.2.0.Beta1 so I tried the > same configuration with everything except this time migrating the old > database data. I get the following error: > > at java.lang.reflect.Constructor.newInstance(Constructor.java:422) > at > org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:148) > ... 19 more > Caused by: java.lang.RuntimeException: Failed to update database > at > org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:90) > at > org.keycloak.connections.mongo.DefaultMongoConnectionFactoryProvider.lazyInit(DefaultMongoConnectionFactoryProvider.java:99) > ... 
36 more > Caused by: com.mongodb.CommandFailureException: { "serverUsed" : "kcdb/ > 172.17.0.69:27017" , "nIndexesWas" : 1 , "ok" : 0.0 , "errmsg" : "index > not found with name [realmId_1_name_1]"} > at com.mongodb.CommandResult.getException(CommandResult.java:71) > at com.mongodb.CommandResult.throwOnError(CommandResult.java:110) > at com.mongodb.DBCollection.dropIndexes(DBCollection.java:847) > at com.mongodb.DBCollection.dropIndex(DBCollection.java:1349) > at > org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.convertApplicationsToClients(Update1_2_0_CR1.java:33) > at > org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.update(Update1_2_0_CR1.java:23) > at > org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:79) > ... 37 more > > 01:17:00,691 ERROR [org.jboss.as.controller.management-operation] > (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: > ([("deployment" => "keycloak-server. > > > I mentioned this before and Stian was going to look into it; at the time > he thought it might be due to using mongodb 3.0. However, mongodb 3.0 > works fine with a fresh install. > > > _______________________________________________ > keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user > > > -------------- next part -------------- An HTML attachment was scrubbed... 
From stephen.more at gmail.com  Sat Jul 11 07:33:12 2015
From: stephen.more at gmail.com (Stephen More)
Date: Sat, 11 Jul 2015 07:33:12 -0400
Subject: [keycloak-user] Multi tenant plus administration Rest api
In-Reply-To: <559CF96A.2020004@redhat.com>
References: <559BDD56.90308@redhat.com> <559CF96A.2020004@redhat.com>
Message-ID:

I added:
    "realm-management": [ "realm-admin" ],
to:
    "clientRoles": {

Now I am getting:
07:25:37,948 WARN  [org.jboss.resteasy.core.ExceptionHandler] (default task-92) Failed executing GET /admin/realms/tenant1/roles: org.jboss.resteasy.spi.UnauthorizedException: Bearer
    at org.keycloak.services.resources.admin.AdminRoot.authenticateRealmAdminRequest(AdminRoot.java:152)
    at org.keycloak.services.resources.admin.AdminRoot.getRealmsAdmin(AdminRoot.java:183)
    at sun.reflect.GeneratedMethodAccessor339.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)

On Wed, Jul 8, 2015 at 6:20 AM, Marek Posolda wrote:

> It looks like authorization issue. Your user either doesn't have
> required roles or your client is missing scopes (which means that roles are
> not propagated to accessToken).
>
> To just view roles, you need role "view-realm" of client
> "realm-management" .
>
> Marek
>
>
> On 7.7.2015 18:46, Stephen More wrote:
>
> I have tried to add:
>     org.keycloak.representations.IDToken idToken = principal.getKeycloakSecurityContext().getIdToken();
>     org.keycloak.representations.AccessToken token = principal.getKeycloakSecurityContext().getToken();
>
>     writer.write("<br>Access Token id: " + token.getId());
>     writer.write("<br>Access Token String: " + principal.getKeycloakSecurityContext().getTokenString());
>     writer.write("<br>ID Token id: " + idToken.getId());
>     writer.write("<br>ID Token String: " + principal.getKeycloakSecurityContext().getIdTokenString());
>
>     writer.write(String.format("<a href=\"/multitenant/%s/logout\">Logout</a>", realm));
>
>     try
>     {
>         java.net.URL url = new java.net.URL( "http://localhost:8080/auth/admin/realms/" + principal.getKeycloakSecurityContext().getRealm() + "/roles" );
>         java.net.HttpURLConnection conn = (java.net.HttpURLConnection)url.openConnection();
>         conn.setRequestMethod( "GET" );
>         conn.setRequestProperty("Authorization", "Bearer " + principal.getKeycloakSecurityContext().getTokenString());
>         java.io.BufferedReader in = new java.io.BufferedReader( new java.io.InputStreamReader( conn.getInputStream()));
>         String line;
>         while ((line = in.readLine()) != null)
>         {
>             writer.write( line );
>         }
>         in.close();
>     }
>     catch( Exception e )
>     {
>         e.printStackTrace();
>     }
>
> to
> keycloak-demo-1.3.1.Final/examples/multi-tenant/src/main/java/org/keycloak/example/multitenant/boundary/ProtectedServlet.java
>
> But I am getting an error:
> 12:28:28,317 WARN  [org.jboss.resteasy.core.ExceptionHandler] (default task-16) Failed executing GET /admin/realms/tenant1/roles: org.keycloak.services.ForbiddenException
>
>
> In stepping through the AdminClient of the admin-access-app I have found
> an example bearer token was 1157 characters long.
>
> principal.getKeycloakSecurityContext().getIdTokenString() turned out to be
> 645 characters long.
>
> principal.getKeycloakSecurityContext().getTokenString() turned out to be
> 865 characters long.
>
>
> What is it that I am missing ?
>
> On Tue, Jul 7, 2015 at 10:08 AM, Bill Burke wrote:
>
>> The access token should already be available.
>>
>> On 7/7/2015 10:01 AM, Stephen More wrote:
>> > Or perhaps a better question would be: Once a user is already logged
>> > into keycloak, how can a
>> > org.keycloak.representations.AccessTokenResponse without providing a
>> > password a second time ?
>> >
>> > On Sun, Jul 5, 2015 at 12:00 PM, Stephen More wrote:
>> >
>> >     How could I extend the multi-tenant example (
>> >     https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant
>> >     ) to make a Rest admin api call back to keycloak using java ?
>> >
>> >     I think this would be a helpful example in upcoming releases.
>> >
>> >     Thanks
>> >
>> >
>> >
>> >
>> >     _______________________________________________
>> >     keycloak-user mailing list
>> >     keycloak-user at lists.jboss.org
>> >     https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>

From mposolda at redhat.com  Sat Jul 11 13:23:13 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Sat, 11 Jul 2015 19:23:13 +0200
Subject: [keycloak-user] Still getting index error when upgrading to 1.3.1.Final
In-Reply-To:
References: <55A0D59E.7050001@redhat.com>
Message-ID: <55A15101.7000506@redhat.com>

np, I've fixed the JSON import issue in latest master
https://issues.jboss.org/browse/KEYCLOAK-1558 and also another related
issue https://issues.jboss.org/browse/KEYCLOAK-1175 .

You should still be able to import the JSON in Keycloak 1.3.1.Final if you
do not import the JSON through admin console but through the import
mechanism. You need to:
- Start keycloak against clean database (to ensure master realm is created)
- Stop keycloak
- Start keycloak again with the system properties like:
  -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=/tmp/abecorn-realm.json

In latest version you will be able to import directly into clean DB because
of https://issues.jboss.org/browse/KEYCLOAK-1175 fix. But in 1.3.1 it won't
yet work, so you need to start+stop first to ensure master realm is initialized

Cheers,
Marek

On 11.7.2015 13:25, Dean Peterson wrote:
> Thank you very much! I sent my JSON file to you in another e-mail too.
>
> On Sat, Jul 11, 2015 at 4:36 AM, Marek Posolda wrote:
>
>     I've already created JIRA
>     https://issues.jboss.org/browse/KEYCLOAK-1548 with the reference
>     to the ML thread you created earlier. Will look into it to have
>     the fix for Keycloak 1.4 release.
>
>     Marek
>
>
>     On 10.7.2015 07:30, Dean Peterson wrote:
>>     I did a fresh install with mongodb 3.0 and everything worked fine
>>     running 1.3.1.Final. However, I need to upgrade from 1.2.0.Beta1
>>     so I tried the same configuration with everything except this
>>     time migrating the old database data. I get the following error:
>>
>>         at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
>>         at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:148)
>>         ... 19 more
>>     Caused by: java.lang.RuntimeException: Failed to update database
>>         at org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:90)
>>         at org.keycloak.connections.mongo.DefaultMongoConnectionFactoryProvider.lazyInit(DefaultMongoConnectionFactoryProvider.java:99)
>>         ... 36 more
>>     Caused by: com.mongodb.CommandFailureException: { "serverUsed" : "kcdb/172.17.0.69:27017" , "nIndexesWas" : 1 , "ok" : 0.0 , "errmsg" : "index not found with name [realmId_1_name_1]"}
>>         at com.mongodb.CommandResult.getException(CommandResult.java:71)
>>         at com.mongodb.CommandResult.throwOnError(CommandResult.java:110)
>>         at com.mongodb.DBCollection.dropIndexes(DBCollection.java:847)
>>         at com.mongodb.DBCollection.dropIndex(DBCollection.java:1349)
>>         at org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.convertApplicationsToClients(Update1_2_0_CR1.java:33)
>>         at org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.update(Update1_2_0_CR1.java:23)
>>         at org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:79)
>>         ... 37 more
>>
>>     01:17:00,691 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.
>>
>>
>>     I mentioned this before and Stian was going to look into it; at
>>     the time he thought it might be due to using mongodb 3.0.
>>     However, mongodb 3.0 works fine with a fresh install.
>>
>>
>>     _______________________________________________
>>     keycloak-user mailing list
>>     keycloak-user at lists.jboss.org
>>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

From peterson.dean at gmail.com  Sun Jul 12 00:28:01 2015
From: peterson.dean at gmail.com (Dean Peterson)
Date: Sat, 11 Jul 2015 23:28:01 -0500
Subject: [keycloak-user] Still getting index error when upgrading to 1.3.1.Final
In-Reply-To: <55A15101.7000506@redhat.com>
References: <55A0D59E.7050001@redhat.com> <55A15101.7000506@redhat.com>
Message-ID:

Thank you very much for the help!

On Sat, Jul 11, 2015 at 12:23 PM, Marek Posolda wrote:

> np, I've fixed the JSON import issue in latest master
> https://issues.jboss.org/browse/KEYCLOAK-1558 and also another related
> issue https://issues.jboss.org/browse/KEYCLOAK-1175 .
>
> You should still be able to import the JSON in Keycloak 1.3.1.Final if you
> do not import the JSON through admin console but through the import
> mechanism. You need to:
> - Start keycloak against clean database (to ensure master realm is created)
> - Stop keycloak
> - Start keycloak again with the system properties like:
>   -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile
>   -Dkeycloak.migration.file=/tmp/abecorn-realm.json
>
> In latest version you will be able to import directly into clean DB
> because of https://issues.jboss.org/browse/KEYCLOAK-1175 fix. But in
> 1.3.1 it won't yet work, so you need to start+stop first to ensure master
> realm is initialized
>
> Cheers,
> Marek
>
>
> On 11.7.2015 13:25, Dean Peterson wrote:
>
> Thank you very much! I sent my JSON file to you in another e-mail too.
>
> On Sat, Jul 11, 2015 at 4:36 AM, Marek Posolda wrote:
>
>> I've already created JIRA https://issues.jboss.org/browse/KEYCLOAK-1548
>> with the reference to the ML thread you created earlier. Will look into it
>> to have the fix for Keycloak 1.4 release.
>>
>> Marek
>>
>>
>> On 10.7.2015 07:30, Dean Peterson wrote:
>>
>> I did a fresh install with mongodb 3.0 and everything worked fine
>> running 1.3.1.Final. However, I need to upgrade from 1.2.0.Beta1 so I
>> tried the same configuration with everything except this time migrating the
>> old database data. I get the following error:
>>
>>     at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
>>     at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:148)
>>     ... 19 more
>> Caused by: java.lang.RuntimeException: Failed to update database
>>     at org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:90)
>>     at org.keycloak.connections.mongo.DefaultMongoConnectionFactoryProvider.lazyInit(DefaultMongoConnectionFactoryProvider.java:99)
>>     ... 36 more
>> Caused by: com.mongodb.CommandFailureException: { "serverUsed" : "kcdb/172.17.0.69:27017" , "nIndexesWas" : 1 , "ok" : 0.0 , "errmsg" : "index not found with name [realmId_1_name_1]"}
>>     at com.mongodb.CommandResult.getException(CommandResult.java:71)
>>     at com.mongodb.CommandResult.throwOnError(CommandResult.java:110)
>>     at com.mongodb.DBCollection.dropIndexes(DBCollection.java:847)
>>     at com.mongodb.DBCollection.dropIndex(DBCollection.java:1349)
>>     at org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.convertApplicationsToClients(Update1_2_0_CR1.java:33)
>>     at org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.update(Update1_2_0_CR1.java:23)
>>     at org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:79)
>>     ... 37 more
>>
>> 01:17:00,691 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.
>>
>>
>> I mentioned this before and Stian was going to look into it; at the
>> time he thought it might be due to using mongodb 3.0. However, mongodb 3.0
>> works fine with a fresh install.
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>
>
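Marek's diagnosis in the "Multi tenant plus administration Rest api" thread above has two branches: either the user lacks the role, or the client lacks the scope, in which case the role never reaches the access token at all. Both can be told apart by looking inside the bearer token the servlet actually sends, which also answers Juan Diego's earlier question about what the access token carries: Keycloak puts realm roles under the realm_access claim and client roles under resource_access, keyed by client id. The following is an added example, not code from the thread or from the Keycloak project. It decodes the payload of a compact JWT with the standard library only and reports whether view-realm on the realm-management client is present; the sample tokens are constructed here with a dummy signature, and the decoder does not verify signatures, so it is a diagnostic for tokens you already hold, never something to base authorization on.

```python
"""Offline diagnostic for Keycloak access tokens (added example, not from the thread).

decode_payload() does NOT verify the signature: use it to inspect a token you
already hold, never to make an authorization decision.
"""
import base64
import json
import time

# Keycloak's per-realm admin client, as named by Marek in the thread.
REALM_MANAGEMENT = "realm-management"


def _b64url_decode(segment: str) -> bytes:
    # JWTs drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_payload(token: str) -> dict:
    """Return the claims of a compact JWS (header.payload.signature), unverified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def realm_roles(claims: dict) -> set:
    """Realm-level roles: the realm_access.roles claim."""
    return set(claims.get("realm_access", {}).get("roles", []))


def client_roles(claims: dict, client_id: str) -> set:
    """Client-level roles: resource_access.<client_id>.roles."""
    return set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))


def is_expired(claims: dict, now: float = None) -> bool:
    now = time.time() if now is None else now
    return "exp" in claims and claims["exp"] <= now


def diagnose_admin_call(token: str, needed_role: str = "view-realm", now: float = None) -> str:
    """Explain why GET /admin/realms/{realm}/roles would be refused for this token."""
    claims = decode_payload(token)
    if is_expired(claims, now):
        return "expired: exp=%d" % claims["exp"]
    if needed_role in client_roles(claims, REALM_MANAGEMENT):
        return "ok"
    return ("missing %s on client %s: either the user lacks the role mapping "
            "or the client's scope does not let the role into the access token"
            % (needed_role, REALM_MANAGEMENT))


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed sample token with a dummy signature, for the demo only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return header + "." + payload + ".sig"


# Constructed sample claims shaped like a Keycloak 1.x access token (not real tokens).
SAMPLE_OK = make_unsigned_token({
    "sub": "constructed-user-id", "exp": 4102444800,  # expires in the year 2100
    "realm_access": {"roles": ["user"]},
    "resource_access": {REALM_MANAGEMENT: {"roles": ["realm-admin", "view-realm"]}},
})
SAMPLE_NO_SCOPE = make_unsigned_token({
    "sub": "constructed-user-id", "exp": 4102444800,
    "realm_access": {"roles": ["user"]},
    "resource_access": {"account": {"roles": ["view-profile"]}},
})

if __name__ == "__main__":
    for name, tok in (("ok", SAMPLE_OK), ("no-scope", SAMPLE_NO_SCOPE)):
        print(name, "->", diagnose_admin_call(tok))
```

To use it on a real token, paste the value the servlet logs from getTokenString() into decode_payload(). Stephen mapped realm-admin, which is a composite role; Keycloak lists the expanded effective roles in the token, so view-realm is what the check looks for. If the role is present in the admin console but absent from the token, the client's scope is the problem, which is the second branch of Marek's answer.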
From stephen.more at gmail.com  Sun Jul 12 09:32:33 2015
From: stephen.more at gmail.com (Stephen More)
Date: Sun, 12 Jul 2015 09:32:33 -0400
Subject: [keycloak-user] Multi tenant plus administration Rest api
In-Reply-To:
References: <559BDD56.90308@redhat.com> <559CF96A.2020004@redhat.com>
Message-ID:

Everything seems to be working now.
I have created a pull request: https://github.com/keycloak/keycloak/pull/1445
Hopefully this will help someone else out in the future.

On Jul 11, 2015 7:33 AM, "Stephen More" wrote:

> I added:
>     "realm-management": [ "realm-admin" ],
> to:
>     "clientRoles": {
>
> Now I am getting:
> 07:25:37,948 WARN  [org.jboss.resteasy.core.ExceptionHandler] (default task-92) Failed executing GET /admin/realms/tenant1/roles: org.jboss.resteasy.spi.UnauthorizedException: Bearer
>     at org.keycloak.services.resources.admin.AdminRoot.authenticateRealmAdminRequest(AdminRoot.java:152)
>     at org.keycloak.services.resources.admin.AdminRoot.getRealmsAdmin(AdminRoot.java:183)
>     at sun.reflect.GeneratedMethodAccessor339.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:606)
>
>
>
> On Wed, Jul 8, 2015 at 6:20 AM, Marek Posolda wrote:
>
>> It looks like authorization issue. Your user either doesn't have
>> required roles or your client is missing scopes (which means that roles are
>> not propagated to accessToken).
>>
>> To just view roles, you need role "view-realm" of client
>> "realm-management" .
>>
>> Marek
>>
>>
>> On 7.7.2015 18:46, Stephen More wrote:
>>
>> I have tried to add:
>>     org.keycloak.representations.IDToken idToken = principal.getKeycloakSecurityContext().getIdToken();
>>     org.keycloak.representations.AccessToken token = principal.getKeycloakSecurityContext().getToken();
>>
>>     writer.write("<br>Access Token id: " + token.getId());
>>     writer.write("<br>Access Token String: " + principal.getKeycloakSecurityContext().getTokenString());
>>     writer.write("<br>ID Token id: " + idToken.getId());
>>     writer.write("<br>ID Token String: " + principal.getKeycloakSecurityContext().getIdTokenString());
>>
>>     writer.write(String.format("<a href=\"/multitenant/%s/logout\">Logout</a>", realm));
>>
>>     try
>>     {
>>         java.net.URL url = new java.net.URL( "http://localhost:8080/auth/admin/realms/" + principal.getKeycloakSecurityContext().getRealm() + "/roles" );
>>         java.net.HttpURLConnection conn = (java.net.HttpURLConnection)url.openConnection();
>>         conn.setRequestMethod( "GET" );
>>         conn.setRequestProperty("Authorization", "Bearer " + principal.getKeycloakSecurityContext().getTokenString());
>>         java.io.BufferedReader in = new java.io.BufferedReader( new java.io.InputStreamReader( conn.getInputStream()));
>>         String line;
>>         while ((line = in.readLine()) != null)
>>         {
>>             writer.write( line );
>>         }
>>         in.close();
>>     }
>>     catch( Exception e )
>>     {
>>         e.printStackTrace();
>>     }
>>
>> to
>> keycloak-demo-1.3.1.Final/examples/multi-tenant/src/main/java/org/keycloak/example/multitenant/boundary/ProtectedServlet.java
>>
>> But I am getting an error:
>> 12:28:28,317 WARN  [org.jboss.resteasy.core.ExceptionHandler] (default task-16) Failed executing GET /admin/realms/tenant1/roles: org.keycloak.services.ForbiddenException
>>
>>
>> In stepping through the AdminClient of the admin-access-app I have found
>> an example bearer token was 1157 characters long.
>>
>> principal.getKeycloakSecurityContext().getIdTokenString() turned out to
>> be 645 characters long.
>>
>> principal.getKeycloakSecurityContext().getTokenString() turned out to be
>> 865 characters long.
>>
>>
>> What is it that I am missing ?
>>
>> On Tue, Jul 7, 2015 at 10:08 AM, Bill Burke wrote:
>>
>>> The access token should already be available.
>>>
>>> On 7/7/2015 10:01 AM, Stephen More wrote:
>>> > Or perhaps a better question would be: Once a user is already logged
>>> > into keycloak, how can a
>>> > org.keycloak.representations.AccessTokenResponse without providing a
>>> > password a second time ?
>>> >
>>> > On Sun, Jul 5, 2015 at 12:00 PM, Stephen More wrote:
>>> >
>>> >     How could I extend the multi-tenant example (
>>> >     https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant
>>> >     ) to make a Rest admin api call back to keycloak using java ?
>>> >
>>> >     I think this would be a helpful example in upcoming releases.
>>> >
>>> >     Thanks
>>> >
>>> >
>>> >
>>> >
>>> >     _______________________________________________
>>> >     keycloak-user mailing list
>>> >     keycloak-user at lists.jboss.org
>>> >     https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> >
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>

From peterson.dean at gmail.com  Sun Jul 12 21:48:36 2015
From: peterson.dean at gmail.com (Dean Peterson)
Date: Sun, 12 Jul 2015 20:48:36 -0500
Subject: [keycloak-user] Steam OpenId
Message-ID:

This question is for a side project I am working on. I am trying to set up
Keycloak to allow users to log in with their OpenId Steam account. Steam
uses OpenId 2.0. It seems they do not require or even have client ids and
secrets. Only the authorization endpoint is needed. Is Keycloak capable of
implementing logins and linking existing Keycloak accounts with Steam
accounts? Keycloak required I enter a client id and client secret but Steam
does not have such a thing.
http://steamcommunity.com/dev

From eugene.chow.ct at gmail.com  Mon Jul 13 05:20:55 2015
From: eugene.chow.ct at gmail.com (Eugene Chow)
Date: Mon, 13 Jul 2015 17:20:55 +0800
Subject: [keycloak-user] Dump user profile data from Social Identity Provider
Message-ID:

Hi, I have a Keycloak 1.2.0 installation that authenticates against a custom OpenID Connect provider. I need to see the JSON response from the social provider. The documentation says to set org.keycloak.social.user_profile_dump to DEBUG. I've added the following to standalone.xml as such, but I don't see any JSON output in the log. Is this configuration correct?

...

Thanks!
Eugene

From stian at redhat.com  Mon Jul 13 05:56:47 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 13 Jul 2015 05:56:47 -0400 (EDT)
Subject: [keycloak-user] Upgrading is a giant pain
In-Reply-To:
References:
Message-ID: <1236400059.37029798.1436781407483.JavaMail.zimbra@redhat.com>

Upgrading from Beta to Final is expected to work. So if you have a problem with that create a jira and we'll fix it.

----- Original Message -----
> From: "Dean Peterson"
> To: keycloak-user at lists.jboss.org
> Sent: Friday, 10 July, 2015 8:22:00 PM
> Subject: Re: [keycloak-user] Upgrading is a giant pain
>
> I no longer pull down masters because the releases have been working for me.
> The documentation says I should be able to upgrade from beta versions to
> newer releases. This latest problem happened even when I was trying to go
> from 1.2.0.Beta3 to 1.2.0.Final. Since that did not work, I waited a while
> hoping a later version would improve the situation. People often do what
> they are not supposed to. Expecting people to only upgrade from Final
> release to Final release seems like wishful thinking and may lead to unhappy
> customers, even if they are wrong.
>
> On Fri, Jul 10, 2015 at 11:53 AM, Dean Peterson < peterson.dean at gmail.com > wrote:
>
>
>
> I wish Keycloak had a one button click mechanism for upgrading the
> application. I use Discourse ( http://www.discourse.org/ ) for messaging in
> my application. I run Keycloak inside a Docker container just like
> Discourse. Discourse gives me an admin landing page that tells me every time
> I log in if I am up to date. If I am not, a little sad face tells me I need
> to upgrade. All I have to do to upgrade is click a button and everything
> happens automatically. The data is migrated, the docker container is updated
> and the application is redeployed. It never fails and takes 5 minutes. Every
> time I need to upgrade Keycloak it is a month-long ordeal. The database
> migration never works. I always have to export the data as json, then upload
> the file after I manage to get a fresh install of the latest version up and
> running. I understand Keycloak has a lot of parts and I really like it, but
> I wish the upgrade process would get some attention. It is a very painful
> process at the moment.
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From stian at redhat.com  Mon Jul 13 06:02:12 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 13 Jul 2015 06:02:12 -0400 (EDT)
Subject: [keycloak-user] Steam OpenId
In-Reply-To:
References:
Message-ID: <314258313.37031246.1436781732731.JavaMail.zimbra@redhat.com>

We don't support OpenID 2.0 and won't add it as it's been superseded by OpenID Connect. However, you should be able to add a custom identity provider for Steam or OpenID 2 yourself.

----- Original Message -----
> From: "Dean Peterson"
> To: keycloak-user at lists.jboss.org
> Sent: Monday, 13 July, 2015 3:48:36 AM
> Subject: [keycloak-user] Steam OpenId
>
> This question is for a side project I am working on. I am trying to set up
> Keycloak to allow users to log in with their OpenId Steam account. Steam
> uses OpenId 2.0. It seems they do not require or even have client ids and
> secrets. Only the authorization endpoint is needed. Is Keycloak capable of
> implementing logins and linking existing Keycloak accounts with Steam
> accounts? Keycloak required I enter a client id and client secret but Steam
> does not have such a thing.
>
> http://steamcommunity.com/dev
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From stian at redhat.com  Mon Jul 13 06:04:31 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 13 Jul 2015 06:04:31 -0400 (EDT)
Subject: [keycloak-user] params on my url get duplicated on angular app on reload
In-Reply-To:
References:
Message-ID: <883772991.37031647.1436781871727.JavaMail.zimbra@redhat.com>

Are you using keycloak.js? The code and state params should be stripped from the url after login by keycloak.js.

----- Original Message -----
> From: "Juan Diego"
> To: "keycloak-user"
> Sent: Friday, 10 July, 2015 6:48:53 PM
> Subject: [keycloak-user] params on my url get duplicated on angular app on reload
>
> Hi,
>
> I don't know if it is a problem of my code but for example I see my page
>
> http://localhost/index.html
> then I load and I see something like
>
> http://localhost/index.html?prompt=none&code=jYy-h3j8F8O6hruPRUF0lO8eisDwbrRAtA3yzag0epg.05b27843-6c0b-4be6-83fc-a27afe108c50&state=80c3e263-0a89-4853-86b2-61e7f675b609
>
> If I keep reloading my page I keep seeing
> prompt=none&code=jYy-h3j8F8O6hruPRUF0lO8eisDwbrRAtA3yzag0epg.05b27843-6c0b-4be6-83fc-a27afe108c50&state=80c3e263-0a89-4853-86b2-61e7f675b609
> added over and over
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From peterson.dean at gmail.com  Mon Jul 13 07:33:18 2015
From: peterson.dean at gmail.com (Dean Peterson)
Date: Mon, 13 Jul 2015 07:33:18 -0400
Subject: [keycloak-user] Upgrading is a giant pain
In-Reply-To: <1236400059.37029798.1436781407483.JavaMail.zimbra@redhat.com>
References: <1236400059.37029798.1436781407483.JavaMail.zimbra@redhat.com>
Message-ID:

Marek already fixed my problem.

On Jul 13, 2015 4:56 AM, "Stian Thorgersen" wrote:

> Upgrading from Beta to Final is expected to work. So if you have a problem
> with that create a jira and we'll fix it.
>
> ----- Original Message -----
> > From: "Dean Peterson"
> > To: keycloak-user at lists.jboss.org
> > Sent: Friday, 10 July, 2015 8:22:00 PM
> > Subject: Re: [keycloak-user] Upgrading is a giant pain
> >
> > I no longer pull down masters because the releases have been working for me.
> > The documentation says I should be able to upgrade from beta versions to
> > newer releases. This latest problem happened even when I was trying to go
> > from 1.2.0.Beta3 to 1.2.0.Final. Since that did not work, I waited a while
> > hoping a later version would improve the situation. People often do what
> > they are not supposed to. Expecting people to only upgrade from Final
> > release to Final release seems like wishful thinking and may lead to unhappy
> > customers, even if they are wrong.
> >
> > On Fri, Jul 10, 2015 at 11:53 AM, Dean Peterson < peterson.dean at gmail.com > wrote:
> >
> >
> >
> > I wish Keycloak had a one button click mechanism for upgrading the
> > application. I use Discourse ( http://www.discourse.org/ ) for messaging in
> > my application. I run Keycloak inside a Docker container just like
> > Discourse. Discourse gives me an admin landing page that tells me every time
> > I log in if I am up to date. If I am not, a little sad face tells me I need
> > to upgrade. All I have to do to upgrade is click a button and everything
> > happens automatically. The data is migrated, the docker container is updated
> > and the application is redeployed. It never fails and takes 5 minutes. Every
> > time I need to upgrade Keycloak it is a month-long ordeal. The database
> > migration never works. I always have to export the data as json, then upload
> > the file after I manage to get a fresh install of the latest version up and
> > running. I understand Keycloak has a lot of parts and I really like it, but
> > I wish the upgrade process would get some attention. It is a very painful
> > process at the moment.
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
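The problem Dean refers to here is the one Marek answered in the "Still getting index error" thread above, and the fix he gave for 1.3.1 is a three-step procedure that is easy to get wrong by hand: boot once against the clean database so the master realm exists, stop, then boot again with the keycloak.migration.* system properties. The script below is an added example, not code from the thread or from the Keycloak project, that drives those steps with a readiness check between them and validates the realm file before any server is started. KC_HOME, the readiness URL and the bin/standalone.sh launcher are assumptions about a default Keycloak 1.3.x standalone install; the sample realm file it writes is constructed for the demonstration.

```python
"""Two-phase single-file realm import for Keycloak 1.3.1 (added example, not from the thread).

Phase 1 boots against the clean DB so the master realm is created, then stops.
Phase 2 boots with the -Dkeycloak.migration.* properties Marek lists.
"""
import json
import os
import subprocess
import sys
import tempfile
import time
import urllib.request

KC_HOME = os.environ.get("KC_HOME", "/opt/keycloak")                       # assumed install dir
READY_URL = os.environ.get("KC_READY_URL", "http://localhost:8080/auth/")  # assumed base URL


def import_properties(realm_file):
    """Return the system properties from the thread for one realm export file.

    Validates the file first: a missing path or a document that is not a realm
    export would start a server that imports nothing and hide the real error.
    """
    if not os.path.isfile(realm_file):
        raise FileNotFoundError(realm_file)
    with open(realm_file, "rb") as fh:
        document = json.load(fh)
    if not isinstance(document, dict) or "realm" not in document:
        raise ValueError("%s does not look like a realm export (no top-level 'realm')" % realm_file)
    return [
        "-Dkeycloak.migration.action=import",
        "-Dkeycloak.migration.provider=singleFile",
        "-Dkeycloak.migration.file=" + os.path.abspath(realm_file),
    ]


def wait_ready(url=READY_URL, timeout=180.0, interval=2.0):
    """Poll until the server answers HTTP; on a clean DB that means the master realm exists."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        try:
            urllib.request.urlopen(url, timeout=5).close()
            return True
        except OSError:          # connection refused, timeout, or an HTTP error while booting
            time.sleep(interval)
    return False


def boot_once(extra_args, kc_home=KC_HOME):
    """Start standalone.sh with extra JVM properties, wait until it is ready, then stop it."""
    launcher = os.path.join(kc_home, "bin", "standalone.sh")  # assumed launcher path
    proc = subprocess.Popen([launcher] + list(extra_args))
    try:
        if not wait_ready():
            raise RuntimeError("Keycloak did not become ready within the timeout")
    finally:
        proc.terminate()  # assumes standalone.sh forwards SIGTERM to the JVM it started
        proc.wait()


def two_phase_import(realm_file, kc_home=KC_HOME):
    """Run Marek's start / stop / start-with-import sequence and return the properties used."""
    props = import_properties(realm_file)  # validate before touching the server
    boot_once([], kc_home)                 # steps 1 and 2: clean boot, then stop
    boot_once(props, kc_home)              # step 3: boot again, import runs during startup
    return props


def write_sample_realm():
    """Write a minimal constructed realm export to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix="-realm.json")
    with os.fdopen(fd, "w") as fh:
        json.dump({"realm": "demo", "enabled": True}, fh)
    return path


if __name__ == "__main__":
    # Usage: python two_phase_import.py /tmp/abecorn-realm.json
    print(two_phase_import(sys.argv[1]))
```

The validation step is the part worth keeping even if you script the boots differently: the migration properties are read once at startup, so a wrong path fails silently and you end up debugging the database instead of the file name.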
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150713/4b5ceb6f/attachment.html From peterson.dean at gmail.com Mon Jul 13 07:43:28 2015 From: peterson.dean at gmail.com (Dean Peterson) Date: Mon, 13 Jul 2015 07:43:28 -0400 Subject: [keycloak-user] Steam OpenId In-Reply-To: <314258313.37031246.1436781732731.JavaMail.zimbra@redhat.com> References: <314258313.37031246.1436781732731.JavaMail.zimbra@redhat.com> Message-ID: Ah yes, I see you have a nice way to add custom implementations without having to modify Keycloak directly. Thanks! On Jul 13, 2015 5:02 AM, "Stian Thorgersen" wrote: > We don't support OpenID 2.0 and won't add it as it's been superseded by > OpenID Connect. However, you should be able add a custom identity provider > for Steam or OpenID 2 yourself. > > ----- Original Message ----- > > From: "Dean Peterson" > > To: keycloak-user at lists.jboss.org > > Sent: Monday, 13 July, 2015 3:48:36 AM > > Subject: [keycloak-user] Steam OpenId > > > > This question is for a side project I am working on. I am trying to set > up > > Keycloak to allow users to log in with their OpenId Steam account. Steam > > uses OpenId 2.0. It seems they do not require or even have client ids and > > secrets. Only the authorization endpoint is needed. Is Keycloak capable > of > > implementing log ins and linking existing Keycloak accounts with Steam > > accounts? Keycloak required I enter a client id and client secret but > Steam > > does not have such a thing. > > > > http://steamcommunity.com/dev > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
From bburke at redhat.com Mon Jul 13 08:24:40 2015 From: bburke at redhat.com (Bill Burke) Date: Mon, 13 Jul 2015 08:24:40 -0400 Subject: [keycloak-user] Steam OpenId In-Reply-To: References: Message-ID: <55A3AE08.4090704@redhat.com> OpenID is different than OpenID Connect. We don't support OpenID. On 7/12/2015 9:48 PM, Dean Peterson wrote: > This question is for a side project I am working on. I am trying to set > up Keycloak to allow users to log in with their OpenId Steam account. > Steam uses OpenId 2.0. It seems they do not require or even have client > ids and secrets. Only the authorization endpoint is needed. Is > Keycloak capable of implementing log ins and linking existing Keycloak > accounts with Steam accounts? Keycloak required I enter a client id and > client secret but Steam does not have such a thing. > > http://steamcommunity.com/dev > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Mon Jul 13 08:26:01 2015 From: bburke at redhat.com (Bill Burke) Date: Mon, 13 Jul 2015 08:26:01 -0400 Subject: [keycloak-user] Steam OpenId In-Reply-To: References: <314258313.37031246.1436781732731.JavaMail.zimbra@redhat.com> Message-ID: <55A3AE59.3080007@redhat.com> It's not really that nice, but yeah, we have it :) On 7/13/2015 7:43 AM, Dean Peterson wrote: > Ah yes, I see you have a nice way to add custom implementations without > having to modify Keycloak directly. Thanks! > > On Jul 13, 2015 5:02 AM, "Stian Thorgersen" > wrote: > > We don't support OpenID 2.0 and won't add it as it's been superseded > by OpenID Connect. However, you should be able to add a custom identity > provider for Steam or OpenID 2 yourself.
> > ----- Original Message ----- > > From: "Dean Peterson" > > > To: keycloak-user at lists.jboss.org > > > Sent: Monday, 13 July, 2015 3:48:36 AM > > Subject: [keycloak-user] Steam OpenId > > > > This question is for a side project I am working on. I am trying > to set up > > Keycloak to allow users to log in with their OpenId Steam > account. Steam > > uses OpenId 2.0. It seems they do not require or even have client > ids and > > secrets. Only the authorization endpoint is needed. Is Keycloak > capable of > > implementing log ins and linking existing Keycloak accounts with > Steam > > accounts? Keycloak required I enter a client id and client secret > but Steam > > does not have such a thing. > > > > http://steamcommunity.com/dev > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From chenkeong.yap at izeno.com Mon Jul 13 08:33:44 2015 From: chenkeong.yap at izeno.com (chenkeong.yap at izeno.com) Date: Mon, 13 Jul 2015 20:33:44 +0800 Subject: [keycloak-user] IDP User Attributes Message-ID: hi, kindly share how to set the user attributes and retrieve it from sp side using http session? https://docs.jboss.org/author/display/PLINK/SAML2AttributeHandler Regards, CK Yap From bburke at redhat.com Mon Jul 13 08:41:41 2015 From: bburke at redhat.com (Bill Burke) Date: Mon, 13 Jul 2015 08:41:41 -0400 Subject: [keycloak-user] IDP User Attributes In-Reply-To: References: Message-ID: <55A3B205.1050901@redhat.com> Go to your client in the admin console. Click on Mappers. Mappers allow you to map user attributes to SAML attributes. 
Keycloak does not yet have a SAML client adapter, so you still need to use Picketlink's. On 7/13/2015 8:33 AM, chenkeong.yap at izeno.com wrote: > hi, > > kindly share how to set the user attributes and retrieve it from sp side using http session? > > > https://docs.jboss.org/author/display/PLINK/SAML2AttributeHandler > > Regards, > CK Yap > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From chenkeong.yap at izeno.com Mon Jul 13 08:56:31 2015 From: chenkeong.yap at izeno.com (chenkeong.yap at izeno.com) Date: Mon, 13 Jul 2015 20:56:31 +0800 Subject: [keycloak-user] IDP User Attributes In-Reply-To: <55A3B205.1050901@redhat.com> References: <55A3B205.1050901@redhat.com> Message-ID: but we are using keycloak 1.1.0 beta 2 and upgrade is not allowed. please advise if we need to modify the codes? Regards, CK Yap > On 13 Jul 2015, at 8:41 pm, Bill Burke wrote: > > Go to your client in the admin console. Click on Mappers. Mappers > allow you to map user attributes to SAML attributes. > > Keycloak does not yet have a SAML client adapter, so you still need to > use Picketlink's. > >> On 7/13/2015 8:33 AM, chenkeong.yap at izeno.com wrote: >> hi, >> >> kindly share how to set the user attributes and retrieve it from sp side using http session? 
>> >> >> https://docs.jboss.org/author/display/PLINK/SAML2AttributeHandler >> >> Regards, >> CK Yap >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From bburke at redhat.com Mon Jul 13 08:58:45 2015 From: bburke at redhat.com (Bill Burke) Date: Mon, 13 Jul 2015 08:58:45 -0400 Subject: [keycloak-user] IDP User Attributes In-Reply-To: References: <55A3B205.1050901@redhat.com> Message-ID: <55A3B605.30907@redhat.com> We just don't have a way to do this in 1.1.0. Tell your superiors it is more work and more risky to hack Keycloak 1.1 than to upgrade to 1.3.1. On 7/13/2015 8:56 AM, chenkeong.yap at izeno.com wrote: > but we are using keycloak 1.1.0 beta 2 and upgrade is not allowed. please advise if we need to modify the codes? > > Regards, > CK Yap > >> On 13 Jul 2015, at 8:41 pm, Bill Burke wrote: >> >> Go to your client in the admin console. Click on Mappers. Mappers >> allow you to map user attributes to SAML attributes. >> >> Keycloak does not yet have a SAML client adapter, so you still need to >> use Picketlink's. >> >>> On 7/13/2015 8:33 AM, chenkeong.yap at izeno.com wrote: >>> hi, >>> >>> kindly share how to set the user attributes and retrieve it from sp side using http session? 
>>> >>> >>> https://docs.jboss.org/author/display/PLINK/SAML2AttributeHandler >>> >>> Regards, >>> CK Yap >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From Gregor.Tudan at cofinpro.de Mon Jul 13 09:03:06 2015 From: Gregor.Tudan at cofinpro.de (Gregor Tudan) Date: Mon, 13 Jul 2015 13:03:06 +0000 Subject: [keycloak-user] CORS Header for direct grants Message-ID: Hi, I'm having trouble getting correct Access-Control Headers for requests to the openid-connect token endpoint. When asking for a token by code, everything seems fine: * POST /auth/realms/VV/protocol/openid-connect/token HTTP/1.1 Host: fs01e.tech.visualvest.de Connection: keep-alive Content-Length: 303 Origin: http://fe01e.tech.visualvest.de User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Content-type: application/x-www-form-urlencoded Accept: */* DNT: 1 Referer: http://fe01e.tech..de/app/depot/ Accept-Encoding: gzip, deflate Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4 Cookie: KEYCLOAK_LOCALE=de;
KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI1YTI4YTk1MS02ZDY2LTQ1YzEtOTM3Ny0zMjdjYzAwYzA3YjYiLCJleHAiOjE0MzY4MjgyNjIsIm5iZiI6MCwiaWF0IjoxNDM2NzkyMjYyLCJpc3MiOiJodHRwOi8vZnMwMWUudGVjaC52aXN1YWx2ZXN0LmRlL2F1dGgvcmVhbG1zL1ZWIiwic3ViIjoiOWZlNGM3ZWEtYmNjNS00NmY2LWEwMzMtZjllZGE4ZDlmYTVjIiwic2Vzc2lvbl9zdGF0ZSI6ImRkNmE2ZDVjLWRkYjMtNDc3Mi1hZDNkLTk2OGJiMzc1NzdjOSIsInJlc291cmNlX2FjY2VzcyI6e319.PabltPm2_dkWsZ4fwS8jrxTW0qv7nFY2ZkZAjjFozkxP7K8kZcg7We4gzshkqdRF1kfB57_zQFp8BKyRa08hG5zskZk_SmpbOwAoKL2lrME7Zm7ErBSMIF7KZ6ZUIznIu8LTnP0m0mgmReqxNEYtIdim-7sXdfEhws9q-cC4mAQ; KEYCLOAK_SESSION=VV/9fe4c7ea-bcc5-46f6-a033-f9eda8d9fa5c/dd6a6d5c-ddb3-4772-ad3d-968bb37577c9 Content: 1. code=rDhHgSDNa9MgJl9RSqk7TLOByTto2A20AEZy_EQY5Is.03b568e4-adcd-4c7d-bc81-44fded29be61&grant_type=authorization_code&client_id=vv-frontend&redirect_uri= But when I request a token by direct grant, the CORS-Headers are missing: 1. POST /auth/realms/VV/protocol/openid-connect/token HTTP/1.1 Host: fs01e.tech.visualvest.de Connection: keep-alive Content-Length: 69 Accept: application/json Origin: http://localhost:8000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Content-type: application/x-www-form-urlencoded DNT: 1 Referer: http://localhost:8000/app/depot/ Accept-Encoding: gzip, deflate Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4 Content 1. username=dirk&password=dirk&client_id=vv-frontend&grant_type=password Am I missing something? Thanks, Gregor
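The replies that follow in this thread settle the question in two steps: the code-flow response carries CORS headers only when the request's Origin is in the client's registered web origins, and the direct (password) grant gets no CORS headers at all. The policy function below models that decision so the two requests above can be checked side by side. This is an added example, not code from the thread or from Keycloak itself; the client registry, the exact header set, the request parser and the two sample requests (with the authorization code and the user credentials replaced by placeholders) are constructed for illustration and may differ from what Keycloak's own token endpoint does.

```python
"""Which CORS headers should an OIDC token endpoint add?

Added example; this is not code from the thread or from Keycloak. It
models the behaviour described in this thread: a browser request to the
token endpoint gets Access-Control headers only when its Origin is one of
the client's registered "Web Origins", and the direct (password) grant
gets no CORS headers at all. The client registry, header names and sample
requests below are constructed for illustration.
"""
from urllib.parse import parse_qs

# Constructed stand-in for the client's "Web Origins" setting (hypothetical).
CLIENT_WEB_ORIGINS = {
    "vv-frontend": {"http://fe01e.tech.visualvest.de"},
}


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def cors_headers_for_token_request(raw, client_web_origins=CLIENT_WEB_ORIGINS):
    """Return the CORS response headers to add for one token request.

    An empty dict means the browser will refuse to expose the cross-origin
    response to the page, which is what the direct grant in the thread sees.
    """
    _method, _path, headers, body = parse_http_request(raw)
    origin = headers.get("origin")
    if origin is None:
        return {}  # same-origin or non-browser client: nothing to add

    form = parse_qs(body)
    grant_type = form.get("grant_type", [""])[0]
    client_id = form.get("client_id", [""])[0]

    # The resource owner password grant is not meant for browser apps,
    # so it gets no CORS headers (the position stated in the thread).
    if grant_type != "authorization_code":
        return {}

    # Exact-match allowlist per client; never reflect Origin unchecked,
    # since that would let any page read the token response.
    if origin not in client_web_origins.get(client_id, set()):
        return {}

    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


# Constructed sample requests, shaped like the two in the thread with the
# authorization code and the user credentials replaced by placeholders.
CODE_REQUEST = (
    "POST /auth/realms/VV/protocol/openid-connect/token HTTP/1.1\r\n"
    "Host: fs01e.tech.visualvest.de\r\n"
    "Origin: http://fe01e.tech.visualvest.de\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "code=CODE_PLACEHOLDER&grant_type=authorization_code"
    "&client_id=vv-frontend&redirect_uri="
)

PASSWORD_REQUEST = (
    "POST /auth/realms/VV/protocol/openid-connect/token HTTP/1.1\r\n"
    "Host: fs01e.tech.visualvest.de\r\n"
    "Origin: http://localhost:8000\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=USER_PLACEHOLDER&password=PASSWORD_PLACEHOLDER"
    "&client_id=vv-frontend&grant_type=password"
)

if __name__ == "__main__":
    print("code exchange:", cors_headers_for_token_request(CODE_REQUEST))
    print("direct grant: ", cors_headers_for_token_request(PASSWORD_REQUEST))
```

Adding http://localhost:8000 to the client's web origins changes nothing for the second request, because the grant-type check runs before the origin check; that is the outcome the thread arrives at. The origin check is an exact match against a per-client set rather than an echo of whatever Origin the browser sent, because a token endpoint that reflected arbitrary origins would let any page read the token response.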
From stian at redhat.com Mon Jul 13 09:14:36 2015 From: stian at redhat.com (Stian Thorgersen) Date: Mon, 13 Jul 2015 09:14:36 -0400 (EDT) Subject: [keycloak-user] CORS Header for direct grants In-Reply-To: References: Message-ID: <218758071.37140932.1436793276961.JavaMail.zimbra@redhat.com> Did you add http://localhost:8000 to the clients web origins? ----- Original Message ----- > From: "Gregor Tudan" > To: keycloak-user at lists.jboss.org > Sent: Monday, 13 July, 2015 3:03:06 PM > Subject: [keycloak-user] CORS Header for direct grants > > Hi, > > I'm having trouble getting correct Access-Control Headers for requests to the > openid-connect token endpoint. When asking for a token by code, everything > seems fine: > > > > > > 1. POST /auth/realms/VV/protocol/openid-connect/token HTTP/1.1 Host: > fs01e.tech.visualvest.de Connection: keep-alive Content-Length: 303 > Origin: http://fe01e.tech.visualvest.de User-Agent: Mozilla/5.0 > (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like > Gecko) Chrome/43.0.2357.132 Safari/537.36 Content-type: > application/x-www-form-urlencoded Accept: */* DNT: 1 Referer: > http://fe01e.tech..de/app/depot/ Accept-Encoding: gzip, > deflate Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4 Cookie: > KEYCLOAK_LOCALE=de; > KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI1YTI4YTk1MS02ZDY2LTQ1YzEtOTM3Ny0zMjdjYzAwYzA3YjYiLCJleHAiOjE0MzY4MjgyNjIsIm5iZiI6MCwiaWF0IjoxNDM2NzkyMjYyLCJpc3MiOiJodHRwOi8vZnMwMWUudGVjaC52aXN1YWx2ZXN0LmRlL2F1dGgvcmVhbG1zL1ZWIiwic3ViIjoiOWZlNGM3ZWEtYmNjNS00NmY2LWEwMzMtZjllZGE4ZDlmYTVjIiwic2Vzc2lvbl9zdGF0ZSI6ImRkNmE2ZDVjLWRkYjMtNDc3Mi1hZDNkLTk2OGJiMzc1NzdjOSIsInJlc291cmNlX2FjY2VzcyI6e319.PabltPm2_dkWsZ4fwS8jrxTW0qv7nFY2ZkZAjjFozkxP7K8kZcg7We4gzshkqdRF1kfB57_zQFp8BKyRa08hG5zskZk_SmpbOwAoKL2lrME7Zm7ErBSMIF7KZ6ZUIznIu8LTnP0m0mgmReqxNEYtIdim-7sXdfEhws9q-cC4mAQ; >
KEYCLOAK_SESSION=VV/9fe4c7ea-bcc5-46f6-a033-f9eda8d9fa5c/dd6a6d5c-ddb3-4772-ad3d-968bb37577c9 > > Content: > > > 1. > code=rDhHgSDNa9MgJl9RSqk7TLOByTto2A20AEZy_EQY5Is.03b568e4-adcd-4c7d-bc81-44fded29be61&grant_type=authorization_code&client_id=vv-frontend&redirect_uri= > But when I request a token by direct grant, the CORS-Headers are missing: > > > > 1. POST /auth/realms/VV/protocol/openid-connect/token HTTP/1.1 Host: > fs01e.tech.visualvest.de Connection: keep-alive Content-Length: 69 > Accept: application/json Origin: http://localhost:8000 User-Agent: > Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 > (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Content-type: > application/x-www-form-urlencoded DNT: 1 Referer: > http://localhost:8000/app/depot/ Accept-Encoding: gzip, deflate > Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4 > Content > > > 1. username=dirk&password=dirk&client_id=vv-frontend&grant_type=password > Am I missing something? > > Thanks, > Gregor > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From Gregor.Tudan at cofinpro.de Mon Jul 13 10:07:12 2015 From: Gregor.Tudan at cofinpro.de (Gregor Tudan) Date: Mon, 13 Jul 2015 14:07:12 +0000 Subject: [keycloak-user] CORS Header for direct grants In-Reply-To: <218758071.37140932.1436793276961.JavaMail.zimbra@redhat.com> References: <218758071.37140932.1436793276961.JavaMail.zimbra@redhat.com> Message-ID: Hi Stian, I'm aware that I'm comparing different request here (code vs. password - I just had them at hands). But is that relevant in terms of the CORS-Headers returned? Thanks, Gregor Am 13.
Juli 2015 bei 15:14:42, Stian Thorgersen (stian at redhat.com) schrieb: 20AEZy_EQY5Is.03b568e4-adcd-4c7d-bc81-44fded29be61&grant_type=authorization_code&client_id=vv-frontend&redirect_uri= > But when I request a token by direct grant, the CORS-Headers are missing: > > > > 1. POST /auth/realms/VV/protocol/openid-connect/token HTTP/1.1 Host: > fs01e.tech.visualvest.de Connection: keep-alive Content-Length: 69 > Accept: application/json Origin: http://localhost:8000 User-Agent: > Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 > (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Content-type: > application/x-www-form-urlencoded DNT: 1 Referer: > http://localhost:8000/app/depot/ Accept-Encoding: gzip, deflate > Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4 > Content > > > 1. username=dirk&password=dirk&client_id=vv-frontend&grant_type=password > Am I missing something? > > Thanks, > Gregor > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user OCALE=de; > KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI1YTI4YTk1MS02ZDY2LTQ1YzEtOTM3Ny0zMjdjYzAwYzA3YjYiLCJleHAiOjE0MzY4MjgyNjIsIm5iZiI6MCwiaWF0IjoxNDM2NzkyMjYyLCJpc3MiOiJodHRwOi8vZnMwMWUudGVjaC52aXN1YWx2ZXN0LmRlL2F1dGgvcmVhbG1zL1ZWIiwic3ViIjoiOWZlNGM3ZWEtYmNjNS00NmY2LWEwMzMtZjllZGE4ZDlmYTVjIiwic2Vzc2lvbl9zdGF0ZSI6ImRkNmE2ZDVjLWRkYjMtNDc3Mi1hZDNkLTk2OGJiMzc1NzdjOSIsInJlc291cmNlX2FjY2VzcyI6e319.PabltPm2_dkWsZ4fwS8jrxTW0qv7nFY2ZkZAjjFozkxP7K8kZcg7We4gzshkqdRF1kfB57_zQFp8BKyRa08hG5zskZk_SmpbOwAoKL2lrME7Zm7ErBSMIF7KZ6ZUIznIu8LTnP0m0mgmReqxNEYtIdim-7sXdfEhws9q-cC4mAQ; > KEYCLOAK_SESSION=VV/9fe4c7ea-bcc5-46f6-a033-f9eda8d9fa5c/dd6a6d5c-ddb3-4772-ad3d-968bb37577c9 > > Content: > > > 1. 
> code=rDhHgSDNa9MgJl9RSqk7TLOByTto2A20AEZy_EQY5Is.03b568e4-adcd-4c7d-bc81-44fded29be61&grant_type=authorization_code&client_id=vv-frontend&redirect_uri= > But when I request a token by direct grant, the CORS-Headers are missing: > > > > 1. POST /auth/realms/VV/protocol/openid-connect/token HTTP/1.1 Host: > fs01e.tech.visualvest.de Connection: keep-alive Content-Length: 69 > Accept: application/json Origin: http://localhost:8000 User-Agent: > Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 > (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Content-type: > application/x-www-form-urlencoded DNT: 1 Referer: > http://localhost:8000/app/depot/ Accept-Encoding: gzip, deflate > Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4 > Content > > > 1. username=dirk&password=dirk&client_id=vv-frontend&grant_type=password > Am I missing something? > > Thanks, > Gregor > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From stian at redhat.com Mon Jul 13 10:22:29 2015 From: stian at redhat.com (Stian Thorgersen) Date: Mon, 13 Jul 2015 10:22:29 -0400 (EDT) Subject: [keycloak-user] CORS Header for direct grants In-Reply-To: References: <218758071.37140932.1436793276961.JavaMail.zimbra@redhat.com> Message-ID: <995762602.37191393.1436797349276.JavaMail.zimbra@redhat.com> Ah, sorry missed that. We don't currently add CORS headers for the user credential grant flow as it shouldn't be used by a web application.
----- Original Message ----- > From: "Gregor Tudan" > To: keycloak-user at lists.jboss.org > Sent: Monday, 13 July, 2015 4:07:12 PM > Subject: Re: [keycloak-user] CORS Header for direct grants > > Hi Stian, > > I'm aware that I'm comparing different request here (code vs. password - I > just had them at hands). But is that relevant in terms of the > CORS-Headers returned? > > Thanks, > Gregor > > > > > > > Am 13. Juli 2015 bei 15:14:42, Stian Thorgersen ( stian at redhat.com ) schrieb: > > > 20AEZy_EQY5Is.03b568e4-adcd-4c7d-bc81-44fded29be61&grant_type=authorization_code&client_id=vv-frontend&redirect_uri= > > But when I request a token by direct grant, the CORS-Headers are missing: > > > > > > > > 1. POST /auth/realms/VV/protocol/openid-connect/token HTTP/1.1 Host: > > fs01e.tech.visualvest.de Connection: keep-alive Content-Length: 69 > > Accept: application/json Origin: http://localhost:8000 User-Agent: > > Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 > > (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Content-type: > > application/x-www-form-urlencoded DNT: 1 Referer: > > http://localhost:8000/app/depot/ Accept-Encoding: gzip, deflate > > Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4 > > Content > > > > > > 1. username=dirk&password=dirk&client_id=vv-frontend&grant_type=password > > Am I missing something?
> > > > Thanks, > > Gregor > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > OCALE=de; > > KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI1YTI4YTk1MS02ZDY2LTQ1YzEtOTM3Ny0zMjdjYzAwYzA3YjYiLCJleHAiOjE0MzY4MjgyNjIsIm5iZiI6MCwiaWF0IjoxNDM2NzkyMjYyLCJpc3MiOiJodHRwOi8vZnMwMWUudGVjaC52aXN1YWx2ZXN0LmRlL2F1dGgvcmVhbG1zL1ZWIiwic3ViIjoiOWZlNGM3ZWEtYmNjNS00NmY2LWEwMzMtZjllZGE4ZDlmYTVjIiwic2Vzc2lvbl9zdGF0ZSI6ImRkNmE2ZDVjLWRkYjMtNDc3Mi1hZDNkLTk2OGJiMzc1NzdjOSIsInJlc291cmNlX2FjY2VzcyI6e319.PabltPm2_dkWsZ4fwS8jrxTW0qv7nFY2ZkZAjjFozkxP7K8kZcg7We4gzshkqdRF1kfB57_zQFp8BKyRa08hG5zskZk_SmpbOwAoKL2lrME7Zm7ErBSMIF7KZ6ZUIznIu8LTnP0m0mgmReqxNEYtIdim-7sXdfEhws9q-cC4mAQ; > > KEYCLOAK_SESSION=VV/9fe4c7ea-bcc5-46f6-a033-f9eda8d9fa5c/dd6a6d5c-ddb3-4772-ad3d-968bb37577c9 > > > > Content: > > > > > > 1. > > code=rDhHgSDNa9MgJl9RSqk7TLOByTto2A20AEZy_EQY5Is.03b568e4-adcd-4c7d-bc81-44fded29be61&grant_type=authorization_code&client_id=vv-frontend&redirect_uri= > > But when I request a token by direct grant, the CORS-Headers are missing: > > > > > > > > 1. POST /auth/realms/VV/protocol/openid-connect/token HTTP/1.1 Host: > > fs01e.tech.visualvest.de Connection: keep-alive Content-Length: 69 > > Accept: application/json Origin: http://localhost:8000 User-Agent: > > Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 > > (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Content-type: > > application/x-www-form-urlencoded DNT: 1 Referer: > > http://localhost:8000/app/depot/ Accept-Encoding: gzip, deflate > > Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4 > > Content > > > > > > 1. username=dirk&password=dirk&client_id=vv-frontend&grant_type=password > > Am I missing something? 
> > > > Thanks, > > Gregor > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From Gregor.Tudan at cofinpro.de Mon Jul 13 10:37:24 2015 From: Gregor.Tudan at cofinpro.de (Gregor Tudan) Date: Mon, 13 Jul 2015 14:37:24 +0000 Subject: [keycloak-user] CORS Header for direct grants In-Reply-To: <995762602.37191393.1436797349276.JavaMail.zimbra@redhat.com> References: <218758071.37140932.1436793276961.JavaMail.zimbra@redhat.com> <995762602.37191393.1436797349276.JavaMail.zimbra@redhat.com> Message-ID: I see, so I'll need to think of something else then - I know that this is a stupid use-case, but we have a requirement where the application has to request a token by credentials supplied from elsewhere. :-( Thanks again, Gregor Am 13. Juli 2015 bei 16:22:34, Stian Thorgersen (stian at redhat.com) schrieb: Ah, sorry missed that. We don't currently add CORS headers for the user credential grant flow as it shouldn't be used by a web application. ----- Original Message ----- > From: "Gregor Tudan" > To: keycloak-user at lists.jboss.org > Sent: Monday, 13 July, 2015 4:07:12 PM > Subject: Re: [keycloak-user] CORS Header for direct grants > > Hi Stian, > > I'm aware that I'm comparing different request here (code vs. password - I > just had them at hands). But is that relevant in terms of the > CORS-Headers returned? > > Thanks, > Gregor > > > > > > > Am 13. Juli 2015 bei 15:14:42, Stian Thorgersen ( stian at redhat.com ) schrieb: > > > 20AEZy_EQY5Is.03b568e4-adcd-4c7d-bc81-44fded29be61&grant_type=authorization_code&client_id=vv-frontend&redirect_uri= > > But when I request a token by direct grant, the CORS-Headers are missing: > > > > > > > > 1.
POST /auth/realms/VV/protocol/openid-connect/token HTTP/1.1 Host: > > fs01e.tech.visualvest.de Connection: keep-alive Content-Length: 69 > > Accept: application/json Origin: http://localhost:8000 User-Agent: > > Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 > > (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Content-type: > > application/x-www-form-urlencoded DNT: 1 Referer: > > http://localhost:8000/app/depot/ Accept-Encoding: gzip, deflate > > Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4 > > Content > > > > > > 1. username=dirk&password=dirk&client_id=vv-frontend&grant_type=password > > Am I missing something? > > > > Thanks, > > Gregor > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > OCALE=de; > > KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI1YTI4YTk1MS02ZDY2LTQ1YzEtOTM3Ny0zMjdjYzAwYzA3YjYiLCJleHAiOjE0MzY4MjgyNjIsIm5iZiI6MCwiaWF0IjoxNDM2NzkyMjYyLCJpc3MiOiJodHRwOi8vZnMwMWUudGVjaC52aXN1YWx2ZXN0LmRlL2F1dGgvcmVhbG1zL1ZWIiwic3ViIjoiOWZlNGM3ZWEtYmNjNS00NmY2LWEwMzMtZjllZGE4ZDlmYTVjIiwic2Vzc2lvbl9zdGF0ZSI6ImRkNmE2ZDVjLWRkYjMtNDc3Mi1hZDNkLTk2OGJiMzc1NzdjOSIsInJlc291cmNlX2FjY2VzcyI6e319.PabltPm2_dkWsZ4fwS8jrxTW0qv7nFY2ZkZAjjFozkxP7K8kZcg7We4gzshkqdRF1kfB57_zQFp8BKyRa08hG5zskZk_SmpbOwAoKL2lrME7Zm7ErBSMIF7KZ6ZUIznIu8LTnP0m0mgmReqxNEYtIdim-7sXdfEhws9q-cC4mAQ; > > KEYCLOAK_SESSION=VV/9fe4c7ea-bcc5-46f6-a033-f9eda8d9fa5c/dd6a6d5c-ddb3-4772-ad3d-968bb37577c9 > > > > Content: > > > > > > 1. > > code=rDhHgSDNa9MgJl9RSqk7TLOByTto2A20AEZy_EQY5Is.03b568e4-adcd-4c7d-bc81-44fded29be61&grant_type=authorization_code&client_id=vv-frontend&redirect_uri= > > But when I request a token by direct grant, the CORS-Headers are missing: > > > > > > > > 1. 
POST /auth/realms/VV/protocol/openid-connect/token HTTP/1.1 Host: > > fs01e.tech.visualvest.de Connection: keep-alive Content-Length: 69 > > Accept: application/json Origin: http://localhost:8000 User-Agent: > > Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 > > (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Content-type: > > application/x-www-form-urlencoded DNT: 1 Referer: > > http://localhost:8000/app/depot/ Accept-Encoding: gzip, deflate > > Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4 > > Content > > > > > > 1. username=dirk&password=dirk&client_id=vv-frontend&grant_type=password > > Am I missing something? > > > > Thanks, > > Gregor > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From stian at redhat.com Mon Jul 13 10:44:44 2015 From: stian at redhat.com (Stian Thorgersen) Date: Mon, 13 Jul 2015 10:44:44 -0400 (EDT) Subject: [keycloak-user] CORS Header for direct grants In-Reply-To: References: <218758071.37140932.1436793276961.JavaMail.zimbra@redhat.com> <995762602.37191393.1436797349276.JavaMail.zimbra@redhat.com> Message-ID: <1382673212.37205936.1436798684531.JavaMail.zimbra@redhat.com> It's not a big deal to add CORS support for it, so create a JIRA for it.
Even better provide a PR and it'll be included for the 1.4 release ----- Original Message ----- > From: "Gregor Tudan" > To: "Stian Thorgersen" > Cc: keycloak-user at lists.jboss.org > Sent: Monday, 13 July, 2015 4:37:24 PM > Subject: Re: [keycloak-user] CORS Header for direct grants > > I see, so I'll need to think of something else then - I know that this is a > stupid use-case, but we have a requirement where the application has to > request a token by credentials supplied from elsewhere. :-( > > Thanks again, > Gregor > > > Am 13. Juli 2015 bei 16:22:34, Stian Thorgersen > (stian at redhat.com) schrieb: > > Ah, sorry missed that. We don't currently add CORS headers for the user > credential grant flow as it shouldn't be used by a web application. > > ----- Original Message ----- > > From: "Gregor Tudan" > > To: keycloak-user at lists.jboss.org > > Sent: Monday, 13 July, 2015 4:07:12 PM > > Subject: Re: [keycloak-user] CORS Header for direct grants > > > > Hi Stian, > > > > I'm aware that I'm comparing different request here (code vs. password - I > > just had them at hands). But is that relevant in terms of the > > CORS-Headers returned? > > > > Thanks, > > Gregor > > > > > > > > > > > > > > Am 13. Juli 2015 bei 15:14:42, Stian Thorgersen ( stian at redhat.com ) > > schrieb: > > > > > > 20AEZy_EQY5Is.03b568e4-adcd-4c7d-bc81-44fded29be61&grant_type=authorization_code&client_id=vv-frontend&redirect_uri= > > > But when I request a token by direct grant, the CORS-Headers are missing: > > > > > > > > > > > > 1.
POST /auth/realms/VV/protocol/openid-connect/token HTTP/1.1 Host: > > > fs01e.tech.visualvest.de Connection: keep-alive Content-Length: 69 > > > Accept: application/json Origin: http://localhost:8000 User-Agent: > > > Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 > > > (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Content-type: > > > application/x-www-form-urlencoded DNT: 1 Referer: > > > http://localhost:8000/app/depot/ Accept-Encoding: gzip, deflate > > > Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4 > > > Content > > > > > > > > > 1. username=dirk&password=dirk&client_id=vv-frontend&grant_type=password > > > Am I missing something? > > > > > > Thanks, > > > Gregor > > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > OCALE=de; > > > KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI1YTI4YTk1MS02ZDY2LTQ1YzEtOTM3Ny0zMjdjYzAwYzA3YjYiLCJleHAiOjE0MzY4MjgyNjIsIm5iZiI6MCwiaWF0IjoxNDM2NzkyMjYyLCJpc3MiOiJodHRwOi8vZnMwMWUudGVjaC52aXN1YWx2ZXN0LmRlL2F1dGgvcmVhbG1zL1ZWIiwic3ViIjoiOWZlNGM3ZWEtYmNjNS00NmY2LWEwMzMtZjllZGE4ZDlmYTVjIiwic2Vzc2lvbl9zdGF0ZSI6ImRkNmE2ZDVjLWRkYjMtNDc3Mi1hZDNkLTk2OGJiMzc1NzdjOSIsInJlc291cmNlX2FjY2VzcyI6e319.PabltPm2_dkWsZ4fwS8jrxTW0qv7nFY2ZkZAjjFozkxP7K8kZcg7We4gzshkqdRF1kfB57_zQFp8BKyRa08hG5zskZk_SmpbOwAoKL2lrME7Zm7ErBSMIF7KZ6ZUIznIu8LTnP0m0mgmReqxNEYtIdim-7sXdfEhws9q-cC4mAQ; > > > KEYCLOAK_SESSION=VV/9fe4c7ea-bcc5-46f6-a033-f9eda8d9fa5c/dd6a6d5c-ddb3-4772-ad3d-968bb37577c9 > > > > > > Content: > > > > > > > > > 1. > > > code=rDhHgSDNa9MgJl9RSqk7TLOByTto2A20AEZy_EQY5Is.03b568e4-adcd-4c7d-bc81-44fded29be61&grant_type=authorization_code&client_id=vv-frontend&redirect_uri= > > > But when I request a token by direct grant, the CORS-Headers are missing: > > > > > > > > > > > > 1. 
POST /auth/realms/VV/protocol/openid-connect/token HTTP/1.1 Host: > > > fs01e.tech.visualvest.de Connection: keep-alive Content-Length: 69 > > > Accept: application/json Origin: http://localhost:8000 User-Agent: > > > Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 > > > (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Content-type: > > > application/x-www-form-urlencoded DNT: 1 Referer: > > > http://localhost:8000/app/depot/ Accept-Encoding: gzip, deflate > > > Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4 > > > Content > > > > > > > > > 1. username=dirk&password=dirk&client_id=vv-frontend&grant_type=password > > > Am I missing something? > > > > > > Thanks, > > > Gregor > > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > From juandiego83 at gmail.com Mon Jul 13 12:57:07 2015 From: juandiego83 at gmail.com (Juan Diego) Date: Mon, 13 Jul 2015 11:57:07 -0500 Subject: [keycloak-user] Getting the user id from the access token In-Reply-To: <55A0D9CC.9040808@redhat.com> References: <55A04D09.6060803@xigole.com> <55A0541B.50007@xigole.com> <55A0D9CC.9040808@redhat.com> Message-ID: Ok, I was using getId() ok got it On Sat, Jul 11, 2015 at 3:54 AM, Marek Posolda wrote: > I suggest to look into our demo, which handles this well and shows > various info about user: > https://github.com/keycloak/keycloak/tree/master/examples/demo-template > > By default, the User ID can be obtained directly from the principal > (unless you're configure "principal-attribute" in your keycloak.json ) : > > String userId = kcPrincipal.getName(); > > From access token it can be obtained as well: > > String userId = accessToken.getSubject() > > 
See the example on how to retrieve more user data (but it's pretty > straightforward from the getter methods. Like getter for email as Scott > pointed) > > Marek > > > On 11.7.2015 01:27, Juan Diego wrote: > > Are you identifying you user mainly by the email? > > On Fri, Jul 10, 2015 at 6:24 PM, Scott Dunbar wrote: > >> It is injected into the bean - sorry, might not have been enough code >> before. A small example: >> >> import javax.annotation.Resource; >> import javax.annotation.security.RolesAllowed; >> import javax.ejb.SessionContext; >> import javax.ejb.Stateless; >> import javax.ws.rs.GET; >> import javax.ws.rs.Path; >> import javax.ws.rs.Produces; >> import javax.ws.rs.core.MediaType; >> import javax.ws.rs.core.Response; >> >> import org.apache.commons.logging.Log; >> import org.apache.commons.logging.LogFactory; >> >> import org.keycloak.KeycloakPrincipal; >> import org.keycloak.KeycloakSecurityContext; >> import org.keycloak.representations.IDToken; >> >> @Path("/user") >> @Stateless >> public class UserService { >> private static final Log log = LogFactory.getLog(UserService.class); >> >> @Resource >> private SessionContext sessionContext; >> >> @Path("/getCurrentUserInfo") >> @Produces({ MediaType.APPLICATION_JSON }) >> @GET >> @RolesAllowed({"someRole"}) >> public Response getCurrentUser() { >> >> @SuppressWarnings("unchecked") >> KeycloakPrincipal kcPrincipal = (KeycloakPrincipal)(sessionContext.getCallerPrincipal()); >> IDToken idToken = kcPrincipal.getKeycloakSecurityContext().getIdToken(); >> >> log.debug( "email from token is \"" + idToken.getEmail() + "\"" ); >> >> // your return is likely something more useful >> return Response.ok().build(); >> } >> } >> >> >> Your use case might be different but this is how it is working for me. >> Again, there may be a better way. >> >> >> >> >> On 07/10/2015 05:01 PM, Juan Diego wrote: >> >> Where do you get sessionContext from? 
>>
>> On Fri, Jul 10, 2015 at 5:54 PM, Scott Dunbar wrote:
>>
>>> I use something like:
>>>
>>> import org.keycloak.KeycloakPrincipal;
>>> import org.keycloak.KeycloakSecurityContext;
>>> import org.keycloak.representations.IDToken;
>>>
>>> ...
>>>
>>> @Resource
>>> private SessionContext sessionContext;
>>>
>>> ...
>>>
>>> @SuppressWarnings("unchecked")
>>> KeycloakPrincipal kcPrincipal = (KeycloakPrincipal)(sessionContext.getCallerPrincipal());
>>> IDToken idToken = kcPrincipal.getKeycloakSecurityContext().getIdToken();
>>>
>>> log.debug( "email from token is \"" + idToken.getEmail() + "\"" );
>>>
>>>
>>> Not sure if that's the recommended way but it works well.
>>>
>>>
>>> On 07/10/2015 04:48 PM, Juan Diego wrote:
>>>
>>> Hi
>>>
>>> I want to be able to update the user password and some preferences from my web app. In order to update some of the user info from my portal, I can see in the REST API that you need the user ID.
>>> I have a backend with Java that should connect to my Keycloak server once it gets the token:
>>>
>>> KeycloakSecurityContext securityContext = (KeycloakSecurityContext) httpRequest.getAttribute(KeycloakSecurityContext.class.getName());
>>>
>>> AccessToken accessToken = securityContext.getToken();
>>>
>>> I don't know how to get info from the accessToken, or does the access token class already have methods to do that? I know this is more of a question of design. This part is not really clear to me.
>>>
>>> Thanks
>>>
>>>
>>> --
>>> Scott Dunbar
>>> Xigole Systems, Inc.
>>> Enterprise consulting, development, and hosting
>>> 303-667-6343
>>
>>
>> --
>> Scott Dunbar
>> Xigole Systems, Inc.
>> Enterprise consulting, development, and hosting
>> 303-667-6343
>

From j.kamal at ymail.com Mon Jul 13 17:39:48 2015
From: j.kamal at ymail.com (Kamal Jagadevan)
Date: Mon, 13 Jul 2015 21:39:48 +0000 (UTC)
Subject: [keycloak-user] Use case of Deprovisioning a user in Federated IDP
Message-ID: <1530729198.1407830.1436823588762.JavaMail.yahoo@mail.yahoo.com>

Hello,

I would like to know how de-provisioning of a user in the Federated IDP case is being handled in Keycloak.
How frequently does Keycloak validate the federated user status before reissuing a new access token to the already authenticated user?
Are there plans to support SCIM (System for Cross-domain Identity Management) in the Keycloak roadmap?

Following is our use case:

1. There are a few processes that will be authenticated with the Federated IDP using SAML just after user (A) registration is complete (one-time login manually).
2. Subsequently the SP will issue the token pair to these processes to use as long as the refresh token lifetime is valid.
3. Within this refresh token lifetime (if it is too long) and in the case user (A) is de-provisioned/removed, how would the SP be aware to block this token renewal?

Please share your thoughts.

Best
Kamal
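Added example, in Python, that is not from this thread or from Keycloak. It ties Marek's answer in the previous thread (the user ID is the `sub` claim, which is what `accessToken.getSubject()` returns) to Kamal's question above. It decodes the payload of the KEYCLOAK_IDENTITY cookie that Gregor pastes later on this page (an RS256 Keycloak JWT, long expired) to read `sub`, `iss` and `exp`, and then shows the check an SP would run before honouring a refresh: issuer, validity window, and whether the user is still active in an SP-side directory that a deprovisioning hook (for instance a SCIM delete) keeps current. The `UserDirectory` class, the `refresh_allowed` function and the `now` timestamps are assumptions for illustration. Decoding here does not verify the signature; a real SP verifies it against the realm public key before trusting any claim.

```python
"""Read the `sub` claim from a Keycloak JWT and gate refresh-token renewal
on the user's provisioning status (added example, not Keycloak code)."""
import base64
import json

# KEYCLOAK_IDENTITY cookie value quoted in the CORS thread on this page:
# a real Keycloak identity JWT (RS256) whose validity window ended in July 2015.
PAGE_TOKEN = (
    "eyJhbGciOiJSUzI1NiJ9."
    "eyJqdGkiOiI1YTI4YTk1MS02ZDY2LTQ1YzEtOTM3Ny0zMjdjYzAwYzA3YjYiLCJleHAiOjE0MzY4MjgyNjIsIm5iZiI6MCwiaWF0IjoxNDM2NzkyMjYyLCJpc3MiOiJodHRwOi8vZnMwMWUudGVjaC52aXN1YWx2ZXN0LmRlL2F1dGgvcmVhbG1zL1ZWIiwic3ViIjoiOWZlNGM3ZWEtYmNjNS00NmY2LWEwMzMtZjllZGE4ZDlmYTVjIiwic2Vzc2lvbl9zdGF0ZSI6ImRkNmE2ZDVjLWRkYjMtNDc3Mi1hZDNkLTk2OGJiMzc1NzdjOSIsInJlc291cmNlX2FjY2VzcyI6e319."
    "PabltPm2_dkWsZ4fwS8jrxTW0qv7nFY2ZkZAjjFozkxP7K8kZcg7We4gzshkqdRF1kfB57_zQFp8BKyRa08hG5zskZk_SmpbOwAoKL2lrME7Zm7ErBSMIF7KZ6ZUIznIu8LTnP0m0mgmReqxNEYtIdim-7sXdfEhws9q-cC4mAQ"
)


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified(token: str):
    """Split a compact JWS and JSON-decode its header and payload.

    This does NOT check the signature.  Claims read this way may only be
    acted on after the RS256 signature has been verified with the realm's
    public key (the Keycloak adapter does that before it exposes an
    AccessToken/IDToken object to application code).
    """
    header_b64, payload_b64, _signature_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    return header, claims


def user_id_from_token(token: str) -> str:
    """Equivalent of accessToken.getSubject(): `sub` is the Keycloak user ID
    that the admin REST API expects when updating a user."""
    _, claims = decode_unverified(token)
    return claims["sub"]


class UserDirectory:
    """Assumed stand-in for the SP-side user-status store that a SCIM
    listener (or any other deprovisioning hook) keeps in sync with the IdP."""

    def __init__(self, active_user_ids):
        self._active = set(active_user_ids)

    def deprovision(self, user_id: str) -> None:
        # What a SCIM "DELETE /Users/{id}" handler would do on the SP side.
        self._active.discard(user_id)

    def is_active(self, user_id: str) -> bool:
        return user_id in self._active


def refresh_allowed(claims: dict, directory: UserDirectory, now: int,
                    expected_issuer: str):
    """Decide whether a signature-verified refresh token may be renewed.

    Returns (allowed, reason).  Besides the usual issuer and time-window
    checks it consults the directory, so a user removed at the IdP stops
    receiving new access tokens even while the refresh token is still
    inside its lifetime (Kamal's step 3).
    """
    if claims.get("iss") != expected_issuer:
        return False, "wrong issuer"
    if now < claims.get("nbf", 0):
        return False, "token not yet valid"
    if now >= claims["exp"]:
        return False, "token expired"
    if not directory.is_active(claims["sub"]):
        return False, "user deprovisioned"
    return True, "ok"


if __name__ == "__main__":
    header, claims = decode_unverified(PAGE_TOKEN)
    print(header["alg"], user_id_from_token(PAGE_TOKEN), claims["iss"])
    directory = UserDirectory([claims["sub"]])
    # Assumed "now": one minute after the token was issued (iat), inside its window.
    print(refresh_allowed(claims, directory, claims["iat"] + 60, claims["iss"]))
    directory.deprovision(claims["sub"])
    print(refresh_allowed(claims, directory, claims["iat"] + 60, claims["iss"]))
```

The directory lookup is deliberately the last check: the cheap, local checks (issuer, window) reject most bad tokens before a status lookup that may hit a database, and the reason strings give an audit log something more useful than a bare 401.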
From bburke at redhat.com Mon Jul 13 18:37:59 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 13 Jul 2015 18:37:59 -0400
Subject: [keycloak-user] Use case of Deprovisioning a user in Federated IDP
In-Reply-To: <1530729198.1407830.1436823588762.JavaMail.yahoo@mail.yahoo.com>
References: <1530729198.1407830.1436823588762.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <55A43DC7.5010105@redhat.com>

What do you mean by federated user? We have the concept of federating between IDPs, where Keycloak is the child and an external IDP is the parent. In this case, we do not check the status of the external user at all. I'm not currently aware of any standard we can use to do this.

On 7/13/2015 5:39 PM, Kamal Jagadevan wrote:
> Hello,
> I would like to know how de-provisioning of a user in the Federated IDP case is being handled in Keycloak.
> How frequently does Keycloak validate the federated user status before reissuing a new access token to the already authenticated user?
> Are there plans to support SCIM (System for Cross-domain Identity Management) in the Keycloak roadmap?
>
> Following is our use case:
>
> 1. There are a few processes that will be authenticated with the Federated IDP using SAML just after user (A) registration is complete (one-time login manually).
> 2. Subsequently the SP will issue the token pair to these processes to use as long as the refresh token lifetime is valid.
> 3. Within this refresh token lifetime (if it is too long) and in the case user (A) is de-provisioned/removed, how would the SP be aware to block this token renewal?
>
>
> Please share your thoughts.
>
> Best
> Kamal
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From eugene.chow.ct at gmail.com Tue Jul 14 01:59:03 2015
From: eugene.chow.ct at gmail.com (Eugene Chow)
Date: Tue, 14 Jul 2015 13:59:03 +0800
Subject: [keycloak-user] Dump user profile data from Social Identity Provider

Hi Stian/Marek,

Can you please advise on the following? I used the instructions from this page - http://keycloak.github.io/docs/userguide/html/identity-broker.html#d4e1954 . I'm not sure if I have included it in the correct location as it doesn't work.

I need this to debug the JSON response from a custom OpenID Connect backend.

Thanks a lot!
Eugene

> On 13 Jul 2015, at 17:20, Eugene Chow wrote:
>
> Hi,
>
> I have a Keycloak 1.2.0 installation that authenticates against a custom OpenID Connect provider. I need to see the JSON response from the social provider. The documentation says to set org.keycloak.social.user_profile_dump to DEBUG.
>
> I've added the following to standalone.xml as such, but I don't see any JSON output in the log. Is this configuration correct?
>
>
> …
> ...
>
>
> Thanks!
> Eugene
From Gregor.Tudan at cofinpro.de Tue Jul 14 02:49:55 2015
From: Gregor.Tudan at cofinpro.de (Gregor Tudan)
Date: Tue, 14 Jul 2015 06:49:55 +0000
Subject: [keycloak-user] CORS Header for direct grants
In-Reply-To: <1382673212.37205936.1436798684531.JavaMail.zimbra@redhat.com>
References: <218758071.37140932.1436793276961.JavaMail.zimbra@redhat.com> <995762602.37191393.1436797349276.JavaMail.zimbra@redhat.com> <1382673212.37205936.1436798684531.JavaMail.zimbra@redhat.com> <1382673212.37205936.1436798684531.JavaMail.zimbra@redhat.com>

Here's the JIRA with the PR linked: https://issues.jboss.org/browse/KEYCLOAK-1564

This fixes the issue on my setup, so thanks Stian for your advice.

On 13 July 2015 at 16:44:48, Stian Thorgersen (stian at redhat.com) wrote:

It's not a big deal to add CORS support for it, so create a JIRA for it. Even better provide a PR and it'll be included for the 1.4 release

----- Original Message -----
> From: "Gregor Tudan"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Monday, 13 July, 2015 4:37:24 PM
> Subject: Re: [keycloak-user] CORS Header for direct grants
>
> I see, so I'll need to think of something else then - I know that this is a stupid use-case, but we have a requirement where the application has to request a token by credentials supplied from elsewhere. :-(
>
> Thanks again,
> Gregor
>
>
> On 13 July 2015 at 16:22:34, Stian Thorgersen (stian at redhat.com) wrote:
>
> Ah, sorry missed that. We don't currently add CORS headers for the user credential grant flow as it shouldn't be used by a web application.
>
> ----- Original Message -----
> > From: "Gregor Tudan"
> > To: keycloak-user at lists.jboss.org
> > Sent: Monday, 13 July, 2015 4:07:12 PM
> > Subject: Re: [keycloak-user] CORS Header for direct grants
> >
> > Hi Stian,
> >
> > I'm aware that I'm comparing different requests here (code vs. password - I just had them at hand). But is that relevant in terms of the CORS headers returned?
> >
> > Thanks,
> > Gregor
> >
> >
> > On 13 July 2015 at 15:14:42, Stian Thorgersen (stian at redhat.com) wrote:
> >
> > > 20AEZy_EQY5Is.03b568e4-adcd-4c7d-bc81-44fded29be61&grant_type=authorization_code&client_id=vv-frontend&redirect_uri=
> > > But when I request a token by direct grant, the CORS headers are missing:
> > >
> > > POST /auth/realms/VV/protocol/openid-connect/token HTTP/1.1
> > > Host: fs01e.tech.visualvest.de
> > > Connection: keep-alive
> > > Content-Length: 69
> > > Accept: application/json
> > > Origin: http://localhost:8000
> > > User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
> > > Content-type: application/x-www-form-urlencoded
> > > DNT: 1
> > > Referer: http://localhost:8000/app/depot/
> > > Accept-Encoding: gzip, deflate
> > > Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
> > >
> > > Content:
> > >
> > > username=dirk&password=dirk&client_id=vv-frontend&grant_type=password
> > >
> > > Am I missing something?
> > >
> > > Thanks,
> > > Gregor
> >
> > OCALE=de;
> > > KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI1YTI4YTk1MS02ZDY2LTQ1YzEtOTM3Ny0zMjdjYzAwYzA3YjYiLCJleHAiOjE0MzY4MjgyNjIsIm5iZiI6MCwiaWF0IjoxNDM2NzkyMjYyLCJpc3MiOiJodHRwOi8vZnMwMWUudGVjaC52aXN1YWx2ZXN0LmRlL2F1dGgvcmVhbG1zL1ZWIiwic3ViIjoiOWZlNGM3ZWEtYmNjNS00NmY2LWEwMzMtZjllZGE4ZDlmYTVjIiwic2Vzc2lvbl9zdGF0ZSI6ImRkNmE2ZDVjLWRkYjMtNDc3Mi1hZDNkLTk2OGJiMzc1NzdjOSIsInJlc291cmNlX2FjY2VzcyI6e319.PabltPm2_dkWsZ4fwS8jrxTW0qv7nFY2ZkZAjjFozkxP7K8kZcg7We4gzshkqdRF1kfB57_zQFp8BKyRa08hG5zskZk_SmpbOwAoKL2lrME7Zm7ErBSMIF7KZ6ZUIznIu8LTnP0m0mgmReqxNEYtIdim-7sXdfEhws9q-cC4mAQ;
> > > KEYCLOAK_SESSION=VV/9fe4c7ea-bcc5-46f6-a033-f9eda8d9fa5c/dd6a6d5c-ddb3-4772-ad3d-968bb37577c9
> > >
> > > Content:
> > >
> > > code=rDhHgSDNa9MgJl9RSqk7TLOByTto2A20AEZy_EQY5Is.03b568e4-adcd-4c7d-bc81-44fded29be61&grant_type=authorization_code&client_id=vv-frontend&redirect_uri=
> > > But when I request a token by direct grant, the CORS headers are missing:
> > >
> > > POST /auth/realms/VV/protocol/openid-connect/token HTTP/1.1
> > > Host: fs01e.tech.visualvest.de
> > > Connection: keep-alive
> > > Content-Length: 69
> > > Accept: application/json
> > > Origin: http://localhost:8000
> > > User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
> > > Content-type: application/x-www-form-urlencoded
> > > DNT: 1
> > > Referer: http://localhost:8000/app/depot/
> > > Accept-Encoding: gzip, deflate
> > > Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
> > >
> > > Content:
> > >
> > > username=dirk&password=dirk&client_id=vv-frontend&grant_type=password
> > >
> > > Am I missing something?
> > >
> > > Thanks,
> > > Gregor
> >
>

From mposolda at redhat.com Tue Jul 14 02:53:25 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 14 Jul 2015 08:53:25 +0200
Subject: [keycloak-user] Dump user profile data from Social Identity Provider
Message-ID: <55A4B1E5.7090205@redhat.com>

Hi,

do you have the opportunity to upgrade to the latest 1.3.1.Final? It seems that this logging was added in this version and is not yet available in 1.2.0.

Marek

On 14.7.2015 07:59, Eugene Chow wrote:
> Hi Stian/Marek,
>
> Can you please advise on the following? I used the instructions from this page - http://keycloak.github.io/docs/userguide/html/identity-broker.html#d4e1954. I'm not sure if I have included it in the correct location as it doesn't work.
>
> I need this to debug the JSON response from a custom OpenID Connect backend.
>
>
> Thanks a lot!
> Eugene
>
>> On 13 Jul 2015, at 17:20, Eugene Chow wrote:
>>
>> Hi,
>>
>> I have a Keycloak 1.2.0 installation that authenticates against a custom OpenID Connect provider. I need to see the JSON response from the social provider. The documentation says to set org.keycloak.social.user_profile_dump to DEBUG.
>>
>> I've added the following to standalone.xml as such, but I don't see any JSON output in the log. Is this configuration correct?
>>
>>
>> …
>> ...
>>
>>
>> Thanks!
>> Eugene
>
>

From eugene.chow.ct at gmail.com Tue Jul 14 02:59:05 2015
From: eugene.chow.ct at gmail.com (Eugene Chow)
Date: Tue, 14 Jul 2015 14:59:05 +0800
Subject: [keycloak-user] Dump user profile data from Social Identity Provider
In-Reply-To: <55A4B1E5.7090205@redhat.com>
References: <55A4B1E5.7090205@redhat.com>

Hi Marek,

Thanks for the heads up. I'll give it a shot.

Eugene

> On 14 Jul 2015, at 14:53, Marek Posolda wrote:
>
> Hi,
>
> do you have the opportunity to upgrade to the latest 1.3.1.Final? It seems that this logging was added in this version and is not yet available in 1.2.0.
>
> Marek
>
> On 14.7.2015 07:59, Eugene Chow wrote:
>> Hi Stian/Marek,
>>
>> Can you please advise on the following? I used the instructions from this page - http://keycloak.github.io/docs/userguide/html/identity-broker.html#d4e1954 . I'm not sure if I have included it in the correct location as it doesn't work.
>>
>> I need this to debug the JSON response from a custom OpenID Connect backend.
>>
>>
>> Thanks a lot!
>> Eugene
>>
>>> On 13 Jul 2015, at 17:20, Eugene Chow wrote:
>>>
>>> Hi,
>>>
>>> I have a Keycloak 1.2.0 installation that authenticates against a custom OpenID Connect provider. I need to see the JSON response from the social provider. The documentation says to set org.keycloak.social.user_profile_dump to DEBUG.
>>>
>>> I've added the following to standalone.xml as such, but I don't see any JSON output in the log. Is this configuration correct?
>>>
>>>
>>> …
>>> ...
>>>
>>>
>>> Thanks!
>>> Eugene
>>
>>

From stian at redhat.com Tue Jul 14 03:27:02 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 14 Jul 2015 03:27:02 -0400 (EDT)
Subject: [keycloak-user] CORS Header for direct grants
References: <218758071.37140932.1436793276961.JavaMail.zimbra@redhat.com> <995762602.37191393.1436797349276.JavaMail.zimbra@redhat.com> <1382673212.37205936.1436798684531.JavaMail.zimbra@redhat.com> <1382673212.37205936.1436798684531.JavaMail.zimbra@redhat.com>
Message-ID: <51353120.37885846.1436858822290.JavaMail.zimbra@redhat.com>

Thanks for adding it yourself :)

----- Original Message -----
> From: "Gregor Tudan"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Tuesday, 14 July, 2015 8:49:55 AM
> Subject: Re: [keycloak-user] CORS Header for direct grants
>
> Here's the JIRA with the PR linked:
> https://issues.jboss.org/browse/KEYCLOAK-1564
>
> This fixes the issue on my setup, so thanks Stian for your advice.
>
>
> On 13 July 2015 at 16:44:48, Stian Thorgersen (stian at redhat.com) wrote:
>
> It's not a big deal to add CORS support for it, so create a JIRA for it.
> Even better provide a PR and it'll be included for the 1.4 release
>
> ----- Original Message -----
> > From: "Gregor Tudan"
> > To: "Stian Thorgersen"
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Monday, 13 July, 2015 4:37:24 PM
> > Subject: Re: [keycloak-user] CORS Header for direct grants
> >
> > I see, so I'll need to think of something else then - I know that this is a stupid use-case, but we have a requirement where the application has to request a token by credentials supplied from elsewhere. :-(
> >
> > Thanks again,
> > Gregor
> >
> >
> > On 13 July 2015 at 16:22:34, Stian Thorgersen (stian at redhat.com) wrote:
> >
> > Ah, sorry missed that. We don't currently add CORS headers for the user credential grant flow as it shouldn't be used by a web application.
> >
> > ----- Original Message -----
> > > From: "Gregor Tudan"
> > > To: keycloak-user at lists.jboss.org
> > > Sent: Monday, 13 July, 2015 4:07:12 PM
> > > Subject: Re: [keycloak-user] CORS Header for direct grants
> > >
> > > Hi Stian,
> > >
> > > I'm aware that I'm comparing different requests here (code vs. password - I just had them at hand). But is that relevant in terms of the CORS headers returned?
> > >
> > > Thanks,
> > > Gregor
> > >
> > >
> > > On 13 July 2015 at 15:14:42, Stian Thorgersen (stian at redhat.com) wrote:
> > >
> > > > 20AEZy_EQY5Is.03b568e4-adcd-4c7d-bc81-44fded29be61&grant_type=authorization_code&client_id=vv-frontend&redirect_uri=
> > > > But when I request a token by direct grant, the CORS headers are missing:
> > > >
> > > > POST /auth/realms/VV/protocol/openid-connect/token HTTP/1.1
> > > > Host: fs01e.tech.visualvest.de
> > > > Connection: keep-alive
> > > > Content-Length: 69
> > > > Accept: application/json
> > > > Origin: http://localhost:8000
> > > > User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
> > > > Content-type: application/x-www-form-urlencoded
> > > > DNT: 1
> > > > Referer: http://localhost:8000/app/depot/
> > > > Accept-Encoding: gzip, deflate
> > > > Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
> > > >
> > > > Content:
> > > >
> > > > username=dirk&password=dirk&client_id=vv-frontend&grant_type=password
> > > >
> > > > Am I missing something?
> > > >
> > > > Thanks,
> > > > Gregor
> > >
> > > OCALE=de;
> > > > KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI1YTI4YTk1MS02ZDY2LTQ1YzEtOTM3Ny0zMjdjYzAwYzA3YjYiLCJleHAiOjE0MzY4MjgyNjIsIm5iZiI6MCwiaWF0IjoxNDM2NzkyMjYyLCJpc3MiOiJodHRwOi8vZnMwMWUudGVjaC52aXN1YWx2ZXN0LmRlL2F1dGgvcmVhbG1zL1ZWIiwic3ViIjoiOWZlNGM3ZWEtYmNjNS00NmY2LWEwMzMtZjllZGE4ZDlmYTVjIiwic2Vzc2lvbl9zdGF0ZSI6ImRkNmE2ZDVjLWRkYjMtNDc3Mi1hZDNkLTk2OGJiMzc1NzdjOSIsInJlc291cmNlX2FjY2VzcyI6e319.PabltPm2_dkWsZ4fwS8jrxTW0qv7nFY2ZkZAjjFozkxP7K8kZcg7We4gzshkqdRF1kfB57_zQFp8BKyRa08hG5zskZk_SmpbOwAoKL2lrME7Zm7ErBSMIF7KZ6ZUIznIu8LTnP0m0mgmReqxNEYtIdim-7sXdfEhws9q-cC4mAQ;
> > > > KEYCLOAK_SESSION=VV/9fe4c7ea-bcc5-46f6-a033-f9eda8d9fa5c/dd6a6d5c-ddb3-4772-ad3d-968bb37577c9
> > > >
> > > > Content:
> > > >
> > > > code=rDhHgSDNa9MgJl9RSqk7TLOByTto2A20AEZy_EQY5Is.03b568e4-adcd-4c7d-bc81-44fded29be61&grant_type=authorization_code&client_id=vv-frontend&redirect_uri=
> > > > But when I request a token by direct grant, the CORS headers are missing:
> > > >
> > > > POST /auth/realms/VV/protocol/openid-connect/token HTTP/1.1
> > > > Host: fs01e.tech.visualvest.de
> > > > Connection: keep-alive
> > > > Content-Length: 69
> > > > Accept: application/json
> > > > Origin: http://localhost:8000
> > > > User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
> > > > Content-type: application/x-www-form-urlencoded
> > > > DNT: 1
> > > > Referer: http://localhost:8000/app/depot/
> > > > Accept-Encoding: gzip, deflate
> > > > Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
> > > >
> > > > Content:
> > > >
> > > > username=dirk&password=dirk&client_id=vv-frontend&grant_type=password
> > > >
> > > > Am I missing something?
> > > >
> > > > Thanks,
> > > > Gregor
> > >
> >
>

From eugene.chow.ct at gmail.com Tue Jul 14 07:19:57 2015
From: eugene.chow.ct at gmail.com (Eugene Chow)
Date: Tue, 14 Jul 2015 19:19:57 +0800
Subject: [keycloak-user] Dump user profile data from Social Identity Provider
References: <55A4B1E5.7090205@redhat.com>

Hi Marek,

I managed to set up the logger. Thanks! This is the configuration to dump the userinfo JSON response in the log file and the console.

>
> …
> ...

I have another problem, which is to map the userinfo from the custom OpenID Connect backend. Upon login, it returns this JSON response:

> {"sub":"Christine Chapel","name":"","position":"","preferred_username":"Christine Chapel","address":"Nurse, USS Enterprise"}

I'm trying to map preferred_username to the Last Name field.
I tried to map this field, and also sub and address, but all without success:

Name: Fullname
Mapper Type: Attribute Importer
Claim: preferred_username
User Attribute Name: lastName

Is there a specific Claim or User Attribute Name that I need to use for the mapping to work?

Cheers!

> On 14 Jul 2015, at 14:59, Eugene Chow wrote:
>
> Hi Marek,
>
> Thanks for the heads up. I'll give it a shot.
>
> Eugene
>
>> On 14 Jul 2015, at 14:53, Marek Posolda wrote:
>>
>> Hi,
>>
>> do you have the opportunity to upgrade to the latest 1.3.1.Final? It seems that this logging was added in this version and is not yet available in 1.2.0.
>>
>> Marek
>>
>> On 14.7.2015 07:59, Eugene Chow wrote:
>>> Hi Stian/Marek,
>>>
>>> Can you please advise on the following? I used the instructions from this page - http://keycloak.github.io/docs/userguide/html/identity-broker.html#d4e1954 . I'm not sure if I have included it in the correct location as it doesn't work.
>>>
>>> I need this to debug the JSON response from a custom OpenID Connect backend.
>>>
>>>
>>> Thanks a lot!
>>> Eugene
>>>
>>>> On 13 Jul 2015, at 17:20, Eugene Chow wrote:
>>>>
>>>> Hi,
>>>>
>>>> I have a Keycloak 1.2.0 installation that authenticates against a custom OpenID Connect provider. I need to see the JSON response from the social provider. The documentation says to set org.keycloak.social.user_profile_dump to DEBUG.
>>>>
>>>> I've added the following to standalone.xml as such, but I don't see any JSON output in the log. Is this configuration correct?
>>>>
>>>>
>>>> …
>>>> ...
>>>>
>>>>
>>>> Thanks!
>>>> Eugene
>>>
>>>
>
From mposolda at redhat.com Tue Jul 14 09:26:18 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 14 Jul 2015 15:26:18 +0200
Subject: [keycloak-user] Dump user profile data from Social Identity Provider
References: <55A4B1E5.7090205@redhat.com>
Message-ID: <55A50DFA.1040209@redhat.com>

From looking at the code, it seems that we don't support mapping to UserModel properties (i.e. firstName, lastName, email) but just custom attributes. Could you check your database if there is an attribute "lastName" in the USER_ATTRIBUTE table for this user? If it's the case, then it means that the mapper added a custom attribute "lastName" instead of the Java property "lastName" from the user model. Then feel free to create a JIRA to support mapping to UserModel properties as well.

Marek

On 14.7.2015 13:19, Eugene Chow wrote:
> Hi Marek,
>
> I managed to set up the logger. Thanks! This is the configuration to dump the userinfo JSON response in the log file and the console.
>>
>> …
>> ...
>
> I have another problem, which is to map the userinfo from the custom OpenID Connect backend. Upon login, it returns this JSON response:
>> {"sub":"Christine Chapel","name":"","position":"","preferred_username":"Christine Chapel","address":"Nurse, USS Enterprise"}
>
> I'm trying to map preferred_username to the Last Name field. I tried to map this field, and also sub and address, but all without success:
> Name: Fullname
> Mapper Type: Attribute Importer
> Claim: preferred_username
> User Attribute Name: lastName
>
> Is there a specific Claim or User Attribute Name that I need to use for the mapping to work?
>
>
> Cheers!
>
>> On 14 Jul 2015, at 14:59, Eugene Chow wrote:
>>
>> Hi Marek,
>>
>> Thanks for the heads up. I'll give it a shot.
>>
>> Eugene
>>
>>> On 14 Jul 2015, at 14:53, Marek Posolda wrote:
>>>
>>> Hi,
>>>
>>> do you have the opportunity to upgrade to the latest 1.3.1.Final? It seems that this logging was added in this version and is not yet available in 1.2.0.
>>>
>>> Marek
>>>
>>> On 14.7.2015 07:59, Eugene Chow wrote:
>>>> Hi Stian/Marek,
>>>>
>>>> Can you please advise on the following? I used the instructions from this page - http://keycloak.github.io/docs/userguide/html/identity-broker.html#d4e1954. I'm not sure if I have included it in the correct location as it doesn't work.
>>>>
>>>> I need this to debug the JSON response from a custom OpenID Connect backend.
>>>>
>>>>
>>>> Thanks a lot!
>>>> Eugene
>>>>
>>>>> On 13 Jul 2015, at 17:20, Eugene Chow wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I have a Keycloak 1.2.0 installation that authenticates against a custom OpenID Connect provider. I need to see the JSON response from the social provider. The documentation says to set org.keycloak.social.user_profile_dump to DEBUG.
>>>>>
>>>>> I've added the following to standalone.xml as such, but I don't see any JSON output in the log. Is this configuration correct?
>>>>>
>>>>>
>>>>> …
>>>>> ...
>>>>>
>>>>>
>>>>> Thanks!
>>>>> Eugene
>>>>
>>>
>>
>
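Added example in Python (not Keycloak's code) modelling what Marek describes for Eugene's three "Attribute Importer" mappers. Run against the userinfo JSON Eugene quoted, a mapper whose target is `lastName` writes a custom attribute named lastName (what would show up in the USER_ATTRIBUTE table) and leaves the UserModel property empty; a property-aware variant, the behaviour Marek suggests filing a JIRA for, routes firstName/lastName/email to the model and everything else to attributes. The `UserModel` dataclass, the `MODEL_PROPERTIES` table and both importer functions are assumptions for illustration.

```python
"""Model the identity-provider 'Attribute Importer' mapper behaviour
Marek describes (added example, not Keycloak code)."""
import json
from dataclasses import dataclass, field
from typing import Optional

# The userinfo response Eugene quoted from his custom OpenID Connect backend.
USERINFO_JSON = (
    '{"sub":"Christine Chapel","name":"","position":"",'
    '"preferred_username":"Christine Chapel","address":"Nurse, USS Enterprise"}'
)

# Eugene's three mapper configurations: claim -> "User Attribute Name".
MAPPERS = [
    {"claim": "preferred_username", "user.attribute": "lastName"},
    {"claim": "sub", "user.attribute": "firstName"},
    {"claim": "address", "user.attribute": "street"},
]

# Assumed names of the built-in UserModel properties and the dataclass
# fields they correspond to; everything else is a custom attribute.
MODEL_PROPERTIES = {"firstName": "first_name", "lastName": "last_name", "email": "email"}


@dataclass
class UserModel:
    """Assumed minimal stand-in for Keycloak's UserModel: three built-in
    properties plus a free-form attribute map (the USER_ATTRIBUTE table)."""
    username: str
    first_name: Optional[str] = None
    last_name: Optional[str] = None
    email: Optional[str] = None
    attributes: dict = field(default_factory=dict)


def import_attributes_custom_only(user: UserModel, claims: dict, mappers) -> UserModel:
    """Behaviour Marek describes: every mapped claim lands in the custom
    attribute map, even when its name matches a model property."""
    for mapper in mappers:
        if mapper["claim"] in claims:
            user.attributes[mapper["user.attribute"]] = claims[mapper["claim"]]
    return user


def import_attributes_property_aware(user: UserModel, claims: dict, mappers) -> UserModel:
    """Assumed improvement (what the suggested JIRA would ask for): known
    property names update the model fields, anything else becomes an attribute."""
    for mapper in mappers:
        if mapper["claim"] not in claims:
            continue
        value = claims[mapper["claim"]]
        target = mapper["user.attribute"]
        if target in MODEL_PROPERTIES:
            setattr(user, MODEL_PROPERTIES[target], value)
        else:
            user.attributes[target] = value
    return user


def run(importer) -> UserModel:
    """Parse the quoted userinfo document and feed it through one importer."""
    claims = json.loads(USERINFO_JSON)
    user = UserModel(username=claims["preferred_username"])
    return importer(user, claims, MAPPERS)


if __name__ == "__main__":
    print(run(import_attributes_custom_only))
    print(run(import_attributes_property_aware))
```

The first run reproduces Marek's diagnosis: `last_name` stays `None` while `attributes["lastName"]` holds the value, which is exactly the row a query of USER_ATTRIBUTE would show.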
From jdcasey at commonjava.org Tue Jul 14 11:32:45 2015
From: jdcasey at commonjava.org (John Casey)
Date: Tue, 14 Jul 2015 10:32:45 -0500
Subject: [keycloak-user] help with bearer + basic auth
Message-ID: <55A52B9D.9060704@commonjava.org>

Hi,

This is my first post to this list, so please excuse me if this question has been asked before. I'm having some trouble finding it via Google if so...

I have a REST server with an Angular.js UI. I also access this REST server via "raw" HTTP calls (via curl, other utilities) and via a Java client API that I control. I'm trying to set up Keycloak to protect it, such that the UI does its own authentication via the Keycloak JavaScript adapter, then sends the bearer token to the REST server. At the same time, I don't want to complicate things for scripts and such that just want to make one or two calls to the server using Python's httplib2 or curl or something like that... I'd like those to use BASIC authentication.

When I set up my server's keycloak.json, it seems the only thing that will work for granting access via the UI is to have it set to:

    "bearer-only": true

However, this obviously doesn't work for basic auth via curl. I get a 400 Bad Request in the UI if I try to set the server's keycloak.json to:

    "enable-basic-auth": true

...but then curl works as expected.

I've looked at the example here:

https://github.com/keycloak/keycloak/tree/master/examples/basic-auth

...but it doesn't seem to have a JavaScript UI or anything using bearer tokens to verify that it works that way.

My codebase is here:

https://github.com/jdcasey/aprox/tree/keycloak-refactor

And my keycloak files are here:

https://github.com/jdcasey/aprox/tree/keycloak-refactor/subsys/keycloak/src/main/conf/keycloak

Any insight / hints would be very much appreciated!
Thanks in advance,

-john

--
John Casey
---
GitHub: https://github.com/jdcasey/
Twitter: http://twitter.com/buildchimp

From eugene.chow.ct at gmail.com Tue Jul 14 11:38:08 2015
From: eugene.chow.ct at gmail.com (Eugene Chow)
Date: Tue, 14 Jul 2015 23:38:08 +0800
Subject: [keycloak-user] Dump user profile data from Social Identity Provider
In-Reply-To: <55A50DFA.1040209@redhat.com>
References: <55A4B1E5.7090205@redhat.com> <55A50DFA.1040209@redhat.com>
Message-ID: <55A52CE0.1000600@gmail.com>

I couldn't find the attribute lastName in the user_attribute table. I did find the following though:

> COPY idp_mapper_config (idp_mapper_id, value, name) FROM stdin;
> 9871fac6-80ef-4fed-91d2-01a2fa56fd31    street      user.attribute
> 9871fac6-80ef-4fed-91d2-01a2fa56fd31    address     claim
> 473e55d3-8266-4507-bc1d-cc3c27d49498    lastName    user.attribute
> 49a22d17-4dd5-426b-ba02-cbf6b7de6a84    sub         claim
> 49a22d17-4dd5-426b-ba02-cbf6b7de6a84    firstName   user.attribute

It seems that my mappings ended up in idp_mapper_config. My mappings are:

> lastName: preferred_username
> firstName: sub
> street: address

This was the JSON response from the OID backend. The interesting thing is that Keycloak maps "name" from the OID backend to firstName.

> {"sub":"Christine Chapel","name":"","position":"","preferred_username":"Christine Chapel","address":"Nurse, USS Enterprise"}

Does it mean that Keycloak doesn't support mapping to the UserModel?

Thanks!
Eugene

On 14/7/2015 9:26 PM, Marek Posolda wrote:
> From looking at the code, it seems that we don't support mapping to UserModel properties (i.e. firstName, lastName, email) but just custom attributes. Could you check your database if there is an attribute "lastName" in the USER_ATTRIBUTE table for this user? If it's the case, then it means that the mapper added a custom attribute "lastName" instead of the Java property "lastName" from the user model. Then feel free to create a JIRA to support mapping to UserModel properties as well.
>
> Marek
>
> On 14.7.2015 13:19, Eugene Chow wrote:
>> Hi Marek,
>>
>> I managed to set up the logger. Thanks! This is the configuration to dump the userinfo JSON response in the log file and the console.
>>>
>>> …
>>> ...
>>
>> I have another problem, which is to map the userinfo from the custom OpenID Connect backend. Upon login, it returns this JSON response:
>>> {"sub":"Christine Chapel","name":"","position":"","preferred_username":"Christine Chapel","address":"Nurse, USS Enterprise"}
>>
>> I'm trying to map preferred_username to the Last Name field. I tried to map this field, and also sub and address, but all without success:
>> Name: Fullname
>> Mapper Type: Attribute Importer
>> Claim: preferred_username
>> User Attribute Name: lastName
>>
>> Is there a specific Claim or User Attribute Name that I need to use for the mapping to work?
>>
>>
>> Cheers!
>>
>>> On 14 Jul 2015, at 14:59, Eugene Chow wrote:
>>>
>>> Hi Marek,
>>>
>>> Thanks for the heads up. I'll give it a shot.
>>>
>>> Eugene
>>>
>>>> On 14 Jul 2015, at 14:53, Marek Posolda wrote:
>>>>
>>>> Hi,
>>>>
>>>> do you have the opportunity to upgrade to the latest 1.3.1.Final? It seems that this logging was added in this version and is not yet available in 1.2.0.
>>>>
>>>> Marek
>>>>
>>>> On 14.7.2015 07:59, Eugene Chow wrote:
>>>>> Hi Stian/Marek,
>>>>>
>>>>> Can you please advise on the following? I used the instructions from this page - http://keycloak.github.io/docs/userguide/html/identity-broker.html#d4e1954. I'm not sure if I have included it in the correct location as it doesn't work.
>>>>>
>>>>> I need this to debug the JSON response from a custom OpenID Connect backend.
>>>>>
>>>>>
>>>>> Thanks a lot!
>>>>> Eugene >>>>> >>>>>> On 13 Jul 2015, at 17:20, Eugene Chow >>>>> > wrote: >>>>>> >>>>>> Hi, >>>>>> >>>>>> I have a Keycloak 1.2.0 installation that authenticates against a >>>>>> custom OpenID Connect provider. I need to see the JSON response >>>>>> from the social provider. The documentation says to set >>>>>> org.keycloak.social.user_profile_dump to DEBUG. >>>>>> >>>>>> I've added the following to standalone.xml as such, but I don't >>>>>> see any JSON output in the log. Is this configuration correct? >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> ... >>>>>> >>>>>> >>>>>> >>>>>> Thanks! >>>>>> Eugene >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150714/6e322658/attachment-0001.html

From j.kamal at ymail.com Tue Jul 14 10:46:25 2015 From: j.kamal at ymail.com (Kamal Jagadevan) Date: Tue, 14 Jul 2015 14:46:25 +0000 (UTC) Subject: [keycloak-user] Use case of Deprovisioning a user in Federated IDP In-Reply-To: <1530729198.1407830.1436823588762.JavaMail.yahoo@mail.yahoo.com> References: <1530729198.1407830.1436823588762.JavaMail.yahoo@mail.yahoo.com> Message-ID: <2019318683.1888708.1436885185134.JavaMail.yahoo@mail.yahoo.com> Hi Bill, Thanks for the quick response. I meant the federated user to be a user from an External IDP. There are two scenarios in our application which we plan to address using Keycloak: a) A user who interactively logs into the web client b) A background process that acts on behalf of the user (a) In case (a), every time the user logs into the system, he/she will be authenticated by the external IDP.
But in case (b), because it is a background process, the user logs in with his credentials only once and then uses the refresh token (which has a very long time to live or never expires); in this scenario, after the initial authentication there is no other interaction with the external IDP. There could be situations when the user in the external IDP could be fired/removed, hence Keycloak might have to know if the user is still valid to allow refresh of the tokens to happen. Just wondering if it is handled by any means before reissuing the refresh token? In our current implementation, for this purpose the SCIM protocol was used to listen for any DELETE USER operations at the external IDP end and update the status of the user at the SP end. So during token validation, this user status is verified. Please let me know if there is any similar plan in Keycloak too. Thanks Kamal ************************************** What do you mean by federated user? We have the concept of federating between IDPs, where Keycloak is the child and an external IDP is the parent. In this case, we do not check the status of the external user at all. I'm not currently aware of any standard we can use to do this. From: Kamal Jagadevan To: Keycloak-user Sent: Monday, July 13, 2015 5:39 PM Subject: Use case of Deprovisioning a user in Federated IDP Hello, I would like to know how de-provisioning of a user in the Federated IDP case is being handled in Keycloak. How frequently does Keycloak validate the federated user status before reissuing a new access token to the already authenticated user? Are there plans to support SCIM (System for Cross-domain Identity Management) in the Keycloak roadmap? Following is our use case: 1. There are a few processes that will be authenticated with the Federated IDP using SAML just after user (A) registration is complete (one time login manually). 2. Subsequently the SP will issue the token pair to these processes to use as long as the Refresh token lifetime is valid. 3.
Within this refresh token lifetime (if it is too long) and in the case user (A) is de-provisioned/removed, how would the SP be aware to block this token renewal? Please share your thoughts. Best, Kamal -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150714/47af8494/attachment.html

From juraci at kroehling.de Tue Jul 14 11:49:25 2015 From: juraci at kroehling.de (Juraci Paixão Kröhling) Date: Tue, 14 Jul 2015 17:49:25 +0200 Subject: [keycloak-user] help with bearer + basic auth In-Reply-To: <55A52B9D.9060704@commonjava.org> References: <55A52B9D.9060704@commonjava.org> Message-ID: <55A52F85.3000709@kroehling.de> On 07/14/2015 05:32 PM, John Casey wrote: > ...but it doesn't seem to have a javascript UI or anything using bearer > tokens to verify that it works that way. Not sure I understood your question, but removing the "bearer-only" and adding "enable-basic-auth" should be enough to have your server adapter accept both bearer tokens and basic auth. We have a similar scenario and this is how we configure it: Server adapter: http://git.io/vm3gz Realm: http://git.io/vm329 - Juca.

From jdcasey at commonjava.org Tue Jul 14 12:04:21 2015 From: jdcasey at commonjava.org (John Casey) Date: Tue, 14 Jul 2015 11:04:21 -0500 Subject: [keycloak-user] help with bearer + basic auth In-Reply-To: <55A52F85.3000709@kroehling.de> References: <55A52B9D.9060704@commonjava.org> <55A52F85.3000709@kroehling.de> Message-ID: <55A53305.7090403@commonjava.org> On 07/14/2015 10:49 AM, Juraci Paixão Kröhling wrote: > On 07/14/2015 05:32 PM, John Casey wrote: >> ...but it doesn't seem to have a javascript UI or anything using bearer >> tokens to verify that it works that way. > > Not sure I understood your question, but removing the "bearer-only" and > adding "enable-basic-auth" should be enough to have your server adapter > to accept both bearer tokens and basic auth.
> This is exactly what I'm trying to do. I've tried removing "bearer-only" and replaced it with "enable-basic-auth"...which has two effects: - basic auth via curl works (it didn't before the change) - the UI (using javascript adapter + bearer token) gets 400 Bad Request Are you using the javascript adapter to login for your UI, passing the bearer token to the server? I guess what I'm asking is if your application actually uses both methods (basic auth and bearer token)? I'm not sure how to filter my realm json to pare out the unnecessary stuff, but here's a gist containing the full file (it's on a test docker container, so no worries about security): https://gist.github.com/jdcasey/3f934fcd4967b99ebb05 -- John Casey --- GitHub: https://github.com/jdcasey/ Twitter: http://twitter.com/buildchimp

From bburke at redhat.com Tue Jul 14 12:16:12 2015 From: bburke at redhat.com (Bill Burke) Date: Tue, 14 Jul 2015 12:16:12 -0400 Subject: [keycloak-user] help with bearer + basic auth In-Reply-To: <55A53305.7090403@commonjava.org> References: <55A52B9D.9060704@commonjava.org> <55A52F85.3000709@kroehling.de> <55A53305.7090403@commonjava.org> Message-ID: <55A535CC.7080805@redhat.com> IIRC, the basic auth switch is so that you can send the token via basic auth rather than as bearer auth. This is really only useful when you can't use a keycloak adapter, but can implement a LoginModule or something. It has nothing to do with basic auth. On 7/14/2015 12:04 PM, John Casey wrote: > On 07/14/2015 10:49 AM, Juraci Paixão Kröhling wrote: >> On 07/14/2015 05:32 PM, John Casey wrote: >>> ...but it doesn't seem to have a javascript UI or anything using bearer >>> tokens to verify that it works that way. >> >> Not sure I understood your question, but removing the "bearer-only" and >> adding "enable-basic-auth" should be enough to have your server adapter >> to accept both bearer tokens and basic auth. >> > > This is exactly what I'm trying to do.
I've tried removing "bearer-only" > and replaced it with "enable-basic-auth"...which has two effects: > > - basic auth via curl works (it didn't before the change) > > - the UI (using javascript adapter + bearer token) gets 400 Bad Request > > > Are you using the javascript adapter to login for your UI, passing the > bearer token to the server? I guess what I'm asking is if your > application actually uses both methods (basic auth and bearer token)? > > I'm not sure how to filter my realm json to pare out the unnecessary > stuff, but here's a gist containing the full file (it's on a test docker > container, so no worries about security): > > https://gist.github.com/jdcasey/3f934fcd4967b99ebb05 > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

From thiago.addevico at gmail.com Tue Jul 14 14:56:15 2015 From: thiago.addevico at gmail.com (Thiago Presa) Date: Tue, 14 Jul 2015 15:56:15 -0300 Subject: [keycloak-user] Testing JSR-250 annotated EJBs with Keycloak and Arquillian Message-ID: What I meant was how to write an in-container test for an EJB annotated with @RolesAllowed. How can I programmatically log in and create the EJB session with the roles returned from Keycloak? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150714/534052ef/attachment.html

From jdcasey at commonjava.org Tue Jul 14 15:23:46 2015 From: jdcasey at commonjava.org (John Casey) Date: Tue, 14 Jul 2015 14:23:46 -0500 Subject: [keycloak-user] help with bearer + basic auth In-Reply-To: <55A535CC.7080805@redhat.com> References: <55A52B9D.9060704@commonjava.org> <55A52F85.3000709@kroehling.de> <55A53305.7090403@commonjava.org> <55A535CC.7080805@redhat.com> Message-ID: <55A561C2.2040708@commonjava.org> Well, when I use "enable-basic-auth" this works fine: $ curl -u test -i http://localhost:8081/api/admin/remote Enter host password for user 'test': HTTP/1.1 200 OK ...
However, that configuration causes the UI to use a 'code' query param and encounter 400 responses. In the keycloak server output I see: 19:19:07,524 WARN [org.keycloak.events] (default task-7) type=REFRESH_TOKEN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=127.0.0.1, error=invalid_token I'm looking through the code keycloak uses to supply an authentication mechanism to undertow now, to hopefully come up with a way to handle basic auth...maybe through a wrapper auth mech around keycloak? Do you have any samples / hints I might be able to follow? I'll admit, this is the first time I've had to look this closely at servlet/web auth mechanisms. On 07/14/2015 11:16 AM, Bill Burke wrote: > IIRC, the basic auth switch is so that you can send the token via basic > auth rather than as bearer auth. This is really only useful when you > can't use a keycloak adapter, but can implement a LoginModule or > something. It has nothing to do with basic auth. > > On 7/14/2015 12:04 PM, John Casey wrote: >> On 07/14/2015 10:49 AM, Juraci Paixão Kröhling wrote: >>> On 07/14/2015 05:32 PM, John Casey wrote: >>>> ...but it doesn't seem to have a javascript UI or anything using bearer >>>> tokens to verify that it works that way. >>> >>> Not sure I understood your question, but removing the "bearer-only" and >>> adding "enable-basic-auth" should be enough to have your server adapter >>> to accept both bearer tokens and basic auth. >>> >> >> This is exactly what I'm trying to do. I've tried removing "bearer-only" >> and replaced it with "enable-basic-auth"...which has two effects: >> >> - basic auth via curl works (it didn't before the change) >> >> - the UI (using javascript adapter + bearer token) gets 400 Bad Request >> >> >> Are you using the javascript adapter to login for your UI, passing the >> bearer token to the server? I guess what I'm asking is if your >> application actually uses both methods (basic auth and bearer token)?
>> >> I'm not sure how to filter my realm json to pare out the unnecessary >> stuff, but here's a gist containing the full file (it's on a test docker >> container, so no worries about security): >> >> https://gist.github.com/jdcasey/3f934fcd4967b99ebb05 >> > -- John Casey --- GitHub: https://github.com/jdcasey/ Twitter: http://twitter.com/buildchimp

From stian at redhat.com Wed Jul 15 03:17:55 2015 From: stian at redhat.com (Stian Thorgersen) Date: Wed, 15 Jul 2015 03:17:55 -0400 (EDT) Subject: [keycloak-user] help with bearer + basic auth In-Reply-To: <55A561C2.2040708@commonjava.org> References: <55A52B9D.9060704@commonjava.org> <55A52F85.3000709@kroehling.de> <55A53305.7090403@commonjava.org> <55A535CC.7080805@redhat.com> <55A561C2.2040708@commonjava.org> Message-ID: <699457916.39128725.1436944675968.JavaMail.zimbra@redhat.com> Have a look at basic-auth example, it's included in the examples dl. ----- Original Message ----- > From: "John Casey" > To: "Bill Burke" , keycloak-user at lists.jboss.org > Sent: Tuesday, 14 July, 2015 9:23:46 PM > Subject: Re: [keycloak-user] help with bearer + basic auth > > Well, when I use "enable-basic-auth" this works fine: > > $ curl -u test -i http://localhost:8081/api/admin/remote > Enter host password for user 'test': > HTTP/1.1 200 OK > ... > > However, that configuration causes the UI use a 'code' query param and > encounter 400 responses. In the keycloak server output I see: > > 19:19:07,524 WARN [org.keycloak.events] (default task-7) > type=REFRESH_TOKEN_ERROR, realmId=master, > clientId=security-admin-console, userId=null, ipAddress=127.0.0.1, > error=invalid_token > > I'm looking through the code keycloak uses to supply an authentication > mechanism to undertow now, to hopefully come with a way to handle basic > auth...maybe through a wrapper auth mech around keycloak? > > Do you have any samples / hints I might be able to follow?
I'll admit, > this is the first time I've had to look this closely at servlet/web auth > mechanisms. > > > On 07/14/2015 11:16 AM, Bill Burke wrote: > > IIRC, the basic auth switch is so that you can send the token via basic > > auth rather than as bearer auth. This is really only useful when you > > can't use a keycloak adapter, but can implement a LoginModule or > > something. It has nothing to do with basic auth. > > > > On 7/14/2015 12:04 PM, John Casey wrote: > >> On 07/14/2015 10:49 AM, Juraci Paixão Kröhling wrote: > >>> On 07/14/2015 05:32 PM, John Casey wrote: > >>>> ...but it doesn't seem to have a javascript UI or anything using bearer > >>>> tokens to verify that it works that way. > >>> > >>> Not sure I understood your question, but removing the "bearer-only" and > >>> adding "enable-basic-auth" should be enough to have your server adapter > >>> to accept both bearer tokens and basic auth. > >>> > >> > >> This is exactly what I'm trying to do. I've tried removing "bearer-only" > >> and replaced it with "enable-basic-auth"...which has two effects: > >> > >> - basic auth via curl works (it didn't before the change) > >> > >> - the UI (using javascript adapter + bearer token) gets 400 Bad Request > >> > >> > >> Are you using the javascript adapter to login for your UI, passing the > >> bearer token to the server? I guess what I'm asking is if your > >> application actually uses both methods (basic auth and bearer token)?
> >> > >> I'm not sure how to filter my realm json to pare out the unnecessary > >> stuff, but here's a gist containing the full file (it's on a test docker > >> container, so no worries about security): > >> > >> https://gist.github.com/jdcasey/3f934fcd4967b99ebb05 > >> > > > > -- > John Casey > --- > GitHub: https://github.com/jdcasey/ > Twitter: http://twitter.com/buildchimp > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From juraci at kroehling.de Wed Jul 15 09:37:10 2015 From: juraci at kroehling.de (Juraci Paixão Kröhling) Date: Wed, 15 Jul 2015 15:37:10 +0200 Subject: [keycloak-user] Login timeout Message-ID: <55A66206.1040002@kroehling.de> All, When a user's session has timed out, the usual approach is to issue a logout via the JavaScript adapter, which in turn will redirect the browser to the login page at Keycloak. The problem we are facing is that the user might not be active at this time (the session has already timed out, after all), so it might take a while for the user to log in again. If the user takes too long to log in again, Keycloak will display a login error, saying "Login timeout. Please login again". While I understand the technical aspects behind this, I think this is problematic from the UXD perspective. Why should the user enter the same valid login/password again, if the first ones were just fine? As a "temporary" solution for Hawkular, we are *not* issuing a logout via the JS adapter, but doing a "clearToken" and showing a modal with a message like "Your session has timed out, login again", forcing the user to click on a "Login" button, which will then redirect the user to the login page. This is also not optimal from the UXD perspective, but at least won't display an error message to the user.
As we can't possibly be the only ones with this (minor) problem, I'm wondering if a set of redirects "in the background" couldn't solve the technical issues, while keeping the login process "error free" from the user's perspective. Or if we should indeed handle this situation on our side. For reference: https://issues.jboss.org/browse/HAWKULAR-444 - Juca.

From jdcasey at commonjava.org Wed Jul 15 11:17:46 2015 From: jdcasey at commonjava.org (John Casey) Date: Wed, 15 Jul 2015 10:17:46 -0500 Subject: [keycloak-user] help with bearer + basic auth In-Reply-To: <699457916.39128725.1436944675968.JavaMail.zimbra@redhat.com> References: <55A52B9D.9060704@commonjava.org> <55A52F85.3000709@kroehling.de> <55A53305.7090403@commonjava.org> <55A535CC.7080805@redhat.com> <55A561C2.2040708@commonjava.org> <699457916.39128725.1436944675968.JavaMail.zimbra@redhat.com> Message-ID: <55A6799A.2060605@commonjava.org> Actually, that's where I started before I originally asked this list. From following the configuration examples there, and checking my realm configuration against that in the example, I was only able to set up ONE OR THE OTHER of the following cases (never both): - basic authentication worked on the REST server, when using curl as a client - the UI worked, using a bearer token (the javascript adapter was doing the actual sign-in) After taking Bill's advice to look at implementing another LoginModule, I came up with this: http://bit.ly/1CH4kdU This actually satisfies both cases by doing the BASIC -> Bearer translation on the server side, then passing it on to Keycloak's authentication mechanisms...but I'm not sure it's the most elegant solution. On 07/15/2015 02:17 AM, Stian Thorgersen wrote: > Have a look at basic-auth example, it's included in the examples dl.
> > ----- Original Message ----- >> From: "John Casey" >> To: "Bill Burke" , keycloak-user at lists.jboss.org >> Sent: Tuesday, 14 July, 2015 9:23:46 PM >> Subject: Re: [keycloak-user] help with bearer + basic auth >> >> Well, when I use "enable-basic-auth" this works fine: >> >> $ curl -u test -i http://localhost:8081/api/admin/remote >> Enter host password for user 'test': >> HTTP/1.1 200 OK >> ... >> >> However, that configuration causes the UI use a 'code' query param and >> encounter 400 responses. In the keycloak server output I see: >> >> 19:19:07,524 WARN [org.keycloak.events] (default task-7) >> type=REFRESH_TOKEN_ERROR, realmId=master, >> clientId=security-admin-console, userId=null, ipAddress=127.0.0.1, >> error=invalid_token >> >> I'm looking through the code keycloak uses to supply an authentication >> mechanism to undertow now, to hopefully come with a way to handle basic >> auth...maybe through a wrapper auth mech around keycloak? >> >> Do you have any samples / hints I might be able to follow? I'll admit, >> this is the first time I've had to look this closely at servlet/web auth >> mechanisms. >> >> >> On 07/14/2015 11:16 AM, Bill Burke wrote: >>> IIRC, the basic auth switch is so that you can send the token via basic >>> auth rather than as bearer auth. This is really only useful when you >>> can't use a keycloak adapter, but can implement a LoginModule or >>> something. It has nothing to do with basic auth. >>> >>> On 7/14/2015 12:04 PM, John Casey wrote: >>>> On 07/14/2015 10:49 AM, Juraci Paixão Kröhling wrote: >>>>> On 07/14/2015 05:32 PM, John Casey wrote: >>>>>> ...but it doesn't seem to have a javascript UI or anything using bearer >>>>>> tokens to verify that it works that way. >>>>> >>>>> Not sure I understood your question, but removing the "bearer-only" and >>>>> adding "enable-basic-auth" should be enough to have your server adapter >>>>> to accept both bearer tokens and basic auth.
>>>>> >>>> >>>> This is exactly what I'm trying to do. I've tried removing "bearer-only" >>>> and replaced it with "enable-basic-auth"...which has two effects: >>>> >>>> - basic auth via curl works (it didn't before the change) >>>> >>>> - the UI (using javascript adapter + bearer token) gets 400 Bad Request >>>> >>>> >>>> Are you using the javascript adapter to login for your UI, passing the >>>> bearer token to the server? I guess what I'm asking is if your >>>> application actually uses both methods (basic auth and bearer token)? >>>> >>>> I'm not sure how to filter my realm json to pare out the unnecessary >>>> stuff, but here's a gist containing the full file (it's on a test docker >>>> container, so no worries about security): >>>> >>>> https://gist.github.com/jdcasey/3f934fcd4967b99ebb05 >>>> >>> >> >> -- >> John Casey >> --- >> GitHub: https://github.com/jdcasey/ >> Twitter: http://twitter.com/buildchimp >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> -- John Casey --- GitHub: https://github.com/jdcasey/ Twitter: http://twitter.com/buildchimp

From juraci at kroehling.de Wed Jul 15 11:56:30 2015 From: juraci at kroehling.de (Juraci Paixão Kröhling) Date: Wed, 15 Jul 2015 17:56:30 +0200 Subject: [keycloak-user] help with bearer + basic auth In-Reply-To: <55A6799A.2060605@commonjava.org> References: <55A52B9D.9060704@commonjava.org> <55A52F85.3000709@kroehling.de> <55A53305.7090403@commonjava.org> <55A535CC.7080805@redhat.com> <55A561C2.2040708@commonjava.org> <699457916.39128725.1436944675968.JavaMail.zimbra@redhat.com> <55A6799A.2060605@commonjava.org> Message-ID: <55A682AE.30400@kroehling.de> It should *not* be needed. In Hawkular, we don't need to do anything extra to get the backend adapter to accept bearer tokens *and* basic authentication. I'd say that you are missing some configuration entry.
I'd recommend putting a breakpoint on those places and then following the code: http://git.io/vml9j http://git.io/vmlXS http://git.io/vm3Qj - Juca. On 07/15/2015 05:17 PM, John Casey wrote: > Actually, that's where I started before I originally asked this list. > From following the configuration examples there, and checking my realm > configuration against that in the example, I was only able to setup ONE > OR THE OTHER of the following cases (never both): > > - basic authentication worked on the REST server, when using curl as a > client > > - the UI worked, using a bearer token (the javascript adapter was doing > the actual sign-in) > > After taking Bill's advice to look at implementing another LoginModule, > I came up with this: > > http://bit.ly/1CH4kdU > > This actually satisfies both cases by doing the BASIC -> Bearer > translation on the server side, then passing it on to Keycloak's > authentication mechanisms...but I'm not sure it's the most elegant solution. > > On 07/15/2015 02:17 AM, Stian Thorgersen wrote: >> Have a look at basic-auth example, it's included in the examples dl. >> >> ----- Original Message ----- >>> From: "John Casey" >>> To: "Bill Burke" , keycloak-user at lists.jboss.org >>> Sent: Tuesday, 14 July, 2015 9:23:46 PM >>> Subject: Re: [keycloak-user] help with bearer + basic auth >>> >>> Well, when I use "enable-basic-auth" this works fine: >>> >>> $ curl -u test -i http://localhost:8081/api/admin/remote >>> Enter host password for user 'test': >>> HTTP/1.1 200 OK >>> ... >>> >>> However, that configuration causes the UI use a 'code' query param and >>> encounter 400 responses. 
In the keycloak server output I see: >>> >>> 19:19:07,524 WARN [org.keycloak.events] (default task-7) >>> type=REFRESH_TOKEN_ERROR, realmId=master, >>> clientId=security-admin-console, userId=null, ipAddress=127.0.0.1, >>> error=invalid_token >>> >>> I'm looking through the code keycloak uses to supply an authentication >>> mechanism to undertow now, to hopefully come with a way to handle basic >>> auth...maybe through a wrapper auth mech around keycloak? >>> >>> Do you have any samples / hints I might be able to follow? I'll admit, >>> this is the first time I've had to look this closely at servlet/web auth >>> mechanisms. >>> >>> >>> On 07/14/2015 11:16 AM, Bill Burke wrote: >>>> IIRC, the basic auth switch is so that you can send the token via basic >>>> auth rather than as bearer auth. This is really only useful when you >>>> can't use a keycloak adapter, but can implement a LoginModule or >>>> something. It has nothing to do with basic auth. >>>> >>>> On 7/14/2015 12:04 PM, John Casey wrote: >>>>> On 07/14/2015 10:49 AM, Juraci Paixão Kröhling wrote: >>>>>> On 07/14/2015 05:32 PM, John Casey wrote: >>>>>>> ...but it doesn't seem to have a javascript UI or anything using bearer >>>>>>> tokens to verify that it works that way. >>>>>> >>>>>> Not sure I understood your question, but removing the "bearer-only" and >>>>>> adding "enable-basic-auth" should be enough to have your server adapter >>>>>> to accept both bearer tokens and basic auth. >>>>>> >>>>> >>>>> This is exactly what I'm trying to do. I've tried removing "bearer-only" >>>>> and replaced it with "enable-basic-auth"...which has two effects: >>>>> >>>>> - basic auth via curl works (it didn't before the change) >>>>> >>>>> - the UI (using javascript adapter + bearer token) gets 400 Bad Request >>>>> >>>>> >>>>> Are you using the javascript adapter to login for your UI, passing the >>>>> bearer token to the server?
I guess what I'm asking is if your >>>>> application actually uses both methods (basic auth and bearer token)? >>>>> >>>>> I'm not sure how to filter my realm json to pare out the unnecessary >>>>> stuff, but here's a gist containing the full file (it's on a test docker >>>>> container, so no worries about security): >>>>> >>>>> https://gist.github.com/jdcasey/3f934fcd4967b99ebb05 >>>>> >>>> >>> >>> -- >>> John Casey >>> --- >>> GitHub: https://github.com/jdcasey/ >>> Twitter: http://twitter.com/buildchimp >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >

From jdcasey at commonjava.org Wed Jul 15 13:05:52 2015 From: jdcasey at commonjava.org (John Casey) Date: Wed, 15 Jul 2015 12:05:52 -0500 Subject: [keycloak-user] help with bearer + basic auth In-Reply-To: <55A682AE.30400@kroehling.de> References: <55A52B9D.9060704@commonjava.org> <55A52F85.3000709@kroehling.de> <55A53305.7090403@commonjava.org> <55A535CC.7080805@redhat.com> <55A561C2.2040708@commonjava.org> <699457916.39128725.1436944675968.JavaMail.zimbra@redhat.com> <55A6799A.2060605@commonjava.org> <55A682AE.30400@kroehling.de> Message-ID: <55A692F0.2000807@commonjava.org> Looking at this more closely, it seems like it's related to the fact that I'm using a different domain for my keycloak server. I'm not sure why, but when I switch the server from "bearer-only" to "enable-basic-auth" I immediately see a 'code' query param start showing up in the URLs my UI uses. At the same time, I start seeing 'No state cookie' in the server output. https://gist.github.com/jdcasey/b6254fb5813136ae8495 Knowing that cookies are tied to the domain in which they're created, could it be that redirecting to a different domain for keycloak authentication breaks the bearer auth to my REST server?
If so, why would it (and the use of the 'code' query param) change when going from "bearer-only" -> "enable-basic-auth"? I haven't set breakpoints and debugged this yet. It's not awesome that an app user can't determine enough from the (extensive) configuration guide to be able to do this without setting up a debugger...Do you have a FAQ / Troubleshooting area where these things can be logged so the next user doesn't have to spend days on this? On 07/15/2015 10:56 AM, Juraci Paixão Kröhling wrote: > It should *not* be needed. In Hawkular, we don't need to do anything > extra to get the backend adapter to accept bearer tokens *and* basic > authentication. I'd say that you are missing some configuration entry. > > I'd recommend putting a breakpoint on those places and then following > the code: > > http://git.io/vml9j > http://git.io/vmlXS > http://git.io/vm3Qj > > - Juca. > > On 07/15/2015 05:17 PM, John Casey wrote: >> Actually, that's where I started before I originally asked this list. >> From following the configuration examples there, and checking my realm >> configuration against that in the example, I was only able to setup ONE >> OR THE OTHER of the following cases (never both): >> >> - basic authentication worked on the REST server, when using curl as a >> client >> >> - the UI worked, using a bearer token (the javascript adapter was doing >> the actual sign-in) >> >> After taking Bill's advice to look at implementing another LoginModule, >> I came up with this: >> >> http://bit.ly/1CH4kdU >> >> This actually satisfies both cases by doing the BASIC -> Bearer >> translation on the server side, then passing it on to Keycloak's >> authentication mechanisms...but I'm not sure it's the most elegant solution. >> >> On 07/15/2015 02:17 AM, Stian Thorgersen wrote: >>> Have a look at basic-auth example, it's included in the examples dl.
>>> >>> ----- Original Message ----- >>>> From: "John Casey" >>>> To: "Bill Burke" , keycloak-user at lists.jboss.org >>>> Sent: Tuesday, 14 July, 2015 9:23:46 PM >>>> Subject: Re: [keycloak-user] help with bearer + basic auth >>>> >>>> Well, when I use "enable-basic-auth" this works fine: >>>> >>>> $ curl -u test -i http://localhost:8081/api/admin/remote >>>> Enter host password for user 'test': >>>> HTTP/1.1 200 OK >>>> ... >>>> >>>> However, that configuration causes the UI use a 'code' query param and >>>> encounter 400 responses. In the keycloak server output I see: >>>> >>>> 19:19:07,524 WARN [org.keycloak.events] (default task-7) >>>> type=REFRESH_TOKEN_ERROR, realmId=master, >>>> clientId=security-admin-console, userId=null, ipAddress=127.0.0.1, >>>> error=invalid_token >>>> >>>> I'm looking through the code keycloak uses to supply an authentication >>>> mechanism to undertow now, to hopefully come with a way to handle basic >>>> auth...maybe through a wrapper auth mech around keycloak? >>>> >>>> Do you have any samples / hints I might be able to follow? I'll admit, >>>> this is the first time I've had to look this closely at servlet/web auth >>>> mechanisms. >>>> >>>> >>>> On 07/14/2015 11:16 AM, Bill Burke wrote: >>>>> IIRC, the basic auth switch is so that you can send the token via basic >>>>> auth rather than as bearer auth. This is really only useful when you >>>>> can't use a keycloak adapter, but can implement a LoginModule or >>>>> something. It has nothing to do with basic auth. >>>>> >>>>> On 7/14/2015 12:04 PM, John Casey wrote: >>>>>> On 07/14/2015 10:49 AM, Juraci Paixão Kröhling wrote: >>>>>>> On 07/14/2015 05:32 PM, John Casey wrote: >>>>>>>> ...but it doesn't seem to have a javascript UI or anything using bearer >>>>>>>> tokens to verify that it works that way.
>>>>>>> >>>>>>> Not sure I understood your question, but removing the "bearer-only" and >>>>>>> adding "enable-basic-auth" should be enough to have your server adapter >>>>>>> to accept both bearer tokens and basic auth. >>>>>>> >>>>>> >>>>>> This is exactly what I'm trying to do. I've tried removing "bearer-only" >>>>>> and replaced it with "enable-basic-auth"...which has two effects: >>>>>> >>>>>> - basic auth via curl works (it didn't before the change) >>>>>> >>>>>> - the UI (using javascript adapter + bearer token) gets 400 Bad Request >>>>>> >>>>>> >>>>>> Are you using the javascript adapter to login for your UI, passing the >>>>>> bearer token to the server? I guess what I'm asking is if your >>>>>> application actually uses both methods (basic auth and bearer token)? >>>>>> >>>>>> I'm not sure how to filter my realm json to pare out the unnecessary >>>>>> stuff, but here's a gist containing the full file (it's on a test docker >>>>>> container, so no worries about security): >>>>>> >>>>>> https://gist.github.com/jdcasey/3f934fcd4967b99ebb05 >>>>>> >>>>> >>>> >>>> -- >>>> John Casey >>>> --- >>>> GitHub: https://github.com/jdcasey/ >>>> Twitter: http://twitter.com/buildchimp >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- John Casey --- GitHub: https://github.com/jdcasey/ Twitter: http://twitter.com/buildchimp

From bburke at redhat.com Wed Jul 15 18:07:33 2015 From: bburke at redhat.com (Bill Burke) Date: Wed, 15 Jul 2015 18:07:33 -0400 Subject: [keycloak-user] Login timeout In-Reply-To: <55A66206.1040002@kroehling.de> References: <55A66206.1040002@kroehling.de> Message-ID: <55A6D9A5.7030000@redhat.com> On 7/15/2015 9:37 AM, Juraci Paixão Kröhling wrote: > All, > > When an user's session is timed out, the usual approach is to issue a > logout via the JavaScript adapter, which in turn will redirect the > browser to the login page at Keycloak. > > The problem we are facing is that the user might not be active at this > time (the session has already timed out, after all), so, it might take a > while for the user to login again. If the user takes too long to login > again, Keycloak will display a login error, saying "Login timeout. > Please login again". > Yeah, we are fixing timeouts a little. There are 2 timeouts: Timeout of a login action. This happens if you take too long in the login process. In this case the login session is still active in memory. What we'll do is just redirect the user to the login screen to start over and give them this error message. "You took too long to login. Please restart login process.". Next one is timeout of the session. When this happens, we have no information on how to complete the login. Information like the SAML Request or OIDC query parameters. In this case we will be redirecting back to the client. Client will choose whether to restart authentication over or not. > While I understand the technical aspects behind this, I think this is > problematic from the UXD perspective. Why should the user enter the same > valid login/password again, if the first ones were just fine? > I'm not sure we can fix this. If there is a session timeout, we have no information on how to complete the authentication as this information has been wiped out. So the only option is to redirect back to the client in this situation. > As a "temporary" solution for Hawkular, we are *not* issuing a logout > via the JS adapter, but doing a "clearToken" and showing a modal with a > message like "Your session has timed out, login again", forcing the user > to click on a "Login" button, which will then redirect the user to the > login page.
> This is also not optimal from the UXD perspective, but at
> least won't display an error message to the user.
>

I think what you are doing is the best solution.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From Maurice.Quaedackers at planonsoftware.com Thu Jul 16 04:21:04 2015
From: Maurice.Quaedackers at planonsoftware.com (Maurice Quaedackers)
Date: Thu, 16 Jul 2015 10:21:04 +0200
Subject: [keycloak-user] Unable to log in to master realm with new created users
Message-ID: <16DCFFB91025EF4DB80D3ECCA6E097E46FEEF06D38@NL-MAIL02.planon-fm.com>

Hello,

I have an issue with a running Keycloak 1.2.0.Final instance.

The instance was running all okay, but suddenly, without changing anything in the installation, I am not able to create new users in the Master realm and log in with this new user.

Already existing users can log in to Keycloak, also when I change the password for the user.

As soon as I create a user (planon in this example) and try to log in with the given credentials, I get "Invalid username or password" prompted and see the line below in the server.log:

08:44:37,204 WARN [org.keycloak.events] (default task-24) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=2260992e-a2fb-4503-b5a1-f468526fbc9f, ipAddress=84.233.191.62, error=invalid_user_credentials, auth_method=form, response_type=code, redirect_uri=https://fr-authtest.planoncloud.com/auth/admin/master/console/, code_id=b2a5f41b-568c-420a-bd5d-770080c369ab, username=planon

How can I find the root cause for this issue? (And a resolution)

With kind regards / Met vriendelijke groet,

Maurice Quaedackers
Planon Cloud Center
_____________________
Planon B.V.
Postbus 38074
6503 AB Nijmegen
Wijchenseweg 8
6537 TL Nijmegen
Nederland
T: +31 (0) 24 641 3135
F: +31 (0) 24 642 2942
E: maurice.quaedackers at planonsoftware.com
W: www.planonsoftware.com

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender.

From stian at redhat.com Thu Jul 16 04:50:05 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 16 Jul 2015 04:50:05 -0400 (EDT)
Subject: [keycloak-user] Unable to log in to master realm with new created users
In-Reply-To: <16DCFFB91025EF4DB80D3ECCA6E097E46FEEF06D38@NL-MAIL02.planon-fm.com>
References: <16DCFFB91025EF4DB80D3ECCA6E097E46FEEF06D38@NL-MAIL02.planon-fm.com>
Message-ID: <1284544810.39885756.1437036605515.JavaMail.zimbra@redhat.com>

How are you creating the new users? From the error message it looks like you're trying to login as the new user with an invalid password.

From Maurice.Quaedackers at planonsoftware.com Thu Jul 16 05:13:24 2015
From: Maurice.Quaedackers at planonsoftware.com (Maurice Quaedackers)
Date: Thu, 16 Jul 2015 11:13:24 +0200
Subject: [keycloak-user] Unable to log in to master realm with new created users
In-Reply-To: <1284544810.39885756.1437036605515.JavaMail.zimbra@redhat.com>
References: <16DCFFB91025EF4DB80D3ECCA6E097E46FEEF06D38@NL-MAIL02.planon-fm.com> <1284544810.39885756.1437036605515.JavaMail.zimbra@redhat.com>
Message-ID: <16DCFFB91025EF4DB80D3ECCA6E097E46FEEF06EAF@NL-MAIL02.planon-fm.com>

I am creating the new user via the Keycloak GUI with the admin account. I reset the password several times for the new users and also tried creating other users, which results in the same issue.

I see the user being created in the Keycloak db.

Is there a way I can get more logging to see more details other than "credentials do not match"?

(When I try the same action on other Keycloak instances it works as expected, so the issue is only present in this installation, and I am looking into why it is occurring now, since until the beginning of this week this instance was working fine.)

Best regards,

Maurice Quaedackers

From stian at redhat.com Thu Jul 16 06:54:44 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 16 Jul 2015 06:54:44 -0400 (EDT)
Subject: [keycloak-user] Unable to log in to master realm with new created users
In-Reply-To: <16DCFFB91025EF4DB80D3ECCA6E097E46FEEF06EAF@NL-MAIL02.planon-fm.com>
References: <16DCFFB91025EF4DB80D3ECCA6E097E46FEEF06D38@NL-MAIL02.planon-fm.com> <1284544810.39885756.1437036605515.JavaMail.zimbra@redhat.com> <16DCFFB91025EF4DB80D3ECCA6E097E46FEEF06EAF@NL-MAIL02.planon-fm.com>
Message-ID: <1915615216.39921407.1437044084526.JavaMail.zimbra@redhat.com>

Afraid there's not much more debug info available other than remote debugging. Have you made any changes to the db? What db are you using? Have you changed password hash iterations or some other configurations?

From niko at n-k.de Thu Jul 16 07:45:43 2015
From: niko at n-k.de (Niko Köbler)
Date: Thu, 16 Jul 2015 13:45:43 +0200
Subject: [keycloak-user] Login user action lifespan
Message-ID:

Hi,

you can set the "login user action lifespan" in realm settings for the time the link is valid for a user to set a password (or other tasks).
This link seems to be valid and working even if the user has clicked on it and has done the tasks.

Is it possible to configure this link to be valid only once during its lifespan? Or at least to be invalid as soon as the user has set his password/done the login actions?
Otherwise this link could be used to change the password again, after the user has already set his password - possibly by third persons who got to know this link. May be a security issue?

Thanks & regards,
- Niko

From stian at redhat.com Thu Jul 16 07:49:16 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 16 Jul 2015 07:49:16 -0400 (EDT)
Subject: [keycloak-user] Login user action lifespan
In-Reply-To:
References:
Message-ID: <1975433364.39935626.1437047356353.JavaMail.zimbra@redhat.com>

Does it seem that it is valid, or is it valid? It should only be usable once.

----- Original Message -----
> From: "Niko Köbler"
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, 16 July, 2015 1:45:43 PM
> Subject: [keycloak-user] Login user action lifespan
>
> Hi,
>
> you can set the "login user action lifespan" in realm settings for the time
> the link is valid for a user to set a password (or other tasks).
> This link seems to be valid and working even if the user has clicked on it
> and has done the tasks.
> > Is it possible to configure this link to be valid only once during its > lifespan ? Or at least to be invalid as soon the user has set his > password/done the login actions? > Otherwise this link could be used to change the password again, after the > user has already set his password - possibly from third persons who got > known of this link. May be a security issue? > > Thanks & regards, > - Niko > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From niko at n-k.de Thu Jul 16 07:58:21 2015 From: niko at n-k.de (=?utf-8?Q?Niko_K=C3=B6bler?=) Date: Thu, 16 Jul 2015 13:58:21 +0200 Subject: [keycloak-user] Login user action lifespan In-Reply-To: <1975433364.39935626.1437047356353.JavaMail.zimbra@redhat.com> References: <1975433364.39935626.1437047356353.JavaMail.zimbra@redhat.com> Message-ID: It is valid. I can change my password again and again? > Am 16.07.2015 um 13:49 schrieb Stian Thorgersen : > > Does it seem that it is valid, or is it valid? It should only be usable once. > > ----- Original Message ----- >> From: "Niko K?bler" >> To: keycloak-user at lists.jboss.org >> Sent: Thursday, 16 July, 2015 1:45:43 PM >> Subject: [keycloak-user] Login user action lifespan >> >> Hi, >> >> you can set the ?login user action lifespan? in realm settings for the time >> the link is valid for a user to set a password (or other tasks). >> This link seems to be valid and working even if the user has clicked on it >> and has done the tasks. >> >> Is it possible to configure this link to be valid only once during its >> lifespan ? Or at least to be invalid as soon the user has set his >> password/done the login actions? >> Otherwise this link could be used to change the password again, after the >> user has already set his password - possibly from third persons who got >> known of this link. May be a security issue? 
>> >> Thanks & regards, >> - Niko >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user From stian at redhat.com Thu Jul 16 08:00:15 2015 From: stian at redhat.com (Stian Thorgersen) Date: Thu, 16 Jul 2015 08:00:15 -0400 (EDT) Subject: [keycloak-user] Login user action lifespan In-Reply-To: References: <1975433364.39935626.1437047356353.JavaMail.zimbra@redhat.com> Message-ID: <1183082353.39938730.1437048015347.JavaMail.zimbra@redhat.com> That's definitively not correct behavior. What version are you on? Can you give me exact steps to reproduce? ----- Original Message ----- > From: "Niko K?bler" > To: "Stian Thorgersen" > Cc: keycloak-user at lists.jboss.org > Sent: Thursday, 16 July, 2015 1:58:21 PM > Subject: Re: [keycloak-user] Login user action lifespan > > It is valid. > I can change my password again and again? > > > > Am 16.07.2015 um 13:49 schrieb Stian Thorgersen : > > > > Does it seem that it is valid, or is it valid? It should only be usable > > once. > > > > ----- Original Message ----- > >> From: "Niko K?bler" > >> To: keycloak-user at lists.jboss.org > >> Sent: Thursday, 16 July, 2015 1:45:43 PM > >> Subject: [keycloak-user] Login user action lifespan > >> > >> Hi, > >> > >> you can set the ?login user action lifespan? in realm settings for the > >> time > >> the link is valid for a user to set a password (or other tasks). > >> This link seems to be valid and working even if the user has clicked on it > >> and has done the tasks. > >> > >> Is it possible to configure this link to be valid only once during its > >> lifespan ? Or at least to be invalid as soon the user has set his > >> password/done the login actions? > >> Otherwise this link could be used to change the password again, after the > >> user has already set his password - possibly from third persons who got > >> known of this link. May be a security issue? 
> >> > >> Thanks & regards, > >> - Niko > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > From niko at n-k.de Thu Jul 16 08:24:40 2015 From: niko at n-k.de (=?utf-8?Q?Niko_K=C3=B6bler?=) Date: Thu, 16 Jul 2015 14:24:40 +0200 Subject: [keycloak-user] Login user action lifespan In-Reply-To: <1183082353.39938730.1437048015347.JavaMail.zimbra@redhat.com> References: <1975433364.39935626.1437047356353.JavaMail.zimbra@redhat.com> <1183082353.39938730.1437048015347.JavaMail.zimbra@redhat.com> Message-ID: We are still on 1.2.0 Steps to reproduce: - create a user via Admin API - trigger to send the password-reset mail via Admin API - click on the link in the mail to set the password - try to log in -> works - go back to your mails, click again on the password-reset link in the mail - change your password - try to log in with old password -> doesn?t work - try to log in with new password -> works - and so on? > Am 16.07.2015 um 14:00 schrieb Stian Thorgersen : > > That's definitively not correct behavior. What version are you on? Can you give me exact steps to reproduce? > > ----- Original Message ----- >> From: "Niko K?bler" >> To: "Stian Thorgersen" >> Cc: keycloak-user at lists.jboss.org >> Sent: Thursday, 16 July, 2015 1:58:21 PM >> Subject: Re: [keycloak-user] Login user action lifespan >> >> It is valid. >> I can change my password again and again? >> >> >>> Am 16.07.2015 um 13:49 schrieb Stian Thorgersen : >>> >>> Does it seem that it is valid, or is it valid? It should only be usable >>> once. >>> >>> ----- Original Message ----- >>>> From: "Niko K?bler" >>>> To: keycloak-user at lists.jboss.org >>>> Sent: Thursday, 16 July, 2015 1:45:43 PM >>>> Subject: [keycloak-user] Login user action lifespan >>>> >>>> Hi, >>>> >>>> you can set the ?login user action lifespan? 
in realm settings for the >>>> time >>>> the link is valid for a user to set a password (or other tasks). >>>> This link seems to be valid and working even if the user has clicked on it >>>> and has done the tasks. >>>> >>>> Is it possible to configure this link to be valid only once during its >>>> lifespan ? Or at least to be invalid as soon the user has set his >>>> password/done the login actions? >>>> Otherwise this link could be used to change the password again, after the >>>> user has already set his password - possibly from third persons who got >>>> known of this link. May be a security issue? >>>> >>>> Thanks & regards, >>>> - Niko >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> From stian at redhat.com Thu Jul 16 08:26:17 2015 From: stian at redhat.com (Stian Thorgersen) Date: Thu, 16 Jul 2015 08:26:17 -0400 (EDT) Subject: [keycloak-user] Login user action lifespan In-Reply-To: References: <1975433364.39935626.1437047356353.JavaMail.zimbra@redhat.com> <1183082353.39938730.1437048015347.JavaMail.zimbra@redhat.com> Message-ID: <419710240.39951220.1437049577286.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "Niko K?bler" > To: "Stian Thorgersen" > Cc: keycloak-user at lists.jboss.org > Sent: Thursday, 16 July, 2015 2:24:40 PM > Subject: Re: [keycloak-user] Login user action lifespan > > We are still on 1.2.0 > > Steps to reproduce: > - create a user via Admin API > - trigger to send the password-reset mail via Admin API > - click on the link in the mail to set the password > - try to log in -> works Have you actually changed the password here, or just log in? > - go back to your mails, click again on the password-reset link in the mail > - change your password > - try to log in with old password -> doesn?t work > - try to log in with new password -> works > - and so on? 
> > > > > Am 16.07.2015 um 14:00 schrieb Stian Thorgersen : > > > > That's definitively not correct behavior. What version are you on? Can you > > give me exact steps to reproduce? > > > > ----- Original Message ----- > >> From: "Niko K?bler" > >> To: "Stian Thorgersen" > >> Cc: keycloak-user at lists.jboss.org > >> Sent: Thursday, 16 July, 2015 1:58:21 PM > >> Subject: Re: [keycloak-user] Login user action lifespan > >> > >> It is valid. > >> I can change my password again and again? > >> > >> > >>> Am 16.07.2015 um 13:49 schrieb Stian Thorgersen : > >>> > >>> Does it seem that it is valid, or is it valid? It should only be usable > >>> once. > >>> > >>> ----- Original Message ----- > >>>> From: "Niko K?bler" > >>>> To: keycloak-user at lists.jboss.org > >>>> Sent: Thursday, 16 July, 2015 1:45:43 PM > >>>> Subject: [keycloak-user] Login user action lifespan > >>>> > >>>> Hi, > >>>> > >>>> you can set the ?login user action lifespan? in realm settings for the > >>>> time > >>>> the link is valid for a user to set a password (or other tasks). > >>>> This link seems to be valid and working even if the user has clicked on > >>>> it > >>>> and has done the tasks. > >>>> > >>>> Is it possible to configure this link to be valid only once during its > >>>> lifespan ? Or at least to be invalid as soon the user has set his > >>>> password/done the login actions? > >>>> Otherwise this link could be used to change the password again, after > >>>> the > >>>> user has already set his password - possibly from third persons who got > >>>> known of this link. May be a security issue? 
> >>>> > >>>> Thanks & regards, > >>>> - Niko > >>>> _______________________________________________ > >>>> keycloak-user mailing list > >>>> keycloak-user at lists.jboss.org > >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > >> > > From niko at n-k.de Thu Jul 16 08:30:31 2015 From: niko at n-k.de (=?utf-8?Q?Niko_K=C3=B6bler?=) Date: Thu, 16 Jul 2015 14:30:31 +0200 Subject: [keycloak-user] Login user action lifespan In-Reply-To: <419710240.39951220.1437049577286.JavaMail.zimbra@redhat.com> References: <1975433364.39935626.1437047356353.JavaMail.zimbra@redhat.com> <1183082353.39938730.1437048015347.JavaMail.zimbra@redhat.com> <419710240.39951220.1437049577286.JavaMail.zimbra@redhat.com> Message-ID: sorry, I forgot to mention this step, I actually changed the password (set it the first time) In the meantime I tried this loop (click link in mail, change password, log in) more than 5 times? it still works! > Am 16.07.2015 um 14:26 schrieb Stian Thorgersen : > > > > ----- Original Message ----- >> From: "Niko K?bler" >> To: "Stian Thorgersen" >> Cc: keycloak-user at lists.jboss.org >> Sent: Thursday, 16 July, 2015 2:24:40 PM >> Subject: Re: [keycloak-user] Login user action lifespan >> >> We are still on 1.2.0 >> >> Steps to reproduce: >> - create a user via Admin API >> - trigger to send the password-reset mail via Admin API >> - click on the link in the mail to set the password >> - try to log in -> works > > Have you actually changed the password here, or just log in? > >> - go back to your mails, click again on the password-reset link in the mail >> - change your password >> - try to log in with old password -> doesn?t work >> - try to log in with new password -> works >> - and so on? >> >> >> >>> Am 16.07.2015 um 14:00 schrieb Stian Thorgersen : >>> >>> That's definitively not correct behavior. What version are you on? Can you >>> give me exact steps to reproduce? 
>>> >>> ----- Original Message ----- >>>> From: "Niko K?bler" >>>> To: "Stian Thorgersen" >>>> Cc: keycloak-user at lists.jboss.org >>>> Sent: Thursday, 16 July, 2015 1:58:21 PM >>>> Subject: Re: [keycloak-user] Login user action lifespan >>>> >>>> It is valid. >>>> I can change my password again and again? >>>> >>>> >>>>> Am 16.07.2015 um 13:49 schrieb Stian Thorgersen : >>>>> >>>>> Does it seem that it is valid, or is it valid? It should only be usable >>>>> once. >>>>> >>>>> ----- Original Message ----- >>>>>> From: "Niko K?bler" >>>>>> To: keycloak-user at lists.jboss.org >>>>>> Sent: Thursday, 16 July, 2015 1:45:43 PM >>>>>> Subject: [keycloak-user] Login user action lifespan >>>>>> >>>>>> Hi, >>>>>> >>>>>> you can set the ?login user action lifespan? in realm settings for the >>>>>> time >>>>>> the link is valid for a user to set a password (or other tasks). >>>>>> This link seems to be valid and working even if the user has clicked on >>>>>> it >>>>>> and has done the tasks. >>>>>> >>>>>> Is it possible to configure this link to be valid only once during its >>>>>> lifespan ? Or at least to be invalid as soon the user has set his >>>>>> password/done the login actions? >>>>>> Otherwise this link could be used to change the password again, after >>>>>> the >>>>>> user has already set his password - possibly from third persons who got >>>>>> known of this link. May be a security issue? 
>>>>>> >>>>>> Thanks & regards, >>>>>> - Niko >>>>>> _______________________________________________ >>>>>> keycloak-user mailing list >>>>>> keycloak-user at lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>>> >> >> From stian at redhat.com Thu Jul 16 08:32:54 2015 From: stian at redhat.com (Stian Thorgersen) Date: Thu, 16 Jul 2015 08:32:54 -0400 (EDT) Subject: [keycloak-user] Login user action lifespan In-Reply-To: References: <1975433364.39935626.1437047356353.JavaMail.zimbra@redhat.com> <1183082353.39938730.1437048015347.JavaMail.zimbra@redhat.com> <419710240.39951220.1437049577286.JavaMail.zimbra@redhat.com> Message-ID: <1564913279.39954412.1437049974810.JavaMail.zimbra@redhat.com> Can you create a JIRA for this please? ----- Original Message ----- > From: "Niko K?bler" > To: "Stian Thorgersen" > Cc: keycloak-user at lists.jboss.org > Sent: Thursday, 16 July, 2015 2:30:31 PM > Subject: Re: [keycloak-user] Login user action lifespan > > sorry, I forgot to mention this step, I actually changed the password (set it > the first time) > > In the meantime I tried this loop (click link in mail, change password, log > in) more than 5 times? it still works! > > > > Am 16.07.2015 um 14:26 schrieb Stian Thorgersen : > > > > > > > > ----- Original Message ----- > >> From: "Niko K?bler" > >> To: "Stian Thorgersen" > >> Cc: keycloak-user at lists.jboss.org > >> Sent: Thursday, 16 July, 2015 2:24:40 PM > >> Subject: Re: [keycloak-user] Login user action lifespan > >> > >> We are still on 1.2.0 > >> > >> Steps to reproduce: > >> - create a user via Admin API > >> - trigger to send the password-reset mail via Admin API > >> - click on the link in the mail to set the password > >> - try to log in -> works > > > > Have you actually changed the password here, or just log in? 
> > > >> - go back to your mails, click again on the password-reset link in the > >> mail > >> - change your password > >> - try to log in with old password -> doesn't work > >> - try to log in with new password -> works > >> - and so on... > >> > >> > >> > >>> On 16.07.2015 at 14:00, Stian Thorgersen wrote: > >>> > >>> That's definitively not correct behavior. What version are you on? Can > >>> you > >>> give me exact steps to reproduce? > >>> > >>> ----- Original Message ----- > >>>> From: "Niko Köbler" > >>>> To: "Stian Thorgersen" > >>>> Cc: keycloak-user at lists.jboss.org > >>>> Sent: Thursday, 16 July, 2015 1:58:21 PM > >>>> Subject: Re: [keycloak-user] Login user action lifespan > >>>> > >>>> It is valid. > >>>> I can change my password again and again... > >>>> > >>>> > >>>>> On 16.07.2015 at 13:49, Stian Thorgersen wrote: > >>>>> > >>>>> Does it seem that it is valid, or is it valid? It should only be usable > >>>>> once. > >>>>> > >>>>> ----- Original Message ----- > >>>>>> From: "Niko Köbler" > >>>>>> To: keycloak-user at lists.jboss.org > >>>>>> Sent: Thursday, 16 July, 2015 1:45:43 PM > >>>>>> Subject: [keycloak-user] Login user action lifespan > >>>>>> > >>>>>> Hi, > >>>>>> > >>>>>> you can set the "login user action lifespan" in realm settings for the > >>>>>> time > >>>>>> the link is valid for a user to set a password (or other tasks). > >>>>>> This link seems to be valid and working even if the user has clicked > >>>>>> on > >>>>>> it > >>>>>> and has done the tasks. > >>>>>> > >>>>>> Is it possible to configure this link to be valid only once during its > >>>>>> lifespan? Or at least to be invalid as soon as the user has set his > >>>>>> password/done the login actions? > >>>>>> Otherwise this link could be used to change the password again, after > >>>>>> the > >>>>>> user has already set his password - possibly by third persons who > >>>>>> got > >>>>>> to know this link. May be a security issue?
> >>>>>> > >>>>>> Thanks & regards, > >>>>>> - Niko > >>>> > >>>> > >> > >> > >

From niko at n-k.de Thu Jul 16 08:44:05 2015
From: niko at n-k.de (Niko Köbler)
Date: Thu, 16 Jul 2015 14:44:05 +0200
Subject: [keycloak-user] Login user action lifespan
In-Reply-To: <1564913279.39954412.1437049974810.JavaMail.zimbra@redhat.com>
References: <1975433364.39935626.1437047356353.JavaMail.zimbra@redhat.com> <1183082353.39938730.1437048015347.JavaMail.zimbra@redhat.com> <419710240.39951220.1437049577286.JavaMail.zimbra@redhat.com> <1564913279.39954412.1437049974810.JavaMail.zimbra@redhat.com>
Message-ID:

Done. https://issues.jboss.org/browse/KEYCLOAK-1576 Thanks!

> On 16.07.2015 at 14:32, Stian Thorgersen wrote: > > Can you create a JIRA for this please? > > ----- Original Message ----- >> From: "Niko Köbler" >> To: "Stian Thorgersen" >> Cc: keycloak-user at lists.jboss.org >> Sent: Thursday, 16 July, 2015 2:30:31 PM >> Subject: Re: [keycloak-user] Login user action lifespan >> >> sorry, I forgot to mention this step, I actually changed the password (set it >> the first time) >> >> In the meantime I tried this loop (click link in mail, change password, log >> in) more than 5 times... it still works!
>> >> >>> On 16.07.2015 at 14:26, Stian Thorgersen wrote: >>> >>> >>> >>> ----- Original Message ----- >>>> From: "Niko Köbler" >>>> To: "Stian Thorgersen" >>>> Cc: keycloak-user at lists.jboss.org >>>> Sent: Thursday, 16 July, 2015 2:24:40 PM >>>> Subject: Re: [keycloak-user] Login user action lifespan >>>> >>>> We are still on 1.2.0 >>>> >>>> Steps to reproduce: >>>> - create a user via Admin API >>>> - trigger to send the password-reset mail via Admin API >>>> - click on the link in the mail to set the password >>>> - try to log in -> works >>> >>> Have you actually changed the password here, or just logged in? >>> >>>> - go back to your mails, click again on the password-reset link in the >>>> mail >>>> - change your password >>>> - try to log in with old password -> doesn't work >>>> - try to log in with new password -> works >>>> - and so on... >>>> >>>> >>>> >>>>> On 16.07.2015 at 14:00, Stian Thorgersen wrote: >>>>> >>>>> That's definitively not correct behavior. What version are you on? Can >>>>> you >>>>> give me exact steps to reproduce? >>>>> >>>>> ----- Original Message ----- >>>>>> From: "Niko Köbler" >>>>>> To: "Stian Thorgersen" >>>>>> Cc: keycloak-user at lists.jboss.org >>>>>> Sent: Thursday, 16 July, 2015 1:58:21 PM >>>>>> Subject: Re: [keycloak-user] Login user action lifespan >>>>>> >>>>>> It is valid. >>>>>> I can change my password again and again... >>>>>> >>>>>> >>>>>>> On 16.07.2015 at 13:49, Stian Thorgersen wrote: >>>>>>> >>>>>>> Does it seem that it is valid, or is it valid? It should only be usable >>>>>>> once. >>>>>>> >>>>>>> ----- Original Message ----- >>>>>>>> From: "Niko Köbler" >>>>>>>> To: keycloak-user at lists.jboss.org >>>>>>>> Sent: Thursday, 16 July, 2015 1:45:43 PM >>>>>>>> Subject: [keycloak-user] Login user action lifespan >>>>>>>> >>>>>>>> Hi, >>>>>>>> >>>>>>>> you can set the "login user action lifespan" in realm settings for the >>>>>>>> time >>>>>>>> the link is valid for a user to set a password (or other tasks).
>>>>>>>> This link seems to be valid and working even if the user has clicked >>>>>>>> on >>>>>>>> it >>>>>>>> and has done the tasks. >>>>>>>> >>>>>>>> Is it possible to configure this link to be valid only once during its >>>>>>>> lifespan? Or at least to be invalid as soon as the user has set his >>>>>>>> password/done the login actions? >>>>>>>> Otherwise this link could be used to change the password again, after >>>>>>>> the >>>>>>>> user has already set his password - possibly by third persons who >>>>>>>> got >>>>>>>> to know this link. May be a security issue? >>>>>>>> >>>>>>>> Thanks & regards, >>>>>>>> - Niko >>>>>> >>>>>> >>>> >>>> >> >>

From juraci at kroehling.de Thu Jul 16 11:04:18 2015
From: juraci at kroehling.de (Juraci Paixão Kröhling)
Date: Thu, 16 Jul 2015 17:04:18 +0200
Subject: [keycloak-user] Login timeout
In-Reply-To: <55A6D9A5.7030000@redhat.com>
References: <55A66206.1040002@kroehling.de> <55A6D9A5.7030000@redhat.com>
Message-ID: <55A7C7F2.3030808@kroehling.de>

Bill,

Thanks for your answer. While I understand what happens in the background, I still have some concerns about the user experience of this process. More inline.

On 07/16/2015 12:07 AM, Bill Burke wrote: > Yeah, we are fixing timeouts a little. There are 2 timeouts: Timeout > of a login action. This happens if you take too long in the login > process. In this case the login session is still active in memory. > What we'll do is just redirect the user to the login screen to start > over and give them this error message. "You took too long to login. > Please restart login process.".
For this timeout, I don't see a reason why it can't just start a fresh login session and perform the login with the provided credentials. I have the basic scenario in mind, and I realize that this might not *always* be possible, but the server should know which scenarios are possible and which aren't, right? From the user's perspective, I can't understand why my credentials weren't accepted the first time, but accepted the second time, a couple of seconds later.

> Next one is timeout of the session. When this happens, we have no > information on how to complete the login. Information like the SAML > Request or OIDC query parameters. In this case we will be redirecting > back to the client. Client will choose whether to restart > authentication over or not.

This seems trickier, but similar to the above: the server knows (based on the realm) if just starting a new session is enough, no?

> I'm not sure we can fix this. If there is a session timeout, we have no > information on how to complete the authentication as this information > has been wiped out. So the only option is to redirect back to the > client in this situation.

Actually, the user is *not* redirected back to the original application. Entering the login/password again will just do the right thing: the user will be logged in, and then redirected back to the original application.

- Juca.

From bburke at redhat.com Thu Jul 16 12:41:38 2015
From: bburke at redhat.com (Bill Burke)
Date: Thu, 16 Jul 2015 12:41:38 -0400
Subject: [keycloak-user] Login timeout
In-Reply-To: <55A7C7F2.3030808@kroehling.de>
References: <55A66206.1040002@kroehling.de> <55A6D9A5.7030000@redhat.com> <55A7C7F2.3030808@kroehling.de>
Message-ID: <55A7DEC2.9010304@redhat.com>

On 7/16/2015 11:04 AM, Juraci Paixão Kröhling wrote: > Bill, > > Thanks for your answer. While I understand what happens in the > background, I still have some concerns about the user experience of this > process. More inline.
> > On 07/16/2015 12:07 AM, Bill Burke wrote: >> Yeah, we are fixing timeouts a little. There are 2 timeouts: Timeout >> of a login action. This happens if you take too long in the login >> process. In this case the login session is still active in memory. >> What we'll do is just redirect the user to the login screen to start >> over and give them this error message. "You took too long to login. >> Please restart login process.". > > For this timeout, I don't see a reason why it can't just start a fresh > login session and perform the login with the provided credentials. I'm > with the basic scenario in mind, and I realize that this might not > *always* be possible, but the server should know which scenarios are > possible and which aren't, right? From the user's perspective, I can't > understand why my credentials weren't accepted on the first time, but > accepted on the second time, a couple of seconds later. > Honestly you're just going to have to deal with it. If you don't like this timeout, then just set it to be the same as the session timeout and you will never see this message. It works the way it works because keycloak is making sure you are not trying to hack and skip around the authentication flow. Even though the username/password screen may be the first thing the user sees, there's other optional non-browser authenticators that could have run: i.e. kerberos. Kerberos requires one or more challenge/response messages with the browser. The authentication implementation would become just way too complex to support this edge case. >> Next one is timeout of the session. When this happens, we have no >> information on how to complete the login. Information like the SAML >> Request or OIDC query parameters. In this case we will be redirecting >> back to the client. Client will choose whether to restart >> authentication over or not. 
> > This seems trickier, but similar to the above: the server knows (based > on the realm) if just starting a new session is enough, no? > If the server session times out, it is removed. Information that is needed to complete authentication with the client is completely gone (i.e. information in the original SAML Request (session ids from the client, relay state, callback url, name-id format). Redirect URI and state parameters for OIDC). The session also keeps track of the state of the authentication flow. For example, login could be a multi-step process: 1. client-cert validation 2. username/password 3. OTP You could be on step #3 when the server session times out. I'm sorry, but there is no avoiding starting over authentication in this scenario. I could look to store some of the initial request metadata in a cookie to avoid having to redirect back to client. But I'm worried that the info might be too large. I'm also worried about the security implications of a cookie like this because SAML Requests can be signed and verified. Stale cookies might create sneaky vulnerabilities, etc... >> I'm not sure we can fix this. If there is a session timeout, we have no >> information on how to complete the authentication as this information >> has been wiped out. So the only option is to redirect back to the >> client in this situation. > > Actually, the user is *not* redirected back to the original application. > Entering the login/password again will just do the right thing: the user > will be logged in, and then redirected back to the original application. > Right now, there is an error screen message when this happens. We are fixing this so that the clientId is stored in the session code so that there can be a link "back to application". 
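The two lifespans and the no-skipping rule Bill describes above, together with the single-use reset link Niko asked for in the "Login user action lifespan" thread, as an added example that is not part of this thread and not Keycloak code. The step order (client-cert, password, OTP), the lifespan values, the class names and the `attempt` helper are assumptions chosen for illustration; the point is that an action timeout can restart the same session, while a session timeout destroys the client context (redirect URI, state, flow position) and can only be recovered by going back to the client, and that a reset token stored server-side can be burned on first use.

```python
"""Server-side login state with two lifespans, plus a single-use reset link.

Added example, not Keycloak code: step order, lifespans and names are
assumptions for illustration.
"""
import secrets
import time
from dataclasses import dataclass, field


class LoginError(Exception):
    """A step was attempted out of order or after a lifespan ran out."""


@dataclass
class LoginSession:
    """One in-flight authentication, bound to the client that started it."""
    client_id: str
    redirect_uri: str   # client context that lives only inside this session
    state: str
    flow: tuple = ("client-cert", "password", "otp")   # assumed step order
    action_lifespan: float = 300.0    # seconds allowed for each step
    session_lifespan: float = 1800.0  # seconds the whole attempt may live
    created: float = field(default_factory=time.time)
    last_action: float = field(default_factory=time.time)
    completed: list = field(default_factory=list)

    def advance(self, step, now=None):
        """Record `step` as done; return True once the flow is complete."""
        now = time.time() if now is None else now
        if now - self.created > self.session_lifespan:
            # The session is gone, and with it redirect_uri, state and the
            # flow position: nothing can finish this attempt, the client
            # has to start a new one.
            raise LoginError("session expired: go back to the client")
        if now - self.last_action > self.action_lifespan:
            # The session still exists, so the server can say "you took too
            # long" and restart the same session from its first step.
            self.completed.clear()
            self.last_action = now
            raise LoginError("action expired: restart login")
        if len(self.completed) == len(self.flow):
            raise LoginError("flow already complete")
        expected = self.flow[len(self.completed)]
        if step != expected:
            # Refuse to let a client skip ahead (e.g. straight to OTP).
            raise LoginError(f"expected step {expected!r}, got {step!r}")
        self.completed.append(step)
        self.last_action = now
        return len(self.completed) == len(self.flow)


def attempt(session, step, now):
    """Outcome of one step as a string: 'continue', 'done' or the error."""
    try:
        return "done" if session.advance(step, now) else "continue"
    except LoginError as exc:
        return str(exc)


class ActionTokenStore:
    """Reset-password links that die on first use or at end of lifespan."""

    def __init__(self, lifespan):
        self.lifespan = lifespan
        self._tokens = {}   # token -> (username, issued_at)

    def issue(self, username, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # 256 random bits, unguessable
        self._tokens[token] = (username, now)
        return token

    def consume(self, token, now=None):
        """Return the username for a valid token and burn it; None otherwise."""
        now = time.time() if now is None else now
        entry = self._tokens.pop(token, None)   # pop: a second click finds nothing
        if entry is None:
            return None
        username, issued_at = entry
        if now - issued_at > self.lifespan:
            return None
        return username
```

The reset-link half is the behaviour KEYCLOAK-1576 asks for: the token is removed from the store the moment it is consumed, so re-clicking the mail link after the password has been set yields nothing, and the lifespan still bounds an unused link.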
-- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From jdcasey at commonjava.org Thu Jul 16 12:50:23 2015 From: jdcasey at commonjava.org (John Casey) Date: Thu, 16 Jul 2015 11:50:23 -0500 Subject: [keycloak-user] help with bearer + basic auth In-Reply-To: <55A692F0.2000807@commonjava.org> References: <55A52B9D.9060704@commonjava.org> <55A52F85.3000709@kroehling.de> <55A53305.7090403@commonjava.org> <55A535CC.7080805@redhat.com> <55A561C2.2040708@commonjava.org> <699457916.39128725.1436944675968.JavaMail.zimbra@redhat.com> <55A6799A.2060605@commonjava.org> <55A682AE.30400@kroehling.de> <55A692F0.2000807@commonjava.org> Message-ID: <55A7E0CF.2010203@commonjava.org> So, I've gone back to using this basic-auth translator to inject a bearer token, after wrestling with it for a couple of days. It's probably wrong (there's probably some way to do what I need to with enable-basic-auth) but I'm out of time for now. I've marked the code with some notes about the problems I'm seeing trying to do it the right way... What I'm wondering now is if it'd be a massive security problem if I injected a RESPONSE header with the token in it when the basic-auth translator runs. This would enable my java client api to use basic auth then save the bearer token and use that for future calls. It might save a little bit in backend round-trips to the keycloak server. But I don't want to open up a gaping security hole... Thanks, -john -- John Casey --- GitHub: https://github.com/jdcasey/ Twitter: http://twitter.com/buildchimp From ed.hillmann at gmail.com Mon Jul 20 01:15:43 2015 From: ed.hillmann at gmail.com (Ed Hillmann) Date: Mon, 20 Jul 2015 15:15:43 +1000 Subject: [keycloak-user] When using an IdentityBroker Message-ID: Hi, I'm going through the most recent doco, and I'm looking at the IdentityBroker section. So, having gone through the walkthrough, can someone tell me if I'm on the right track. 
So, step #8 states that "Keycloak is going to check if the response from the identity provider is valid. If valid, it will create an user or just skip that if the user already exists". Does that mean that KeyCloak will have a User, against which roles can be mapped? This will be a user that would be, for example, displayed in the admin console just like any locally-defined User? I'm trying to piece this all together, from where we can start assigning roles to these users whose authentication has been performed by an external IdentityProvider. Following on from that, the user would continue to authenticate against the Identity Provider? If they already exist, that's mentioned later on in the same text where the accounts are linked? If I've got this wrong, please let me know. :) Thanks for any help, Ed

From stian at redhat.com Mon Jul 20 01:32:27 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 20 Jul 2015 01:32:27 -0400 (EDT)
Subject: [keycloak-user] When using an IdentityBroker
In-Reply-To:
References:
Message-ID: <1172621532.314546.1437370347265.JavaMail.zimbra@redhat.com>

----- Original Message ----- > From: "Ed Hillmann" > To: keycloak-user at lists.jboss.org > Sent: Monday, 20 July, 2015 7:15:43 AM > Subject: [keycloak-user] When using an IdentityBroker > > Hi, I'm going through the most recent doco, and I'm looking at the > IdentityBroker section. So, having gone through the walkthrough, can someone > tell me if I'm on the right track. > > So, step #8 states that "Keycloak is going to check if the response from the > identity provider is valid. If valid, it will create an user or just skip > that if the user already exists". > > Does that mean that KeyCloak will have a User, against which roles can be > mapped?
This will be a user that would be, for example, displayed in the > admin console just like any locally-defined User?

Yes

> > I'm trying to piece this all together, from where we can start assigning > roles to these users whose authentication has been performed by an external > IdentityProvider. > > Following on from that, the user would continue to authenticate against the > Identity Provider? If they already exist, that's mentioned later on in the > same text where the accounts are linked?

There is no automatic linking of accounts. There are two scenarios basically:

* A user with the same email address exists - in this case an error message is displayed to the user and the user would have to log in to account management and link to the identity provider from there
* The user has already logged in with the identity provider - in this case a user is already linked to the identity provider and the user is logged in

The same user can also authenticate with different methods. It's possible to log in to the same account with username/password as well as multiple identity providers (linked through account management).

With regards to setting up roles, these can either be added through the admin console manually or added automatically, either by using default roles or using mappers.

> > If I've got this wrong, please let me know. :) > > Thanks for any help, > Ed

From ed.hillmann at gmail.com Mon Jul 20 20:13:12 2015
From: ed.hillmann at gmail.com (Ed Hillmann)
Date: Tue, 21 Jul 2015 10:13:12 +1000
Subject: [keycloak-user] When using an IdentityBroker
In-Reply-To: <1172621532.314546.1437370347265.JavaMail.zimbra@redhat.com>
References: <1172621532.314546.1437370347265.JavaMail.zimbra@redhat.com>
Message-ID:

Hi Stian. Thanks very much for the clarification. I think I better understand how the users are federated.
With respect to the following statement in the document (section 9.1) ...

> When using Keycloak as an identity broker, users are not forced to provide their credentials in order to authenticate in a specific realm.

Does that mean that users can be authenticated without providing a specific Realm? I presume you still need to use a Realm to support role mapping, but can a federated, authenticated user be ported across Realms?

The context of my question is this: I'm trying to get my head around multi-tenancy. I am looking at the feasibility of having a single deployment of an application that supports multiple tenants, with the Identity Provider reliant on the user logging in. So, users 1-10 are from Site A and want to use Identity Provider A, 11-20 are from Site B and want to use Identity Provider B. Sites A & B have their own Realm, so roles can be defined as they want. There's also a desire for a user to be able to have access to Sites A and B (not at the same time) with potentially different permissions/roles. But, that's later down the track.

If the application can somehow handle associating a user with the sites they are allowed to access, then it could also manage the Realm to use (hopefully, using the Classes/Interfaces specified in the Multi-Tenancy section of the doco). But, does that mean that the user would log in (authenticate) first and then pick which site (and thus which Realm) they want to view? Can that initial authentication, when using an Identity Broker, take place without specifying a Realm? Or is there a default Realm which is used first, with the subsequent tokens passed on to the other Realms accessed (if that's even a thing)?

Or, will we have to select, up front, the Site (ie, Realm) they want to access before they work through the authentication workflow?

Sorry for the lengthy question.
Thanks, Ed

On Mon, Jul 20, 2015 at 3:32 PM, Stian Thorgersen wrote: > > > ----- Original Message ----- > > From: "Ed Hillmann" > > To: keycloak-user at lists.jboss.org > > Sent: Monday, 20 July, 2015 7:15:43 AM > > Subject: [keycloak-user] When using an IdentityBroker > > > > Hi, I'm going through the most recent doco, and I'm looking at the > > IdentityBroker section. So, having gone through the walkthrough, can > someone > > tell me if I'm on the right track. > > > > So, step #8 states that "Keycloak is going to check if the response from > the > > identity provider is valid. If valid, it will create an user or just skip > > that if the user already exists". > > > > Does that mean that KeyCloak will have a User, against which roles can be > > mapped? This will be a user that would be, for example, displayed in the > > admin console just like any locally-defined User? > > Yes > > > > > I'm trying to piece this all together, from where we can start assigning > > roles to these users whose authentication has been performed by an > external > > IdentityProvider. > > > > Following on from that, the user would continue to authenticate against > the > > Identity Provider? If they already exist, that's mentioned later on in > the > > same text where the accounts are linked? > > There is no automatic linking of accounts. There are two scenarios > basically: > > * A user with the same email address exists - in this case an error message is > displayed to the user and the user would have to log in to account management > and link to the identity provider from there > * The user has already logged in with the identity provider - in this case > a user is already linked to the identity provider and the user is logged in > > The same user can also authenticate with different methods. It's possible > to log in to the same account with username/password as well as multiple > identity providers (linked through account management).
> > With regards to setting up roles, these can either be added through the admin > console manually or added automatically, either by using default roles or > using mappers. > > > > > If I've got this wrong, please let me know. :) > > > > Thanks for any help, > > Ed >

From stian at redhat.com Tue Jul 21 02:33:02 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 21 Jul 2015 02:33:02 -0400 (EDT)
Subject: [keycloak-user] When using an IdentityBroker
In-Reply-To:
References: <1172621532.314546.1437370347265.JavaMail.zimbra@redhat.com>
Message-ID: <84840846.1323651.1437460382844.JavaMail.zimbra@redhat.com>

----- Original Message ----- > From: "Ed Hillmann" > To: "Stian Thorgersen" > Cc: keycloak-user at lists.jboss.org > Sent: Tuesday, 21 July, 2015 2:13:12 AM > Subject: Re: [keycloak-user] When using an IdentityBroker > > Hi Stian. Thanks very much for the clarification. I think I better > understand how the users are federated. > > With respect to the following statement in the document (section 9.1) ... > > When using Keycloak as an identity broker, users are not forced to provide > > their credentials in order to authenticate in a specific realm. > > Does that mean that users can be authenticated without providing a specific > Realm? I presume you still need to use a Realm to support role mapping, > but can a federated, authenticated user be ported across Realms? > > The context of my question is this: I'm trying to get my head around > multi-tenancy.
I am looking at the feasibility of having a single > deployment of an application that supports multiple tenants, with the > Identity Provider reliant on the user logging in. So, users 1-10 are from > Site A and want to use Identity Provider A, 11-20 are from Site B and want > to use Identity Provider B. Sites A & B have their own Realm, so roles can > be defined as they want. There's also a desire for a user to be able to > have access to Sites A and B (not at the same time) with potentially > different permissions/roles. But, that's later down the track. > > If the application can somehow handle associating a user with the sites > they are allowed to access, then it could also manage the Realm to use > (hopefully, using the Classes/Interfaces specified in the Multi-Tenancy > section of the doco). But, does that mean that the user would log in > (authenticate) first and then pick which site (and thus which Realm) they > want to view? Can that initial authentication, when using an Identity > Broker, take place without specifying a Realm? Or is there a default Realm > which is used first, with the subsequent tokens passed on to the other > Realms accessed (if that's even a thing)? > > Or, will we have to select, up front, the Site (ie, Realm) they want to access > before they work through the authentication workflow? > > Sorry for the lengthy question.

Users (and all config) are within the scope of a single realm. So a user can only authenticate with one realm. You can use identity brokering to let a user log in with the credentials of another realm though. For example, in your case a user on site A can log in to site B if site A is configured as an identity provider on site B.
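Stian's two answers above (no automatic linking of accounts by e-mail, and users scoped to one realm with realm A configured as an identity provider of realm B), as an added example that is not part of this thread and not Keycloak code. The realm and provider names, the `LinkRequired` outcome, the claim-to-role mapper shape and the demo helpers are assumptions; the security point is that a matching e-mail address from an identity provider is never enough to attach a login to an existing local account, because whoever controls an IdP account with that address could otherwise take the local account over.

```python
"""Brokered login: no automatic linking by e-mail, users scoped to one realm,
realm A used as an identity provider of realm B.

Added example, not Keycloak code: names and mapper shape are assumptions.
"""
from dataclasses import dataclass, field


class LinkRequired(Exception):
    """A local user with this e-mail exists but is not linked to the IdP; the
    user must log in locally and link the provider in account management."""


@dataclass
class User:
    username: str
    email: str
    roles: set = field(default_factory=set)


@dataclass
class Realm:
    """Users, IdP links and IdP configuration all live inside one realm."""
    name: str
    default_roles: set = field(default_factory=set)
    users: dict = field(default_factory=dict)    # username -> User
    links: dict = field(default_factory=dict)    # (idp_alias, external_id) -> username
    mappers: dict = field(default_factory=dict)  # idp_alias -> {claim: role}

    def broker_login(self, idp_alias, external_id, email, claims=None):
        """Called after the IdP response has been verified as valid."""
        key = (idp_alias, external_id)
        if key in self.links:                       # already linked: log in
            return self.users[self.links[key]]
        for user in self.users.values():            # same e-mail, not linked
            if user.email.lower() == email.lower():
                # Trusting the e-mail here would let anyone who controls an
                # IdP account with that address take over the local user.
                raise LinkRequired(
                    f"{email} already exists in realm {self.name}; "
                    f"link {idp_alias} from account management")
        # First login through this IdP: create the user, apply default roles
        # and mapper roles, and remember the link for next time.
        user = User(username=email.lower(), email=email,
                    roles=set(self.default_roles))
        for claim, role in self.mappers.get(idp_alias, {}).items():
            if (claims or {}).get(claim):
                user.roles.add(role)
        self.users[user.username] = user
        self.links[key] = user.username
        return user

    def link(self, username, idp_alias, external_id):
        """Explicit link made by an already logged-in user."""
        if username not in self.users:
            raise KeyError(username)
        self.links[(idp_alias, external_id)] = username


def login_outcome(realm, idp_alias, external_id, email, claims=None):
    """('ok', user) or ('link-required', None), for demos and tests."""
    try:
        return "ok", realm.broker_login(idp_alias, external_id, email, claims)
    except LinkRequired:
        return "link-required", None


def cross_realm_demo():
    """Site A's realm acts as IdP 'realm-a' for site B: alice from A gets her
    own, separately scoped user and roles in B."""
    site_a = Realm("site-a", default_roles={"employee"})
    site_a.users["alice"] = User("alice", "alice@example.test", {"employee"})
    site_b = Realm("site-b", default_roles={"viewer"},
                   mappers={"realm-a": {"is_admin": "site-b-admin"}})
    # Realm A would hand B a verified token; the claims here are constructed.
    status, alice_in_b = login_outcome(site_b, "realm-a", "alice",
                                       "alice@example.test", {"is_admin": True})
    return site_a, site_b, status, alice_in_b
```

Note that after the brokered login alice exists twice, once per realm, with independent role sets; that is the "users are within the scope of a single realm" rule, and it is why a second provider presenting the same address in realm B is refused until alice links it herself.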
> > Thanks, > > Ed > > On Mon, Jul 20, 2015 at 3:32 PM, Stian Thorgersen wrote: > > > > > > > > ----- Original Message ----- > > > From: "Ed Hillmann" > > > To: keycloak-user at lists.jboss.org > > > Sent: Monday, 20 July, 2015 7:15:43 AM > > > Subject: [keycloak-user] When using an IdentityBroker > > > > > > Hi, I'm going through the most recent doco, and I'm looking at the > > > IdentityBroker section. So, having gone through the walkthrough, can > > someone > > > tell me if I'm on the right track. > > > > > > So, step #8 states that "Keycloak is going to check if the response from > > the > > > identity provider is valid. If valid, it will create an user or just skip > > > that if the user already exists". > > > > > > Does that mean that KeyCloak will have a User, against which roles can be > > > mapped? This will be a user that would be, for example, displayed in the > > > admin console just like any locally-defined User? > > > > Yes > > > > > > > > I'm trying to piece this all together, from where we can start assigning > > > roles to these users whose authentication has been performed by an > > external > > > IdentityProvider. > > > > > > Following on from that, the user would continue to authenticate against > > the > > > Identity Provider? If they already exist, that's mentioned later on in > > the > > > same text where the accounts are linked? > > > > There is no automatic linking of accounts. There are two scenarios > > basically: > > > > * A user with the same email address exists - in this case an error message is > > displayed to the user and the user would have to log in to account management > > and link to the identity provider from there > > * The user has already logged in with the identity provider - in this case > > a user is already linked to the identity provider and the user is logged in > > > > The same user can also authenticate with different methods.
It's possible > > to log in to the same account with username/password as well as multiple > > identity providers (linked through account management). > > > > With regards to setting up roles, these can either be added through the admin > > console manually or added automatically, either by using default roles or > > using mappers. > > > > > > > > If I've got this wrong, please let me know. :) > > > > > > Thanks for any help, > > > Ed > > >

From Maurice.Quaedackers at planonsoftware.com Tue Jul 21 02:55:20 2015
From: Maurice.Quaedackers at planonsoftware.com (Maurice Quaedackers)
Date: Tue, 21 Jul 2015 08:55:20 +0200
Subject: [keycloak-user] Keycloak 1.3.1 Openshift cartridge
In-Reply-To: <16DCFFB91025EF4DB80D3ECCA6E097E46DAE559220@NL-MAIL02.planon-fm.com>
References: <16DCFFB91025EF4DB80D3ECCA6E097E46DAE558E3C@NL-MAIL02.planon-fm.com> <16DCFFB91025EF4DB80D3ECCA6E097E46DAE559220@NL-MAIL02.planon-fm.com>
Message-ID: <16DCFFB91025EF4DB80D3ECCA6E097E46FEF3F6525@NL-MAIL02.planon-fm.com>

Any news regarding the Keycloak 1.3.1 OpenShift cartridge?

Best regards,

Maurice Quaedackers

From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Maurice Quaedackers
Sent: Thursday, 9 July 2015 14:34
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak 1.3.1 Openshift cartridge

Sorry, I forgot to mention that I am looking for a Keycloak OpenShift 1.3.1 cartridge.

Best regards,

Maurice Quaedackers

From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Maurice Quaedackers
Sent: Thursday, 9 July 2015 11:34
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Keycloak 1.3.1 Openshift cartridge

Hello, Is a GitHub repository of Keycloak 1.3.1 available?
When I visit https://github.com/keycloak I can find the https://github.com/keycloak/openshift-keycloak-cartridge repository, but there is no 1.3.1 version available. Can a 1.3.1 version be added, or can you point me in the correct direction?

Thank you very much in advance,

Best regards
Maurice Quaedackers

From stian at redhat.com Tue Jul 21 03:04:04 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 21 Jul 2015 03:04:04 -0400 (EDT)
Subject: [keycloak-user] Keycloak 1.3.1 Openshift cartridge
In-Reply-To: <16DCFFB91025EF4DB80D3ECCA6E097E46FEF3F6525@NL-MAIL02.planon-fm.com>
References: <16DCFFB91025EF4DB80D3ECCA6E097E46DAE558E3C@NL-MAIL02.planon-fm.com> <16DCFFB91025EF4DB80D3ECCA6E097E46DAE559220@NL-MAIL02.planon-fm.com> <16DCFFB91025EF4DB80D3ECCA6E097E46FEF3F6525@NL-MAIL02.planon-fm.com>
Message-ID: <23878533.1335031.1437462244697.JavaMail.zimbra@redhat.com>

I'll get it done today

----- Original Message ----- > From: "Maurice Quaedackers" > To: keycloak-user at lists.jboss.org > Sent: Tuesday, 21 July, 2015 8:55:20 AM > Subject: Re: [keycloak-user] Keycloak 1.3.1 Openshift cartridge > > > > Any news regarding the Keycloak 1.3.1 OpenShift cartridge? > > > > > Best regards, > > > > Maurice Quaedackers > > > > > > From: keycloak-user-bounces at lists.jboss.org > [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Maurice > Quaedackers > Sent: Thursday, 9 July 2015 14:34 > To: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Keycloak 1.3.1 Openshift cartridge > > > > > Sorry, > > > > I forgot to mention that I am looking for a Keycloak OpenShift 1.3.1 > cartridge.
> > > > > Best regards, > > > > Maurice Quaedackers > > > > > > From: keycloak-user-bounces at lists.jboss.org [ > mailto:keycloak-user-bounces at lists.jboss.org ] On Behalf Of Maurice > Quaedackers > Sent: Thursday, 9 July 2015 11:34 > To: keycloak-user at lists.jboss.org > Subject: [keycloak-user] Keycloak 1.3.1 Openshift cartridge > > > > > Hello, > > > > Is a GitHub repository of Keycloak 1.3.1 available? > > > > When I visit https://github.com/keycloak I can find the > https://github.com/keycloak/openshift-keycloak-cartridge repository, but > there is no 1.3.1 version available. > > > > Can a 1.3.1 version be added, or can you point me in the correct direction? > > > > Thank you very much in advance, > > > > Best regards > > Maurice Quaedackers > >

From stian at redhat.com Tue Jul 21 05:54:54 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 21 Jul 2015 05:54:54 -0400 (EDT)
Subject: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.3.1.Final
In-Reply-To: <885940784.1408605.1437472440055.JavaMail.zimbra@redhat.com>
Message-ID: <1525379670.1408788.1437472494893.JavaMail.zimbra@redhat.com>

Keycloak OpenShift Cartridge updated to 1.3.1.Final

From stan.ieugen at gmail.com Tue Jul 21 16:33:08 2015
From: stan.ieugen at gmail.com (Ioan Eugen Stan)
Date: Tue, 21 Jul 2015 23:33:08 +0300
Subject: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.3.1.Final
In-Reply-To: <1525379670.1408788.1437472494893.JavaMail.zimbra@redhat.com>
References: <1525379670.1408788.1437472494893.JavaMail.zimbra@redhat.com>
Message-ID: <55AEAC84.303@gmail.com>

I've tried it and it doesn't seem to work. The cartridge is started but no application is available, just a default OpenShift deployment instruction page.
Regards, From stan.ieugen at gmail.com Tue Jul 21 17:01:41 2015 From: stan.ieugen at gmail.com (Ioan Eugen Stan) Date: Wed, 22 Jul 2015 00:01:41 +0300 Subject: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.3.1.Final In-Reply-To: <55AEAC84.303@gmail.com> References: <1525379670.1408788.1437472494893.JavaMail.zimbra@redhat.com> <55AEAC84.303@gmail.com> Message-ID: <55AEB335.7020207@gmail.com> I found out that the keycloak is in fact running but it is not public by default. You can access it locally by forwarding the remote ports to your local ports: rhc port-forward keycloak and go to http://localhost:8080/ Any idea why keycloak is not publicly available by default? Is this an intended feature or a bug? Any hints on how to make it public are appreciated. Thanks, From sennatece at gmail.com Tue Jul 21 20:09:35 2015 From: sennatece at gmail.com (Senthil Nathan) Date: Tue, 21 Jul 2015 17:09:35 -0700 Subject: [keycloak-user] Keycloak - login into application Message-ID: Hi, I installed keycloak in a wildfly9 server and I deployed my application. When I accessed the home page of my application, I'm unable to log in using my application user. Can anybody help me with this? Thanks, Senthil
From stian at redhat.com Wed Jul 22 03:10:08 2015 From: stian at redhat.com (Stian Thorgersen) Date: Wed, 22 Jul 2015 03:10:08 -0400 (EDT) Subject: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.3.1.Final In-Reply-To: <55AEB335.7020207@gmail.com> References: <1525379670.1408788.1437472494893.JavaMail.zimbra@redhat.com> <55AEAC84.303@gmail.com> <55AEB335.7020207@gmail.com> Message-ID: <1091621274.2271286.1437549008652.JavaMail.zimbra@redhat.com> Are you deploying to a private OpenShift? It seems to work just fine on OpenShift Online. The cartridge is just the WildFly cartridge with Keycloak added on top; do you have the same issue with that? ----- Original Message ----- > From: "Ioan Eugen Stan" > To: keycloak-user at lists.jboss.org > Sent: Tuesday, 21 July, 2015 11:01:41 PM > Subject: Re: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.3.1.Final > > I found out that the keycloak is in fact running but it is not public by > default. You can access it locally by forwarding the remote ports to > your local ports: rhc port-forward keycloak and go to http://localhost:8080/ > > Any idea why keycloak is not publicly available by default? Is this an > intended feature or a bug? Any hints on how to make it public are > appreciated.
> > Thanks, > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From stian at redhat.com Wed Jul 22 03:10:41 2015 From: stian at redhat.com (Stian Thorgersen) Date: Wed, 22 Jul 2015 03:10:41 -0400 (EDT) Subject: [keycloak-user] Keycloak - login into application In-Reply-To: References: Message-ID: <1964953312.2271362.1437549041995.JavaMail.zimbra@redhat.com> You'll need to add a lot more information than this if we're going to be able to help you ----- Original Message ----- > From: "Senthil Nathan" > To: keycloak-user at lists.jboss.org > Sent: Wednesday, 22 July, 2015 2:09:35 AM > Subject: [keycloak-user] Keycloak - login into application > > Hi, > > I installed keycloak in a wildfly9 server and I deployed my application. When I > accessed the home page of my application, I'm unable to log in using my > application user. Can anybody help me with this? > > Thanks, > Senthil > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From Martin.Hipfinger at oebb.at Wed Jul 22 07:07:54 2015 From: Martin.Hipfinger at oebb.at (Hipfinger Martin (BCC.ÖBB.TicketShop.MA)) Date: Wed, 22 Jul 2015 11:07:54 +0000 Subject: [keycloak-user] multi tenant configuration with 1.3.1?
Message-ID: <1CBE59D9C302B841A9562E1A3A6F5B7333076AED@LAXEX004.oebb.at> Hi, we're running keycloak 1.1 with several overlays - in detail:

- A new datasource per overlay:

/opt/keycloak/bin/jboss-cli.sh --commands="connect, data-source add --name=xxxDS --connection-url=jdbc:oracle:thin:@xxxxx:1522:xxxxx --jndi-name=java:jboss/datasources/xxxDS --driver-name=ojdbc --password=xxx --user-name=XXX"

- A new auth-server entry:

/opt/keycloak/bin/jboss-cli.sh --commands="connect, /subsystem=keycloak/auth-server=xxx-server/:add(web-context=xxx, enabled=true)"

- An own keycloak-server.json (the two relevant fragments; the connectionsInfinispan block is closed here, the closing brace was missing in the original):

"connectionsJpa": {
  "default": {
    "dataSource": "java:jboss/datasources/xxxDS",
    "databaseSchema": "update"
  }
}
"connectionsInfinispan": {
  "default" : {
    "cacheContainer" : "java:jboss/infinispan/xxxKeycloak"
  }
}

uploaded with:

/opt/keycloak/bin/jboss-cli.sh --commands="connect, /subsystem=keycloak/auth-server=xxx-server:update-server-config(bytes-to-upload=/opt/keycloak/standalone/configuration/keycloak-server-xxx.json,overwrite=true)"

This configuration isn't supported anymore with 1.3.1 - do you have any hint for me on how to achieve a similar config with 1.3.1? br, Martin From stian at redhat.com Wed Jul 22 07:23:03 2015 From: stian at redhat.com (Stian Thorgersen) Date: Wed, 22 Jul 2015 07:23:03 -0400 (EDT) Subject: [keycloak-user] multi tenant configuration with 1.3.1?
In-Reply-To: <1CBE59D9C302B841A9562E1A3A6F5B7333076AED@LAXEX004.oebb.at> References: <1CBE59D9C302B841A9562E1A3A6F5B7333076AED@LAXEX004.oebb.at> Message-ID: <980465831.2641731.1437564183052.JavaMail.zimbra@redhat.com> Read the manual: http://keycloak.github.io/docs/userguide/html/Migration_from_older_versions.html#d4e3319 ----- Original Message ----- > From: "Hipfinger Martin (BCC.ÖBB.TicketShop.MA)" > To: keycloak-user at lists.jboss.org > Sent: Wednesday, 22 July, 2015 1:07:54 PM > Subject: [keycloak-user] multi tenant configuration with 1.3.1? > > Hi, > > we're running keycloak 1.1 with several overlays - in detail: > > - A new datasource per overlay > > /opt/keycloak/bin/jboss-cli.sh --commands="connect, data-source add --name=xxxDS --connection-url=jdbc:oracle:thin:@xxxxx:1522:xxxxx > --jndi-name=java:jboss/datasources/xxxDS --driver-name=ojdbc --password=xxx --user-name=XXX" > > - A new auth-server entry > > /opt/keycloak/bin/jboss-cli.sh --commands="connect, > /subsystem=keycloak/auth-server=xxx-server/:add(web-context=xxx, > enabled=true)" > > - An own keycloak-server.json > > "connectionsJpa": { > "default": { > "dataSource": "java:jboss/datasources/xxxDS", > "databaseSchema": "update" > } > } > "connectionsInfinispan": { > "default" : { > "cacheContainer" : "java:jboss/infinispan/xxxKeycloak" > } > > /opt/keycloak/bin/jboss-cli.sh --commands="connect, > /subsystem=keycloak/auth-server=xxx-server:update-server-config(bytes-to-upload=/opt/keycloak/standalone/configuration/keycloak-server-xxx.json,overwrite=true)" > > This configuration isn't supported anymore with 1.3.1 - do you have any hint > for me, how to achieve a similar config with 1.3.1?
> br, > > Martin > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From gerbermichi at me.com Wed Jul 22 09:38:11 2015 From: gerbermichi at me.com (Michael Gerber) Date: Wed, 22 Jul 2015 13:38:11 +0000 (GMT) Subject: [keycloak-user] LDAP with Kerberos, login with different user Message-ID: <4431908e-c376-452c-a4f2-cea82952dcdc@me.com> Hi all, I use LDAP with Kerberos and would like to log out and log in again with a different user (no kerberos login, just the keycloak username and password dialog). Is that possible? cheers Michael From tdudgeon.ml at gmail.com Wed Jul 22 13:08:35 2015 From: tdudgeon.ml at gmail.com (Tim Dudgeon) Date: Wed, 22 Jul 2015 18:08:35 +0100 Subject: [keycloak-user] problems getting started with tomcat Message-ID: <55AFCE13.6000705@gmail.com> Hi all, I'm trying to get started with keycloak, but struggling with getting started with tomcat. I think I've followed the instructions described here: http://keycloak.github.io/docs/userguide/html/ch08.html#tomcat-adapter I'm using a clean tomcat 7.0.57 distro and have copied the jars from the keycloak-tomcat7-adapter-dist-1.3.1.Final.tar.gz download to the lib folder. But nothing I can do can trigger an authentication redirect. I've attached a very simple war file that illustrates this and contains: 43 07-22-15 17:38 index.html 0 07-22-15 17:40 META-INF/ 159 07-22-15 17:40 META-INF/context.xml 0 07-22-15 17:43 WEB-INF/ 632 07-22-15 17:38 WEB-INF/keycloak.json 1207 07-22-15 17:43 WEB-INF/web.xml Can someone help spot what is wrong? Sorry for the basic nature of this, but, as always, the hardest part of flying is getting off the ground.
Tim -------------- next part -------------- A non-text attachment was scrubbed... Name: sampleapp.war Type: application/octet-stream Size: 2005 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150722/e194c79b/attachment.obj From rodrigopsasaki at gmail.com Wed Jul 22 13:24:42 2015 From: rodrigopsasaki at gmail.com (Rodrigo Sasaki) Date: Wed, 22 Jul 2015 17:24:42 +0000 Subject: [keycloak-user] Deploy Keycloak from within IntelliJ IDEA Message-ID: Hello everyone, I haven't used Keycloak since version 1.0.2, which we have now in production. But now Keycloak has so many new features that we decided to migrate to 1.3.1.Final. This is a very specific issue; maybe this has already been discussed before, and if it has I'd like to ask you to direct me to that thread. Anyway, I want to deploy Keycloak from within IntelliJ IDEA. On version 1.0.2 all I had to do was add an artifact of keycloak-server on the deployment and it was done, but that no longer exists and I can't seem to find a replacement for it. What I do now is add a step to execute a maven goal to package the war, and I created an artifact based on that war to deploy it. It works fine, but I believe there must be a simpler solution, and doing it like this I can't use JRebel to hot deploy my alterations either. Is there a way to do what I'm trying to do? I'll be happy to provide you with more information if necessary. Cheers, Rodrigo Sasaki
From sennatece at gmail.com Wed Jul 22 13:42:42 2015 From: sennatece at gmail.com (Senthil Nathan) Date: Wed, 22 Jul 2015 10:42:42 -0700 Subject: [keycloak-user] Keycloak - login into application In-Reply-To: <1964953312.2271362.1437549041995.JavaMail.zimbra@redhat.com> References: <1964953312.2271362.1437549041995.JavaMail.zimbra@redhat.com> Message-ID: Hi Stian, Thanks for the reply. Currently I have deployed my application in a wildfly8 server with basic authentication and am moving it to a wildfly9 server with OAuth2.0 authentication. I came across keycloak, which does the same OAuth2.0 authentication. I tried deploying my application in the wildfly9 server by following the below link http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html_single/index.html After starting the server I am logging in to my application using the realm user which I have created using the keycloak settings. I need to use the user which I have created using my application, and keycloak only needs to provide authentication to my REST service. Kindly help with this. Thanks, Senthil On Wed, Jul 22, 2015 at 12:10 AM, Stian Thorgersen wrote: > You'll need to add a lot more information than this if we're going to be > able to help you > > ----- Original Message ----- > > From: "Senthil Nathan" > > To: keycloak-user at lists.jboss.org > > Sent: Wednesday, 22 July, 2015 2:09:35 AM > > Subject: [keycloak-user] Keycloak - login into application > > > > Hi, > > > > I installed keycloak in a wildfly9 server and I deployed my application. > When I > > accessed the home page of my application, I'm unable to log in using my > > application user. Can anybody help me with this?
> > Thanks, > > Senthil > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > From bburke at redhat.com Wed Jul 22 16:15:24 2015 From: bburke at redhat.com (Bill Burke) Date: Wed, 22 Jul 2015 16:15:24 -0400 Subject: [keycloak-user] Keycloak - login into application In-Reply-To: References: <1964953312.2271362.1437549041995.JavaMail.zimbra@redhat.com> Message-ID: <55AFF9DC.7030909@redhat.com> You should probably look at the examples that come with the distro. The screencast videos would help too, although they are quite out of date. On 7/22/2015 1:42 PM, Senthil Nathan wrote: > Hi Stian, > > Thanks for the reply. Currently I have deployed my application in a wildfly8 > server with basic authentication and am moving it to a wildfly9 server with > OAuth2.0 authentication. I came across keycloak, which does the same > OAuth2.0 authentication. I tried deploying my application in the wildfly9 > server by following the below link > > http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html_single/index.html > > After starting the server I am logging in to my application using the realm user > which I have created using the keycloak settings. I need to use the > user which I have created using my application, and keycloak only needs to > provide authentication to my REST service. > > Kindly help with this.
> > Thanks, > Senthil > > On Wed, Jul 22, 2015 at 12:10 AM, Stian Thorgersen > wrote: > > You'll need to add a lot more information than this if we're going > to be able to help you > > ----- Original Message ----- > > From: "Senthil Nathan" > > > To: keycloak-user at lists.jboss.org > > > Sent: Wednesday, 22 July, 2015 2:09:35 AM > > Subject: [keycloak-user] Keycloak - login into application > > > > Hi, > > > > I installed keycloak in a wildfly9 server and I deployed my > application. When I > > accessed the home page of my application, I'm unable to log in > using my > > application user. Can anybody help me with this? > > > > Thanks, > > Senthil > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From sennatece at gmail.com Wed Jul 22 17:04:41 2015 From: sennatece at gmail.com (Senthil Nathan) Date: Wed, 22 Jul 2015 14:04:41 -0700 Subject: [keycloak-user] Keycloak - login into application In-Reply-To: <55AFF9DC.7030909@redhat.com> References: <1964953312.2271362.1437549041995.JavaMail.zimbra@redhat.com> <55AFF9DC.7030909@redhat.com> Message-ID: Hi, I followed the screencast videos and there is no option to make my application's index.html the default page. Can you guide me on this? Thanks, Senthil On Wed, Jul 22, 2015 at 1:15 PM, Bill Burke wrote: > You should probably look at the examples that come with the distro. The > screencast videos would help too, although they are quite out of date. > > On 7/22/2015 1:42 PM, Senthil Nathan wrote: > > Hi Stian, > > > > Thanks for the reply.
Currently I have deployed my application in a wildfly8 > > server with basic authentication and am moving it to a wildfly9 server with > > OAuth2.0 authentication. I came across keycloak, which does the same > > OAuth2.0 authentication. I tried deploying my application in the wildfly9 > > server by following the below link > > > > > http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html_single/index.html > > > > After starting the server I am logging in to my application using the realm user > > which I have created using the keycloak settings. I need to use the > > user which I have created using my application, and keycloak only needs to > > provide authentication to my REST service. > > > > Kindly help with this. > > > > Thanks, > > Senthil > > > > On Wed, Jul 22, 2015 at 12:10 AM, Stian Thorgersen > > wrote: > > > > You'll need to add a lot more information than this if we're going > > to be able to help you > > > > ----- Original Message ----- > > > From: "Senthil Nathan" > > > > > To: keycloak-user at lists.jboss.org > > > > > Sent: Wednesday, 22 July, 2015 2:09:35 AM > > > Subject: [keycloak-user] Keycloak - login into application > > > > > > Hi, > > > > > > I installed keycloak in a wildfly9 server and I deployed my > > application. When I > > > accessed the home page of my application, I'm unable to log in > > using my > > > application user. Can anybody help me with this?
> > > Thanks, > > > Senthil > > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From mposolda at redhat.com Wed Jul 22 17:06:45 2015 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 22 Jul 2015 23:06:45 +0200 Subject: [keycloak-user] LDAP with Kerberos, login with different user In-Reply-To: <4431908e-c376-452c-a4f2-cea82952dcdc@me.com> References: <4431908e-c376-452c-a4f2-cea82952dcdc@me.com> Message-ID: <55B005E5.6050306@redhat.com> I don't think it's doable. Kerberos is a kind of desktop login, and logging out from the web application won't destroy the Kerberos ticket - similarly, it can't log out your laptop/desktop session. So when you visit the secured application next time, you are automatically logged into Keycloak through SPNEGO due to the Kerberos ticket. Hence you need to remove the Kerberos ticket manually (for example "kdestroy" works on Linux, but I guess you're using Windows + Active Directory?) and then you will be able to see the Keycloak login screen and log in as a different user.
Marek On 22.7.2015 15:38, Michael Gerber wrote: > Hi all, > > I use LDAP with Kerberos and would like to log out and log in again with > a different user (no kerberos login, just the keycloak username and > password dialog). > Is that possible? > > cheers > Michael > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From bburke at redhat.com Wed Jul 22 22:24:30 2015 From: bburke at redhat.com (Bill Burke) Date: Wed, 22 Jul 2015 22:24:30 -0400 Subject: [keycloak-user] Keycloak - login into application In-Reply-To: References: <1964953312.2271362.1437549041995.JavaMail.zimbra@redhat.com> <55AFF9DC.7030909@redhat.com> Message-ID: <55B0505E.4070501@redhat.com> It is standard servlet security. Use security constraints to secure the url patterns you want to secure. On 7/22/2015 5:04 PM, Senthil Nathan wrote: > Hi, > > I followed the screencast videos and there is no option to make my > application's index.html the default page. Can you guide me on this? > > > Thanks, > Senthil > > On Wed, Jul 22, 2015 at 1:15 PM, Bill Burke > wrote: > > You should probably look at the examples that come with the distro. The > screencast videos would help too, although they are quite out of date. > > On 7/22/2015 1:42 PM, Senthil Nathan wrote: > > Hi Stian, > > > > Thanks for the reply. Currently I have deployed my application in a wildfly8 > > server with basic authentication and am moving it to a wildfly9 server with > > OAuth2.0 authentication. I came across keycloak, which does the same > > OAuth2.0 authentication.
I tried deploying my application in the wildfly9 > > server by following the below link > > > > http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html_single/index.html > > > > After starting the server I am logging in to my application using the realm user > > which I have created using the keycloak settings. I need to use the > > user which I have created using my application, and keycloak only needs to > > provide authentication to my REST service. > > > > Kindly help with this. > > > > Thanks, > > Senthil > > > > On Wed, Jul 22, 2015 at 12:10 AM, Stian Thorgersen > > wrote: > > > > You'll need to add a lot more information than this if we're going > > to be able to help you > > > > ----- Original Message ----- > > > From: "Senthil Nathan" > > > To: keycloak-user at lists.jboss.org > > > Sent: Wednesday, 22 July, 2015 2:09:35 AM > > > Subject: [keycloak-user] Keycloak - login into application > > > > > > Hi, > > > > > > I installed keycloak in a wildfly9 server and I deployed my > > application. When I > > > accessed the home page of my application, I'm unable to log in > > using my > > > application user. Can anybody help me with this?
> > > Thanks, > > > Senthil > > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From gerbermichi at me.com Thu Jul 23 01:44:20 2015 From: gerbermichi at me.com (Michael Gerber) Date: Thu, 23 Jul 2015 05:44:20 +0000 (GMT) Subject: [keycloak-user] Re: LDAP with Kerberos, login with different user Message-ID: Isn't it possible to create a cookie or add a URL parameter after the logout, so the user is not logged in automatically? It's crucial for us to be able to log in as a different user, otherwise we cannot use kerberos at all :( Michael On 22 July 2015 at 23:06, Marek Posolda wrote: I don't think it's doable. Kerberos is a kind of desktop login, and logging out from the web application won't destroy the Kerberos ticket - similarly, it can't log out your laptop/desktop session. So when you visit the secured application next time, you are automatically logged into Keycloak through SPNEGO due to the Kerberos ticket. Hence you need to remove the Kerberos ticket manually (for example "kdestroy" works on Linux, but I guess you're using Windows + Active Directory?) and then you will be able to see the Keycloak login screen and log in as a different user.
Marek On 22.7.2015 15:38, Michael Gerber wrote: Hi all, I use LDAP with Kerberos and would like to log out and log in again with a different user (no kerberos login, just the keycloak username and password dialog). Is that possible? cheers Michael _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Thu Jul 23 02:26:05 2015 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 23 Jul 2015 08:26:05 +0200 Subject: [keycloak-user] LDAP with Kerberos, login with different user In-Reply-To: References: Message-ID: <55B088FD.2020505@redhat.com> Do you want that for normal users or just for admin users? Just trying to understand the use case. Because AFAIK the point of Kerberos is that you log in to the desktop and then you're automatically logged into integrated web applications without needing to deal with any login screens and username/password. When a user has just one Keycloak account corresponding to his Kerberos ticket, then why does he need to log in as a different user? I can understand the use case for an admin, when you want to log in as a different user for testing purposes etc. For this, isn't it possible in Windows to do something like "kdestroy" to be able to log in without Kerberos? Marek On 23.7.2015 07:44, Michael Gerber wrote: > Isn't it possible to create a cookie or add a URL parameter after the > logout, so the user is not logged in automatically? > > It's crucial for us to be able to log in as a different user, > otherwise we cannot use kerberos at all :( > > Michael > > On 22 July 2015 at 23:06, Marek Posolda wrote: > >> I don't think it's doable.
Kerberos is a kind of desktop login, and >> logging out from the web application won't destroy the Kerberos ticket - >> similarly, it can't log out your laptop/desktop session. So when >> you visit the secured application next time, you are automatically >> logged into Keycloak through SPNEGO due to the Kerberos ticket. >> >> Hence you need to remove the Kerberos ticket manually (for example >> "kdestroy" works on Linux, but I guess you're using Windows + >> Active Directory?) and then you will be able to see the Keycloak login >> screen and log in as a different user. >> >> Marek >> >> On 22.7.2015 15:38, Michael Gerber wrote: >>> Hi all, >>> >>> I use LDAP with Kerberos and would like to log out and log in again >>> with a different user (no kerberos login, just the keycloak username and >>> password dialog). >>> Is that possible? >>> >>> cheers >>> Michael >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> From mposolda at redhat.com Thu Jul 23 02:35:30 2015 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 23 Jul 2015 08:35:30 +0200 Subject: [keycloak-user] LDAP with Kerberos, login with different user In-Reply-To: <55B088FD.2020505@redhat.com> References: <55B088FD.2020505@redhat.com> Message-ID: <55B08B32.1060505@redhat.com> Maybe we can have a special request parameter, which will be sent from the application to the login screen. The parameter will contain a list of authentication mechanisms which you want to skip for this login. Something like "skipAuthType=cookie,kerberos". The list of skipped alternative mechanisms will be saved in the ClientSession, so the authentication SPI can deal with it.
Not sure if it makes sense to add support into the adapter, but maybe something basic (like we have for the parameters "login_hint" or "kc_idp_hint" in keycloak.js) can be added as well? Marek On 23.7.2015 08:26, Marek Posolda wrote: > Do you want that for normal users or just for admin users? Just trying > to understand the use case. Because AFAIK the point of Kerberos is > that you log in to the desktop and then you're automatically logged > into integrated web applications without needing to deal with any login > screens and username/password. When a user has just one Keycloak account > corresponding to his Kerberos ticket, then why does he need to log in as a > different user? > > I can understand the use case for an admin, when you want to log in as a > different user for testing purposes etc. For this, isn't it possible in > Windows to do something like "kdestroy" to be able to log in without > Kerberos? > > Marek > > On 23.7.2015 07:44, Michael Gerber wrote: >> Isn't it possible to create a cookie or add a URL parameter after >> the logout, so the user is not logged in automatically? >> >> It's crucial for us to be able to log in as a different user, >> otherwise we cannot use kerberos at all :( >> >> Michael >> >> On 22 July 2015 at 23:06, Marek Posolda wrote: >> >>> I don't think it's doable. Kerberos is a kind of desktop login, and >>> logging out from the web application won't destroy the Kerberos ticket - >>> similarly, it can't log out your laptop/desktop session. So when >>> you visit the secured application next time, you are automatically >>> logged into Keycloak through SPNEGO due to the Kerberos ticket. >>> >>> Hence you need to remove the Kerberos ticket manually (for example >>> "kdestroy" works on Linux, but I guess you're using Windows + >>> Active Directory?) and then you will be able to see the Keycloak login >>> screen and log in as a different user.
>>> >>> Marek >>> >>> On 22.7.2015 15:38, Michael Gerber wrote: >>>> Hi all, >>>> >>>> I use LDAP with Kerberos and would like to log out and log in again >>>> with a different user (no kerberos login, just the keycloak username >>>> and password dialog). >>>> Is that possible? >>>> >>>> cheers >>>> Michael >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> > From stan.ieugen at gmail.com Thu Jul 23 03:36:23 2015 From: stan.ieugen at gmail.com (Ioan Eugen Stan) Date: Thu, 23 Jul 2015 10:36:23 +0300 Subject: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.3.1.Final In-Reply-To: <1091621274.2271286.1437549008652.JavaMail.zimbra@redhat.com> References: <1525379670.1408788.1437472494893.JavaMail.zimbra@redhat.com> <55AEAC84.303@gmail.com> <55AEB335.7020207@gmail.com> <1091621274.2271286.1437549008652.JavaMail.zimbra@redhat.com> Message-ID: Hi, I tried it again after a bit and it worked. I was very anxious and forgot about the big startup cost of web application servers. My bad. Sorry for all the noise. Unfortunately this lasted just over night. The next morning the openshift proxy fails to redirect to keycloak. I did not do anything to it, I swear. I get bad request when I access it. On 22 Jul 2015 10:10, "Stian Thorgersen" wrote: > Are you deploying to a private OpenShift? It seems to work just fine on > OpenShift Online. > > The cartridge is just the WildFly cartridge with Keycloak added on top; do > you have the same issue with that?
>
> ----- Original Message -----
>> From: "Ioan Eugen Stan"
>> To: keycloak-user at lists.jboss.org
>> Sent: Tuesday, 21 July, 2015 11:01:41 PM
>> Subject: Re: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.3.1.Final
>>
>> I found out that Keycloak is in fact running but it is not public by default. You can access it locally by forwarding the remote ports to your local ports: rhc port-forward keycloak and go to http://localhost:8080/
>>
>> Any idea why Keycloak is not available publicly by default? Is this an intended feature or a bug? Any hints on how to make it public are appreciated.
>>
>> Thanks,

From stian at redhat.com Thu Jul 23 03:51:15 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 23 Jul 2015 03:51:15 -0400 (EDT)
Subject: [keycloak-user] LDAP with Kerberos, login with different user
In-Reply-To: <55B08B32.1060505@redhat.com>
References: <55B088FD.2020505@redhat.com> <55B08B32.1060505@redhat.com>
Message-ID: <1332957419.3265488.1437637875844.JavaMail.zimbra@redhat.com>

How about when a user logs out from Keycloak we add a session cookie to not use Kerberos again automatically? Even better, if there's a concept of a session-id with Kerberos we can add the session-id to the cookie and automatically log in if the user's Kerberos session has changed, but otherwise display the username/password form.

----- Original Message -----
> From: "Marek Posolda"
> To: "Michael Gerber"
> Cc: keycloak-user at lists.jboss.org
> Sent: Thursday, 23 July, 2015 8:35:30 AM
> Subject: Re: [keycloak-user] LDAP with Kerberos, login with different user
>
> Maybe we can have a special request parameter, which will be sent from the application to the login screen. The parameter will contain a list of authentication mechanisms which you want to skip for this login. Something like "skipAuthType=cookie,kerberos". The list of skipped alternative mechanisms will be saved in the ClientSession, so the authentication SPI can deal with it.
>
> Not sure if it makes sense to add support into the adapter, but maybe something basic (like we have for the parameters "login_hint" or "kc_idp_hint" in keycloak.js) can be added as well?
>
> Marek
>
> On 23.7.2015 08:26, Marek Posolda wrote:
>
> Do you want that for normal users or just for admin users? Just trying to understand the use case. Because AFAIK the point of Kerberos is that you log in to the desktop and then you're automatically logged into integrated web applications without needing to deal with any login screens and username/password. When a user has just one Keycloak account corresponding to his Kerberos ticket, then why does he need to log in as a different user?
>
> I can understand the use case for an admin, when you want to log in as a different user for testing purposes etc. For this, isn't it possible in Windows to do something like "kdestroy" to be able to log in without Kerberos?
>
> Marek
>
> On 23.7.2015 07:44, Michael Gerber wrote:
>
> Isn't it possible to create a cookie or add a URL parameter after the logout, so the user is not logged in automatically?
>
> It's crucial for us to be able to log in as a different user, otherwise we can not use Kerberos at all :(
>
> Michael
>
> On 22 July 2015 at 23:06, Marek Posolda wrote:
>
> I don't think it's doable.
> Kerberos is a kind of desktop login, and logout from the web application won't destroy the Kerberos ticket - similarly to how it can't log out your laptop/desktop session. So when you visit the secured application next time, you are automatically logged into Keycloak through SPNEGO due to the Kerberos ticket.
>
> Hence you need to remove the Kerberos ticket manually (for example "kdestroy" works on Linux, but I guess you're using Windows + ActiveDirectory?) and then you will be able to see the Keycloak login screen and log in as a different user.
>
> Marek
>
> On 22.7.2015 15:38, Michael Gerber wrote:
>
> Hi all,
>
> I use LDAP with Kerberos and would like to log out and log in again with a different user (no Kerberos login, just the Keycloak username and password dialog).
> Is that possible?
>
> cheers
> Michael

From stian at redhat.com Thu Jul 23 03:55:47 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 23 Jul 2015 03:55:47 -0400 (EDT)
Subject: [keycloak-user] Deploy Keycloak from within IntelliJ IDEA
Message-ID: <158028761.3267841.1437638147006.JavaMail.zimbra@redhat.com>

Keycloak is not deployed as a WAR anymore, so there's no concept of deploying Keycloak to a WildFly server. Are you forking/modifying Keycloak code? If so, have a look at https://github.com/keycloak/keycloak/blob/master/misc/Testsuite.md#keycloak-server. There's KeycloakServer, which contains a main method and can be run directly from the IDE.
If you're not modifying Keycloak code and just developing your own apps, I recommend either spinning up a standalone KC server, or using the server-overlay download and adding it to the WildFly server you deploy your apps to (this is only recommended for development btw).

----- Original Message -----
> From: "Rodrigo Sasaki"
> To: keycloak-user at lists.jboss.org
> Sent: Wednesday, 22 July, 2015 7:24:42 PM
> Subject: [keycloak-user] Deploy Keycloak from within IntelliJ IDEA
>
> Hello everyone,
>
> I haven't used Keycloak since version 1.0.2, which we have now in production. But now Keycloak has so many new features that we decided to migrate to 1.3.1.Final
>
> This is a very specific issue, maybe this has already been discussed before, and if it has I'd like to ask you to direct me to that thread.
>
> Anyway, I want to deploy Keycloak from within IntelliJ IDEA. On version 1.0.2 all I had to do was add an artifact of keycloak-server on the deployment and it was done, but that no longer exists and I don't seem to find a replacement for it.
>
> What I do now is add a step to execute a Maven goal to package the WAR, and I created an artifact based on that WAR to deploy it. It works fine, but I believe there must be a simpler solution, and doing it like this I can't use JRebel to hot deploy my alterations either.
>
> Is there a way to do what I'm trying to do? I'll be happy to provide you more information if necessary.
>
> Cheers,
> Rodrigo Sasaki

From stian at redhat.com Thu Jul 23 04:48:29 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 23 Jul 2015 04:48:29 -0400 (EDT)
Subject: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.3.1.Final
References: <1525379670.1408788.1437472494893.JavaMail.zimbra@redhat.com> <55AEAC84.303@gmail.com> <55AEB335.7020207@gmail.com> <1091621274.2271286.1437549008652.JavaMail.zimbra@redhat.com>
Message-ID: <503404133.3301148.1437641309825.JavaMail.zimbra@redhat.com>

OpenShift Online free accounts "pause" unused instances after a while of inactivity. See https://developers.openshift.com/en/managing-idling.html

----- Original Message -----
> From: "Ioan Eugen Stan"
> To: "Stian Thorgersen"
> Cc: "keycloak-user"
> Sent: Thursday, 23 July, 2015 9:36:23 AM
> Subject: Re: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.3.1.Final
>
> Hi,
>
> I tried it again after a bit and it worked. I was very anxious and forgot about the big startup cost of web application servers. My bad. Sorry for all the noise.
>
> Unfortunately this lasted just over night. The next morning the OpenShift proxy fails to redirect to Keycloak. I did not do anything to it, I swear.
>
> I get Bad Request when I access it.
>
> On 22 Jul 2015 10:10, "Stian Thorgersen" wrote:
>> Are you deploying to a private OpenShift? It seems to work just fine on OpenShift Online.
>>
>> The cartridge is just the WildFly cartridge with Keycloak added on top, do you have the same issue with that?
>>
>> ----- Original Message -----
>>> From: "Ioan Eugen Stan"
>>> To: keycloak-user at lists.jboss.org
>>> Sent: Tuesday, 21 July, 2015 11:01:41 PM
>>> Subject: Re: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.3.1.Final
>>>
>>> I found out that Keycloak is in fact running but it is not public by default. You can access it locally by forwarding the remote ports to your local ports: rhc port-forward keycloak and go to http://localhost:8080/
>>>
>>> Any idea why Keycloak is not available publicly by default? Is this an intended feature or a bug? Any hints on how to make it public are appreciated.
>>>
>>> Thanks,

From stan.ieugen at gmail.com Thu Jul 23 06:45:56 2015
From: stan.ieugen at gmail.com (Ioan Eugen Stan)
Date: Thu, 23 Jul 2015 13:45:56 +0300
Subject: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.3.1.Final
In-Reply-To: <503404133.3301148.1437641309825.JavaMail.zimbra@redhat.com>
References: <1525379670.1408788.1437472494893.JavaMail.zimbra@redhat.com> <55AEAC84.303@gmail.com> <55AEB335.7020207@gmail.com> <1091621274.2271286.1437549008652.JavaMail.zimbra@redhat.com> <503404133.3301148.1437641309825.JavaMail.zimbra@redhat.com>
Message-ID: <55B0C5E4.7070902@gmail.com>

Thank you for the response. However, I think it's another beast altogether:

https://keycloak-ieugen.rhcloud.com/auth/admin/

Proxy Error

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /auth/admin/.

Reason: DNS lookup failure for: 127.0.0.1:80auth
From stian at redhat.com Thu Jul 23 06:59:57 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 23 Jul 2015 06:59:57 -0400 (EDT)
Subject: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.3.1.Final
In-Reply-To: <55B0C5E4.7070902@gmail.com>
References: <1525379670.1408788.1437472494893.JavaMail.zimbra@redhat.com> <55AEAC84.303@gmail.com> <55AEB335.7020207@gmail.com> <1091621274.2271286.1437549008652.JavaMail.zimbra@redhat.com> <503404133.3301148.1437641309825.JavaMail.zimbra@redhat.com> <55B0C5E4.7070902@gmail.com>
Message-ID: <1670618386.3341432.1437649197877.JavaMail.zimbra@redhat.com>

Just got the same issue on my instance. Seems that after the instance is idled it returns this 502 even after the instance is restarted (confirmed in the log that it's up and running).

----- Original Message -----
> From: "Ioan Eugen Stan"
> To: "Stian Thorgersen"
> Cc: "keycloak-user"
> Sent: Thursday, 23 July, 2015 12:45:56 PM
> Subject: Re: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.3.1.Final
>
> Thank you for the response. However, I think it's another beast altogether:
>
> https://keycloak-ieugen.rhcloud.com/auth/admin/
>
> Proxy Error
>
> The proxy server received an invalid response from an upstream server.
> The proxy server could not handle the request GET /auth/admin/.
>
> Reason: DNS lookup failure for: 127.0.0.1:80auth

From stian at redhat.com Thu Jul 23 07:07:18 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 23 Jul 2015 07:07:18 -0400 (EDT)
Subject: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.3.1.Final
In-Reply-To: <1670618386.3341432.1437649197877.JavaMail.zimbra@redhat.com>
References: <1525379670.1408788.1437472494893.JavaMail.zimbra@redhat.com> <55AEAC84.303@gmail.com> <55AEB335.7020207@gmail.com> <1091621274.2271286.1437549008652.JavaMail.zimbra@redhat.com> <503404133.3301148.1437641309825.JavaMail.zimbra@redhat.com> <55B0C5E4.7070902@gmail.com> <1670618386.3341432.1437649197877.JavaMail.zimbra@redhat.com>
Message-ID: <263935832.3344070.1437649638623.JavaMail.zimbra@redhat.com>

https://issues.jboss.org/browse/KEYCLOAK-1597

----- Original Message -----
> From: "Stian Thorgersen"
> To: "Ioan Eugen Stan"
> Cc: "keycloak-user"
> Sent: Thursday, 23 July, 2015 12:59:57 PM
> Subject: Re: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.3.1.Final
>
> Just got the same issue on my instance. Seems that after the instance is idled it returns this 502 even after the instance is restarted (confirmed in the log that it's up and running).
>
> ----- Original Message -----
>> From: "Ioan Eugen Stan"
>> To: "Stian Thorgersen"
>> Cc: "keycloak-user"
>> Sent: Thursday, 23 July, 2015 12:45:56 PM
>> Subject: Re: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.3.1.Final
>>
>> Thank you for the response. However, I think it's another beast altogether:
>>
>> https://keycloak-ieugen.rhcloud.com/auth/admin/
>>
>> Proxy Error
>>
>> The proxy server received an invalid response from an upstream server.
>> The proxy server could not handle the request GET /auth/admin/.
>>
>> Reason: DNS lookup failure for: 127.0.0.1:80auth

From mike.hills at sematree.com Thu Jul 23 07:15:55 2015
From: mike.hills at sematree.com (Mike Hills)
Date: Thu, 23 Jul 2015 07:15:55 -0400
Subject: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.3.1.Final
In-Reply-To: <1670618386.3341432.1437649197877.JavaMail.zimbra@redhat.com>
References: <1525379670.1408788.1437472494893.JavaMail.zimbra@redhat.com> <55AEAC84.303@gmail.com> <55AEB335.7020207@gmail.com> <1091621274.2271286.1437549008652.JavaMail.zimbra@redhat.com> <503404133.3301148.1437641309825.JavaMail.zimbra@redhat.com> <55B0C5E4.7070902@gmail.com> <1670618386.3341432.1437649197877.JavaMail.zimbra@redhat.com>

It's good to know I am not alone :)

I consistently receive this error on both the 1.2 and 1.3 versions of Keycloak running on OPENSHIFT ONLINE. OPENSHIFT support had me validate that I could access my Keycloak instance at http://localhost:8080/auth after executing: rhc port-forward keycloak (which I could). I have not had a follow-up from support since I confirmed this.

https://access.redhat.com/support/cases/#/case/01479959

On Thu, Jul 23, 2015 at 6:59 AM, Stian Thorgersen wrote:
> Just got the same issue on my instance. Seems that after the instance is idled it returns this 502 even after the instance is restarted (confirmed in the log that it's up and running).
>
> ----- Original Message -----
>> From: "Ioan Eugen Stan"
>> To: "Stian Thorgersen"
>> Cc: "keycloak-user"
>> Sent: Thursday, 23 July, 2015 12:45:56 PM
>> Subject: Re: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.3.1.Final
>>
>> Thank you for the response.
>> However, I think it's another beast altogether:
>>
>> https://keycloak-ieugen.rhcloud.com/auth/admin/
>>
>> Proxy Error
>>
>> The proxy server received an invalid response from an upstream server.
>> The proxy server could not handle the request GET /auth/admin/.
>>
>> Reason: DNS lookup failure for: 127.0.0.1:80auth

--
Michael J. Hills
Sr. CRM Architect
Mobile: 603.475.5093
Email : mike.hills at sematree.com
Skype : mhills_sematree

From mposolda at redhat.com Thu Jul 23 07:33:15 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 23 Jul 2015 13:33:15 +0200
Subject: [keycloak-user] LDAP with Kerberos, login with different user
Message-ID: <55B0D0FB.9060709@redhat.com>

Ah, OK. So it's about admin users. Also note that in the latest 1.4 version we will have a new "impersonation" feature, which allows an admin to temporarily log in on behalf of any other user. Isn't this even better for your use case?

Marek

On 23.7.2015 08:41, Michael Gerber wrote:
> Hi, yes something like that would be great.
> Because our application admins are no tech guys, so it would be nice to offer an easy solution to them ;)
>
> On 23 July 2015 at 08:35, Marek Posolda wrote:
>
>> Maybe we can have a special request parameter, which will be sent from the application to the login screen. The parameter will contain a list of authentication mechanisms which you want to skip for this login. Something like "skipAuthType=cookie,kerberos". The list of skipped alternative mechanisms will be saved in the ClientSession, so the authentication SPI can deal with it.
>>
>> Not sure if it makes sense to add support into the adapter, but maybe something basic (like we have for the parameters "login_hint" or "kc_idp_hint" in keycloak.js) can be added as well?
>>
>> Marek
>>
>> On 23.7.2015 08:26, Marek Posolda wrote:
>>> Do you want that for normal users or just for admin users? Just trying to understand the use case. Because AFAIK the point of Kerberos is that you log in to the desktop and then you're automatically logged into integrated web applications without needing to deal with any login screens and username/password. When a user has just one Keycloak account corresponding to his Kerberos ticket, then why does he need to log in as a different user?
>>>
>>> I can understand the use case for an admin, when you want to log in as a different user for testing purposes etc. For this, isn't it possible in Windows to do something like "kdestroy" to be able to log in without Kerberos?
>>>
>>> Marek
>>>
>>> On 23.7.2015 07:44, Michael Gerber wrote:
>>>> Isn't it possible to create a cookie or add a URL parameter after the logout, so the user is not logged in automatically?
>>>>
>>>> It's crucial for us to be able to log in as a different user, otherwise we can not use Kerberos at all :(
>>>>
>>>> Michael
>>>>
>>>> On 22 July 2015 at 23:06, Marek Posolda wrote:
>>>>
>>>>> I don't think it's doable. Kerberos is a kind of desktop login, and logout from the web application won't destroy the Kerberos ticket - similarly to how it can't log out your laptop/desktop session. So when you visit the secured application next time, you are automatically logged into Keycloak through SPNEGO due to the Kerberos ticket.
>>>>>
>>>>> Hence you need to remove the Kerberos ticket manually (for example "kdestroy" works on Linux, but I guess you're using Windows + ActiveDirectory?) and then you will be able to see the Keycloak login screen and log in as a different user.
>>>>>
>>>>> Marek
>>>>>
>>>>> On 22.7.2015 15:38, Michael Gerber wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> I use LDAP with Kerberos and would like to log out and log in again with a different user (no Kerberos login, just the Keycloak username and password dialog).
>>>>>> Is that possible?
>>>>>>
>>>>>> cheers
>>>>>> Michael

From mposolda at redhat.com Thu Jul 23 07:35:36 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 23 Jul 2015 13:35:36 +0200
Subject: [keycloak-user] LDAP with Kerberos, login with different user
In-Reply-To: <1332957419.3265488.1437637875844.JavaMail.zimbra@redhat.com>
References: <55B088FD.2020505@redhat.com> <55B08B32.1060505@redhat.com> <1332957419.3265488.1437637875844.JavaMail.zimbra@redhat.com>
Message-ID: <55B0D188.8010706@redhat.com>

TBH I am not very confident about adding a cookie during logout. Usually in production, I want to always log in with Kerberos and not deal with any login screen. Like when I go to https://mojo.redhat.com it always logs in with the Kerberos ticket, and when I log out or log in again (either the same or the next day) it works fine without needing to deal with any cookie.

The only use case which comes to my mind for why someone may want to skip login with his Kerberos account is the admin during the testing/preproduction setup phase, when he wants to try logging in with different users etc. But now we have impersonation, so maybe this won't be needed at all? Awaiting feedback from Michael in the other mail..
Marek

On 23.7.2015 09:51, Stian Thorgersen wrote:
> How about when a user logs out from Keycloak we add a session cookie to not use Kerberos again automatically? Even better, if there's a concept of a session-id with Kerberos we can add the session-id to the cookie and automatically log in if the user's Kerberos session has changed, but otherwise display the username/password form.
>
> ----- Original Message -----
>> From: "Marek Posolda"
>> To: "Michael Gerber"
>> Cc: keycloak-user at lists.jboss.org
>> Sent: Thursday, 23 July, 2015 8:35:30 AM
>> Subject: Re: [keycloak-user] LDAP with Kerberos, login with different user
>>
>> Maybe we can have a special request parameter, which will be sent from the application to the login screen. The parameter will contain a list of authentication mechanisms which you want to skip for this login. Something like "skipAuthType=cookie,kerberos". The list of skipped alternative mechanisms will be saved in the ClientSession, so the authentication SPI can deal with it.
>>
>> Not sure if it makes sense to add support into the adapter, but maybe something basic (like we have for the parameters "login_hint" or "kc_idp_hint" in keycloak.js) can be added as well?
>>
>> Marek
>>
>> On 23.7.2015 08:26, Marek Posolda wrote:
>>
>> Do you want that for normal users or just for admin users? Just trying to understand the use case. Because AFAIK the point of Kerberos is that you log in to the desktop and then you're automatically logged into integrated web applications without needing to deal with any login screens and username/password. When a user has just one Keycloak account corresponding to his Kerberos ticket, then why does he need to log in as a different user?
>>
>> I can understand the use case for an admin, when you want to log in as a different user for testing purposes etc. For this, isn't it possible in Windows to do something like "kdestroy" to be able to log in without Kerberos?
>>
>> Marek
>>
>> On 23.7.2015 07:44, Michael Gerber wrote:
>>
>> Isn't it possible to create a cookie or add a URL parameter after the logout, so the user is not logged in automatically?
>>
>> It's crucial for us to be able to log in as a different user, otherwise we can not use Kerberos at all :(
>>
>> Michael
>>
>> On 22 July 2015 at 23:06, Marek Posolda wrote:
>>
>> I don't think it's doable. Kerberos is a kind of desktop login, and logout from the web application won't destroy the Kerberos ticket - similarly to how it can't log out your laptop/desktop session. So when you visit the secured application next time, you are automatically logged into Keycloak through SPNEGO due to the Kerberos ticket.
>>
>> Hence you need to remove the Kerberos ticket manually (for example "kdestroy" works on Linux, but I guess you're using Windows + ActiveDirectory?) and then you will be able to see the Keycloak login screen and log in as a different user.
>>
>> Marek
>>
>> On 22.7.2015 15:38, Michael Gerber wrote:
>>
>> Hi all,
>>
>> I use LDAP with Kerberos and would like to log out and log in again with a different user (no Kerberos login, just the Keycloak username and password dialog).
>> Is that possible?
>>
>> cheers
>> Michael

From gerbermichi at me.com Thu Jul 23 08:12:13 2015
From: gerbermichi at me.com (Michael Gerber)
Date: Thu, 23 Jul 2015 12:12:13 +0000 (GMT)
Subject: [keycloak-user] Re: LDAP with Kerberos, login with different user

TBH I have not checked out 1.4 yet. But I will have a look at it as soon as it's out.
It would solve my problem if 1.4 offers a way to create impersonated users and log in with username and password even if Kerberos is enabled.

On 23 July 2015 at 13:33, Marek Posolda wrote:
> Ah, OK. So it's about admin users. Also note that in the latest 1.4 version we will have a new "impersonation" feature, which allows an admin to temporarily log in on behalf of any other user. Isn't this even better for your use case?
>
> Marek
>
> On 23.7.2015 08:41, Michael Gerber wrote:
>> Hi, yes something like that would be great.
>> Because our application admins are no tech guys, so it would be nice to offer an easy solution to them ;)
>>
>> On 23 July 2015 at 08:35, Marek Posolda wrote:
>>> Maybe we can have a special request parameter, which will be sent from the application to the login screen. The parameter will contain a list of authentication mechanisms which you want to skip for this login. Something like "skipAuthType=cookie,kerberos". The list of skipped alternative mechanisms will be saved in the ClientSession, so the authentication SPI can deal with it.
>>>
>>> Not sure if it makes sense to add support into the adapter, but maybe something basic (like we have for the parameters "login_hint" or "kc_idp_hint" in keycloak.js) can be added as well?
>>>
>>> Marek
>>>
>>> On 23.7.2015 08:26, Marek Posolda wrote:
>>>> Do you want that for normal users or just for admin users? Just trying to understand the use case. Because AFAIK the point of Kerberos is that you log in to the desktop and then you're automatically logged into integrated web applications without needing to deal with any login screens and username/password. When a user has just one Keycloak account corresponding to his Kerberos ticket, then why does he need to log in as a different user?
>>>>
>>>> I can understand the use case for an admin, when you want to log in as a different user for testing purposes etc. For this, isn't it possible in Windows to do something like "kdestroy" to be able to log in without Kerberos?
>>>>
>>>> Marek
>>>>
>>>> On 23.7.2015 07:44, Michael Gerber wrote:
>>>>> Isn't it possible to create a cookie or add a URL parameter after the logout, so the user is not logged in automatically?
>>>>>
>>>>> It's crucial for us to be able to log in as a different user, otherwise we can not use Kerberos at all :(
>>>>>
>>>>> Michael
>>>>>
>>>>> On 22 July 2015 at 23:06, Marek Posolda wrote:
>>>>>> I don't think it's doable. Kerberos is a kind of desktop login, and logout from the web application won't destroy the Kerberos ticket - similarly to how it can't log out your laptop/desktop session. So when you visit the secured application next time, you are automatically logged into Keycloak through SPNEGO due to the Kerberos ticket.
>>>>>>
>>>>>> Hence you need to remove the Kerberos ticket manually (for example "kdestroy" works on Linux, but I guess you're using Windows + ActiveDirectory?) and then you will be able to see the Keycloak login screen and log in as a different user.
>>>>>>
>>>>>> Marek
>>>>>>
>>>>>> On 22.7.2015 15:38, Michael Gerber wrote:
>>>>>>> Hi all,
>>>>>>>
>>>>>>> I use LDAP with Kerberos and would like to log out and log in again with a different user (no Kerberos login, just the Keycloak username and password dialog).
>>>>>>> Is that possible?
>>>>>>>
>>>>>>> cheers
>>>>>>> Michael
From stian at redhat.com Thu Jul 23 08:20:27 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 23 Jul 2015 08:20:27 -0400 (EDT)
Subject: [keycloak-user] LDAP with Kerberos, login with different user
Message-ID: <1186547867.3370531.1437654027774.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Michael Gerber"
> To: "Marek Posolda"
> Cc: keycloak-user at lists.jboss.org
> Sent: Thursday, 23 July, 2015 2:12:13 PM
> Subject: [keycloak-user] Re: LDAP with Kerberos, login with different user
>
> TBH I have not checked out 1.4 yet. But I will have a look at it as soon as it's out.
>
> It would solve my problem if 1.4 offers a way to create impersonated users and log in with username and password even if Kerberos is enabled.

1.4 offers a way for an admin to impersonate another user without specifying the user's password - this doesn't provide a mechanism to log in with username/password

>
> On 23 July 2015 at 13:33, Marek Posolda wrote:
>
> Ah, OK. So it's about admin users. Also note that in the latest 1.4 version we will have a new "impersonation" feature, which allows an admin to temporarily log in on behalf of any other user. Isn't this even better for your use case?
>
> Marek
>
> On 23.7.2015 08:41, Michael Gerber wrote:
>
> Hi, yes something like that would be great.
> Because our application admins are no tech guys, so it would be nice to offer an easy solution to them ;)
>
> On 23 July 2015 at 08:35, Marek Posolda wrote:
>
> Maybe we can have a special request parameter, which will be sent from the application to the login screen. The parameter will contain a list of authentication mechanisms which you want to skip for this login. Something like "skipAuthType=cookie,kerberos". The list of skipped alternative mechanisms will be saved in the ClientSession, so the authentication SPI can deal with it.
>
> Not sure if it makes sense to add support into the adapter, but maybe something basic (like we have for the parameters "login_hint" or "kc_idp_hint" in keycloak.js) can be added as well?
>
> Marek
>
> On 23.7.2015 08:26, Marek Posolda wrote:
>
> Do you want that for normal users or just for admin users? Just trying to understand the use case. Because AFAIK the point of Kerberos is that you log in to the desktop and then you're automatically logged into integrated web applications without needing to deal with any login screens and username/password. When a user has just one Keycloak account corresponding to his Kerberos ticket, then why does he need to log in as a different user?
>
> I can understand the use case for an admin, when you want to log in as a different user for testing purposes etc. For this, isn't it possible in Windows to do something like "kdestroy" to be able to log in without Kerberos?
>
> Marek
>
> On 23.7.2015 07:44, Michael Gerber wrote:
>
> Isn't it possible to create a cookie or add a URL parameter after the logout, so the user is not logged in automatically?
>
> It's crucial for us to be able to log in as a different user, otherwise we can not use Kerberos at all :(
>
> Michael
>
> On 22 July 2015 at 23:06, Marek Posolda wrote:
>
> I don't think it's doable. Kerberos is a kind of desktop login, and logout from the web application won't destroy the Kerberos ticket - similarly to how it can't log out your laptop/desktop session. So when you visit the secured application next time, you are automatically logged into Keycloak through SPNEGO due to the Kerberos ticket.
>
> Hence you need to remove the Kerberos ticket manually (for example "kdestroy" works on Linux, but I guess you're using Windows + ActiveDirectory?) and then you will be able to see the Keycloak login screen and log in as a different user.
>
> Marek
>
> On 22.7.2015 15:38, Michael Gerber wrote:
>
> Hi all,
>
> I use LDAP with Kerberos and would like to logout and login again with a different user (no kerberos login, just keycloak username and password dialog).
> Is that possible?
>
> cheers
> Michael
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From gerbermichi at me.com  Thu Jul 23 08:35:40 2015
From: gerbermichi at me.com (Michael Gerber)
Date: Thu, 23 Jul 2015 12:35:40 +0000 (GMT)
Subject: [keycloak-user] Re: Re: LDAP with Kerberos, login with different user

Ok, so that won't solve my problem. I guess there is no other way than a cookie or a parameter to bypass kerberos.

On 23 July 2015 at 14:20, Stian Thorgersen wrote:

----- Original Message -----
From: "Michael Gerber"
To: "Marek Posolda"
Cc: keycloak-user at lists.jboss.org
Sent: Thursday, 23 July, 2015 2:12:13 PM
Subject: [keycloak-user] Re: LDAP with Kerberos, login with different user

TBH I have not checked out 1.4 yet. But I will have a look at it as soon as it's out.

It would solve my problem, if 1.4 offers a way to create impersonated users and login with username and password even if kerberos is enabled.

1.4 offers a way for an admin to impersonate another user without specifying the user's password - this doesn't provide a mechanism to login with username/password

On 23 July 2015 at 13:33, Marek Posolda wrote:

Ah, Ok. So it's about admin users. Also note that in latest 1.4 version we will have new "impersonation" feature, which allows admin to temporarily login on behalf of any other user. Isn't this even better for your use case?
Marek

On 23.7.2015 08:41, Michael Gerber wrote:

Hi, yes something like that would be great. Because our application admins are no tech guys, so it would be nice to offer an easy solution to them ;)

On 23 July 2015 at 08:35, Marek Posolda wrote:

Maybe we can have special request parameter, which will be sent from application to login screen. The parameter will contain list of authentication mechanisms, which you want to skip for this login. Something like "skipAuthType=cookie,kerberos". The list of skipped alternative mechanisms will be saved in ClientSession, so authentication SPI can deal with it.

Not sure if it makes sense to add support into adapter, but maybe something basic (like we have for parameters "login_hint" or "kc_idp_hint" in keycloak.js) can be added as well?

Marek

On 23.7.2015 08:26, Marek Posolda wrote:

Do you want that for normal users or just for admin users? Just trying to understand the use case. Because AFAIK the point of kerberos is, that you login into the desktop and then you're automatically logged into integrated web applications without need to deal with any login screens and username/password. When user has just one keycloak account corresponding to his kerberos ticket, then why does he need to login as different user?

I can understand the use case for admin, when you want to login as different user for testing purpose etc. For this, isn't it possible in windows to do something like "kdestroy" to be able to login without kerberos?

Marek

On 23.7.2015 07:44, Michael Gerber wrote:

Isn't it possible to create a cookie or add an url parameter after the logout, so the user is not logged in automatically?

It's crucial for us to be able to log in as a different user, otherwise we can not use kerberos at all :(

Michael

On 22 July 2015 at 23:06, Marek Posolda wrote:

I don't think it's doable.
Kerberos is kind of desktop login and logout from the web application won't destroy the kerberos ticket - similarly like it can't logout your laptop/desktop session. So when you visit the secured application next time, you are automatically logged into Keycloak through SPNEGO due to the Kerberos ticket.

Hence you need to remove kerberos ticket manually (For example "kdestroy" works on Linux, but I guess you're using Windows + ActiveDirectory?) and then you will be able to see keycloak login screen and login as different user.

Marek

On 22.7.2015 15:38, Michael Gerber wrote:

Hi all,

I use LDAP with Kerberos and would like to logout and login again with a different user (no kerberos login, just keycloak username and password dialog).
Is that possible?

cheers
Michael

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150723/740f4d6e/attachment.html

From ornot2008 at yahoo.com  Thu Jul 23 09:04:09 2015
From: ornot2008 at yahoo.com (Mai Zi)
Date: Thu, 23 Jul 2015 13:04:09 +0000 (UTC)
Subject: [keycloak-user] Is it possible to complete a login process with program ?
Message-ID: <1802144848.1181208.1437656649485.JavaMail.yahoo@mail.yahoo.com>

Hi, there,

I am new in this domain so pls help me even my question looks too naive.

What I want to do is as below:

1) Add a user with RESTful API.
2) get the token with direct access grant.

All above will happen with program.

We can add a user, but can not get the token. It seems the user can not login in.

We missed something?

Is there any example code?

Thanks in advance.
Mai

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150723/985f4c57/attachment-0001.html

From stian at redhat.com  Thu Jul 23 09:59:07 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 23 Jul 2015 09:59:07 -0400 (EDT)
Subject: [keycloak-user] Is it possible to complete a login process with program ?
In-Reply-To: <1802144848.1181208.1437656649485.JavaMail.yahoo@mail.yahoo.com>
References: <1802144848.1181208.1437656649485.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <1612942116.3456493.1437659947799.JavaMail.zimbra@redhat.com>

Did you set credentials for the user? There are separate endpoints to create the user and set user credentials

----- Original Message -----
> From: "Mai Zi"
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, 23 July, 2015 3:04:09 PM
> Subject: [keycloak-user] Is it possible to complete a login process with program ?
>
> Hi, there,
>
> I am new in this domain so pls help me even my question looks too naive.
>
> What I want to do is as below:
>
> 1) Add a user with RESTful API.
> 2) get the token with direct access grant.
>
> All above will happen with program.
>
> We can add a user, but can not get the token. It seems the user can not login in.
>
> We missed something?
>
> Is there any example code?
>
> Thanks in advance.
>
> Mai
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From bburke at redhat.com  Thu Jul 23 10:02:53 2015
From: bburke at redhat.com (Bill Burke)
Date: Thu, 23 Jul 2015 10:02:53 -0400
Subject: [keycloak-user] LDAP with Kerberos, login with different user
In-Reply-To: <55B088FD.2020505@redhat.com>
References: <55B088FD.2020505@redhat.com>
Message-ID: <55B0F40D.30007@redhat.com>

With the new flows, we could detect a kerberos login then ask if they want to login as that user or another.

On 7/23/2015 2:26 AM, Marek Posolda wrote:
> Do you want that for normal users or just for admin users? Just trying to understand the use case. Because AFAIK the point of kerberos is, that you login into the desktop and then you're automatically logged into integrated web applications without need to deal with any login screens and username/password. When user has just one keycloak account corresponding to his kerberos ticket, then why does he need to login as different user?
>
> I can understand the use case for admin, when you want to login as different user for testing purpose etc. For this, isn't it possible in windows to do something like "kdestroy" to be able to login without kerberos?
>
> Marek
>
> On 23.7.2015 07:44, Michael Gerber wrote:
>> Isn't it possible to create a cookie or add an url parameter after the logout, so the user is not logged in automatically?
>>
>> It's crucial for us to be able to log in as a different user, otherwise we can not use kerberos at all :(
>>
>> Michael
>>
>> On 22 July 2015 at 23:06, Marek Posolda wrote:
>>
>>> I don't think it's doable. Kerberos is kind of desktop login and logout from the web application won't destroy the kerberos ticket - similarly like it can't logout your laptop/desktop session.
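To illustrate Stian's answer in the "Is it possible to complete a login process with program ?" thread above (create the user, set its credentials on a separate endpoint, then ask for a token with a direct access grant), here is an added example; it is not code from the list or from the Keycloak project. It assumes the 1.x URL layout under /auth (POST /auth/admin/realms/{realm}/users, PUT /auth/admin/realms/{realm}/users/{id}/reset-password, and POST /auth/realms/{realm}/protocol/openid-connect/token with grant_type=password), a client with direct access grants enabled, and an admin bearer token obtained beforehand. FakeKeycloak, the user ids it hands out and the wording of its 401 body are constructed for offline use; only the invalid_grant error code is standard (RFC 6749).

```python
"""User provisioning followed by a direct access grant against Keycloak 1.x.
Added example, not code from the mailing list or the Keycloak project; assumes the
1.x URL layout under /auth, a client with direct access grants enabled and an admin
bearer token obtained elsewhere. FakeKeycloak is a constructed offline stand-in."""
import io, json, types
import urllib.error, urllib.parse, urllib.request


def direct_grant_body(client_id, username, password, client_secret=None):
    # Form-encoded token request; grant_type=password is the "direct access grant".
    fields = {"grant_type": "password", "client_id": client_id,
              "username": username, "password": password}
    if client_secret is not None:  # confidential clients must also authenticate
        fields["client_secret"] = client_secret
    return urllib.parse.urlencode(fields).encode()


class KeycloakProvisioner:
    def __init__(self, base_url, realm, opener=urllib.request.urlopen):
        self.admin = f"{base_url}/auth/admin/realms/{realm}"  # admin REST API root
        self.token_url = f"{base_url}/auth/realms/{realm}/protocol/openid-connect/token"
        self.opener = opener  # urllib.request.urlopen, or FakeKeycloak() offline

    def _call(self, method, url, body, headers):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        try:
            resp = self.opener(req)
            return resp.status, resp.headers, resp.read()
        except urllib.error.HTTPError as err:  # 4xx/5xx still carry a JSON body
            return err.code, err.headers, err.read()

    def _admin_json(self, admin_token, method, path, payload):
        headers = {"Authorization": f"Bearer {admin_token}",
                   "Content-Type": "application/json"}
        return self._call(method, self.admin + path, json.dumps(payload).encode(), headers)

    def create_user(self, admin_token, username, email):
        # POST /users creates the account only; it sets NO credentials.
        status, headers, body = self._admin_json(
            admin_token, "POST", "/users",
            {"username": username, "email": email, "enabled": True})
        if status != 201:
            raise RuntimeError(f"create user failed: {status} {body!r}")
        # The new user's URL comes back in Location; its last segment is the id.
        return headers["Location"].rstrip("/").rsplit("/", 1)[-1]

    def set_password(self, admin_token, user_id, password, temporary=False):
        # PUT a CredentialRepresentation; temporary=True forces a change at next login.
        status, _, body = self._admin_json(
            admin_token, "PUT", f"/users/{user_id}/reset-password",
            {"type": "password", "value": password, "temporary": temporary})
        if status != 204:
            raise RuntimeError(f"set password failed: {status} {body!r}")

    def direct_grant(self, client_id, username, password, client_secret=None):
        # Returns (status, parsed JSON): 200 with tokens, or 401 with invalid_grant.
        status, _, body = self._call(
            "POST", self.token_url,
            direct_grant_body(client_id, username, password, client_secret),
            {"Content-Type": "application/x-www-form-urlencoded"})
        return status, json.loads(body.decode() or "{}")


def provision_and_login(kc, admin_token, client_id, username, email, password,
                        set_credentials=True):
    # The three steps from the thread; set_credentials=False reproduces the symptom.
    user_id = kc.create_user(admin_token, username, email)
    if set_credentials:
        kc.set_password(admin_token, user_id, password)
    return kc.direct_grant(client_id, username, password)


class FakeKeycloak:
    """Constructed in-memory realm mimicking the three endpoints (offline only)."""

    def __init__(self):
        self.users, self.passwords, self.next_id = {}, {}, 1

    def __call__(self, req):
        url, method, body = req.full_url, req.get_method(), req.data or b""
        ok = lambda s, p, h: types.SimpleNamespace(status=s, headers=h, read=lambda: p)
        if method == "POST" and url.endswith("/users"):
            uid, self.next_id = f"fake-id-{self.next_id}", self.next_id + 1
            self.users[uid] = json.loads(body)
            return ok(201, b"", {"Location": f"{url}/{uid}"})
        if method == "PUT" and url.endswith("/reset-password"):
            self.passwords[url.rsplit("/", 2)[-2]] = json.loads(body)["value"]
            return ok(204, b"", {})
        if method == "POST" and url.endswith("/token"):
            form = urllib.parse.parse_qs(body.decode())
            for uid, rep in self.users.items():
                if (rep["username"] == form["username"][0]
                        and self.passwords.get(uid) == form["password"][0]):
                    return ok(200, json.dumps({"access_token": f"tok-{uid}"}).encode(), {})
            # Assumed wording of the real rejection; "invalid_grant" is RFC 6749's code.
            raise urllib.error.HTTPError(url, 401, "Unauthorized", {}, io.BytesIO(
                b'{"error":"invalid_grant","error_description":"Invalid user credentials"}'))
        raise urllib.error.HTTPError(url, 404, "Not Found", {}, io.BytesIO(b""))
```

Against a real server, construct KeycloakProvisioner without the opener argument. Two points worth keeping in mind: the account created by POST /users has no credential until the reset-password call succeeds, which is exactly the "user is created but gets no token" symptom in the thread; and a direct access grant hands the user's password to the token endpoint, so it belongs only in trusted first-party clients talking to the server over TLS, with the provisioning admin token coming from a dedicated service account rather than a person's login.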
>>> So when you visit the secured application next time, you are automatically logged into Keycloak through SPNEGO due to the Kerberos ticket.
>>>
>>> Hence you need to remove kerberos ticket manually (For example "kdestroy" works on Linux, but I guess you're using Windows + ActiveDirectory?) and then you will be able to see keycloak login screen and login as different user.
>>>
>>> Marek
>>>
>>> On 22.7.2015 15:38, Michael Gerber wrote:
>>>> Hi all,
>>>>
>>>> I use LDAP with Kerberos and would like to logout and login again with a different user (no kerberos login, just keycloak username and password dialog).
>>>> Is that possible?
>>>>
>>>> cheers
>>>> Michael
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From stian at redhat.com  Thu Jul 23 10:36:02 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 23 Jul 2015 10:36:02 -0400 (EDT)
Subject: [keycloak-user] LDAP with Kerberos, login with different user
In-Reply-To: <55B0F40D.30007@redhat.com>
References: <55B088FD.2020505@redhat.com> <55B0F40D.30007@redhat.com>
Message-ID: <1973454276.3479379.1437662162825.JavaMail.zimbra@redhat.com>

"Is this you?"

----- Original Message -----
> From: "Bill Burke"
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, 23 July, 2015 4:02:53 PM
> Subject: Re: [keycloak-user] LDAP with Kerberos, login with different user
>
> With the new flows, we could detect a kerberos login then ask if they want to login as that user or another.
>
> On 7/23/2015 2:26 AM, Marek Posolda wrote:
> > Do you want that for normal users or just for admin users?
> > Just trying to understand the use case. Because AFAIK the point of kerberos is, that you login into the desktop and then you're automatically logged into integrated web applications without need to deal with any login screens and username/password. When user has just one keycloak account corresponding to his kerberos ticket, then why does he need to login as different user?
> >
> > I can understand the use case for admin, when you want to login as different user for testing purpose etc. For this, isn't it possible in windows to do something like "kdestroy" to be able to login without kerberos?
> >
> > Marek
> >
> > On 23.7.2015 07:44, Michael Gerber wrote:
> >> Isn't it possible to create a cookie or add an url parameter after the logout, so the user is not logged in automatically?
> >>
> >> It's crucial for us to be able to log in as a different user, otherwise we can not use kerberos at all :(
> >>
> >> Michael
> >>
> >> On 22 July 2015 at 23:06, Marek Posolda wrote:
> >>
> >>> I don't think it's doable. Kerberos is kind of desktop login and logout from the web application won't destroy the kerberos ticket - similarly like it can't logout your laptop/desktop session. So when you visit the secured application next time, you are automatically logged into Keycloak through SPNEGO due to the Kerberos ticket.
> >>>
> >>> Hence you need to remove kerberos ticket manually (For example "kdestroy" works on Linux, but I guess you're using Windows + ActiveDirectory?) and then you will be able to see keycloak login screen and login as different user.
> >>>
> >>> Marek
> >>>
> >>> On 22.7.2015 15:38, Michael Gerber wrote:
> >>>> Hi all,
> >>>>
> >>>> I use LDAP with Kerberos and would like to logout and login again with a different user (no kerberos login, just keycloak username and password dialog).
> >>>> Is that possible?
> >>>>
> >>>> cheers
> >>>> Michael
> >>>>
> >>>> _______________________________________________
> >>>> keycloak-user mailing list
> >>>> keycloak-user at lists.jboss.org
> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From rodrigopsasaki at gmail.com  Thu Jul 23 10:50:06 2015
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Thu, 23 Jul 2015 14:50:06 +0000
Subject: [keycloak-user] Deploy Keycloak from within IntelliJ IDEA
In-Reply-To: <158028761.3267841.1437638147006.JavaMail.zimbra@redhat.com>
References: <158028761.3267841.1437638147006.JavaMail.zimbra@redhat.com>

Oh, I see.

I am modifying the Keycloak code, the class works but it lacks a bit of the flexibility I had when I could maintain my own standalone.xml

I saw there is a way for me to run tests using a specific database, but is there a way for me to deploy it using a different database than the default H2? I couldn't see an option for it on the properties file you use to configure the server on startup.

I realize this is a very specific case, but maybe there's a solution.

Thanks again,
Rodrigo Sasaki

On Thu, 23 Jul 2015 at 04:55, Stian Thorgersen wrote:
> Keycloak is not deployed as a WAR anymore, so there's no concept of deploying Keycloak to a WildFly server.
>
> Are you forking/modifying Keycloak code? If so have a look at https://github.com/keycloak/keycloak/blob/master/misc/Testsuite.md#keycloak-server. There's KeycloakServer which contains a main method and can be run directly from the IDE.
>
> If you're not modifying Keycloak code and just developing your own apps I recommend either spinning up a standalone KC server, or to use the server-overlay download and add it to the WildFly server you deploy your apps to (this is only recommended for development btw).
>
> ----- Original Message -----
> > From: "Rodrigo Sasaki"
> > To: keycloak-user at lists.jboss.org
> > Sent: Wednesday, 22 July, 2015 7:24:42 PM
> > Subject: [keycloak-user] Deploy Keycloak from within IntelliJ IDEA
> >
> > Hello everyone,
> >
> > I haven't used Keycloak since version 1.0.2, which we have now in production. But now Keycloak has so many new features that we decided to migrate to the 1.3.1.Final
> >
> > This is a very specific issue, maybe this has already been discussed before, and if it has I'd like to ask you to direct me to that thread.
> >
> > Anyways, I want to deploy Keycloak from within IntelliJ IDEA, on version 1.0.2 all I had to do was add an artifact of keycloak-server on the deployment and it was done, but that no longer exists and I don't seem to find a replacement for it.
> >
> > What I do now is add a step to execute a maven goal to package the war and I created an artifact based on that war to deploy it, it works fine but I believe there must be a simpler solution, and doing it like this I can't use JRebel to hot deploy my alterations as well.
> >
> > Is there a way to do what I'm trying to do? I'll be happy to provide you more information if necessary.
> >
> > Cheers,
> > Rodrigo Sasaki
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150723/4c22bf83/attachment.html

From mposolda at redhat.com  Thu Jul 23 10:50:28 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 23 Jul 2015 16:50:28 +0200
Subject: [keycloak-user] LDAP with Kerberos, login with different user
In-Reply-To: <1973454276.3479379.1437662162825.JavaMail.zimbra@redhat.com>
References: <55B088FD.2020505@redhat.com> <55B0F40D.30007@redhat.com> <1973454276.3479379.1437662162825.JavaMail.zimbra@redhat.com>
Message-ID: <55B0FF34.6080401@redhat.com>

Maybe it can be configurable for the kerberos mechanism? Just the flag "login automatically". If it's off, another confirmation screen for the user will be displayed?

Marek

On 23.7.2015 16:36, Stian Thorgersen wrote:
> "Is this you?"
>
> ----- Original Message -----
>> From: "Bill Burke"
>> To: keycloak-user at lists.jboss.org
>> Sent: Thursday, 23 July, 2015 4:02:53 PM
>> Subject: Re: [keycloak-user] LDAP with Kerberos, login with different user
>>
>> With the new flows, we could detect a kerberos login then ask if they want to login as that user or another.
>>
>> On 7/23/2015 2:26 AM, Marek Posolda wrote:
>>> Do you want that for normal users or just for admin users? Just trying to understand the use case. Because AFAIK the point of kerberos is, that you login into the desktop and then you're automatically logged into integrated web applications without need to deal with any login screens and username/password. When user has just one keycloak account corresponding to his kerberos ticket, then why does he need to login as different user?
>>>
>>> I can understand the use case for admin, when you want to login as different user for testing purpose etc. For this, isn't it possible in windows to do something like "kdestroy" to be able to login without kerberos?
>>>
>>> Marek
>>>
>>> On 23.7.2015 07:44, Michael Gerber wrote:
>>>> Isn't it possible to create a cookie or add an url parameter after the logout, so the user is not logged in automatically?
>>>>
>>>> It's crucial for us to be able to log in as a different user, otherwise we can not use kerberos at all :(
>>>>
>>>> Michael
>>>>
>>>> On 22 July 2015 at 23:06, Marek Posolda wrote:
>>>>
>>>>> I don't think it's doable. Kerberos is kind of desktop login and logout from the web application won't destroy the kerberos ticket - similarly like it can't logout your laptop/desktop session. So when you visit the secured application next time, you are automatically logged into Keycloak through SPNEGO due to the Kerberos ticket.
>>>>>
>>>>> Hence you need to remove kerberos ticket manually (For example "kdestroy" works on Linux, but I guess you're using Windows + ActiveDirectory?) and then you will be able to see keycloak login screen and login as different user.
>>>>>
>>>>> Marek
>>>>>
>>>>> On 22.7.2015 15:38, Michael Gerber wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> I use LDAP with Kerberos and would like to logout and login again with a different user (no kerberos login, just keycloak username and password dialog).
>>>>>> Is that possible?
>>>>>>
>>>>>> cheers
>>>>>> Michael
>>>>>>
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From stian at redhat.com  Thu Jul 23 10:52:10 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 23 Jul 2015 10:52:10 -0400 (EDT)
Subject: [keycloak-user] Deploy Keycloak from within IntelliJ IDEA
References: <158028761.3267841.1437638147006.JavaMail.zimbra@redhat.com>
Message-ID: <2138881042.3492613.1437663130214.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Rodrigo Sasaki"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Thursday, 23 July, 2015 4:50:06 PM
> Subject: Re: [keycloak-user] Deploy Keycloak from within IntelliJ IDEA
>
> Oh, I see.
>
> I am modifying the Keycloak code, the class works but it lacks a bit of the flexibility I had when I could maintain my own standalone.xml
>
> I saw there is a way for me to run tests using a specific database, but is there a way for me to deploy it using a different database than the default H2? I couldn't see an option for it on the properties file you use to configure the server on startup.

You can either pass system properties for it, that's what our tests do. Or edit the keycloak-server.json it uses directly.

>
> I realize this is a very specific case, but maybe there's a solution.

Not really, we do it all the time ;)

>
> Thanks again,
> Rodrigo Sasaki
>
> On Thu, 23 Jul 2015 at 04:55, Stian Thorgersen wrote:
>
> > Keycloak is not deployed as a WAR anymore, so there's no concept of deploying Keycloak to a WildFly server.
> >
> > Are you forking/modifying Keycloak code? If so have a look at https://github.com/keycloak/keycloak/blob/master/misc/Testsuite.md#keycloak-server. There's KeycloakServer which contains a main method and can be run directly from the IDE.
> >
> > If you're not modifying Keycloak code and just developing your own apps I recommend either spinning up a standalone KC server, or to use the server-overlay download and add it to the WildFly server you deploy your apps to (this is only recommended for development btw).
> >
> > ----- Original Message -----
> > > From: "Rodrigo Sasaki"
> > > To: keycloak-user at lists.jboss.org
> > > Sent: Wednesday, 22 July, 2015 7:24:42 PM
> > > Subject: [keycloak-user] Deploy Keycloak from within IntelliJ IDEA
> > >
> > > Hello everyone,
> > >
> > > I haven't used Keycloak since version 1.0.2, which we have now in production. But now Keycloak has so many new features that we decided to migrate to the 1.3.1.Final
> > >
> > > This is a very specific issue, maybe this has already been discussed before, and if it has I'd like to ask you to direct me to that thread.
> > >
> > > Anyways, I want to deploy Keycloak from within IntelliJ IDEA, on version 1.0.2 all I had to do was add an artifact of keycloak-server on the deployment and it was done, but that no longer exists and I don't seem to find a replacement for it.
> > >
> > > What I do now is add a step to execute a maven goal to package the war and I created an artifact based on that war to deploy it, it works fine but I believe there must be a simpler solution, and doing it like this I can't use JRebel to hot deploy my alterations as well.
> > >
> > > Is there a way to do what I'm trying to do? I'll be happy to provide you more information if necessary.
> > >
> > > Cheers,
> > > Rodrigo Sasaki
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>

From rodrigopsasaki at gmail.com  Thu Jul 23 10:56:55 2015
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Thu, 23 Jul 2015 14:56:55 +0000
Subject: [keycloak-user] Deploy Keycloak from within IntelliJ IDEA
In-Reply-To: <2138881042.3492613.1437663130214.JavaMail.zimbra@redhat.com>
References: <158028761.3267841.1437638147006.JavaMail.zimbra@redhat.com> <2138881042.3492613.1437663130214.JavaMail.zimbra@redhat.com>

Hm, is there a way for me to define a datasource on the keycloak-server.json? I know I can specify the JNDI of the datasource I want to use, but can I configure one there too?

On Thu, 23 Jul 2015 at 11:52, Stian Thorgersen wrote:
>
> ----- Original Message -----
> > From: "Rodrigo Sasaki"
> > To: "Stian Thorgersen"
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Thursday, 23 July, 2015 4:50:06 PM
> > Subject: Re: [keycloak-user] Deploy Keycloak from within IntelliJ IDEA
> >
> > Oh, I see.
> >
> > I am modifying the Keycloak code, the class works but it lacks a bit of the flexibility I had when I could maintain my own standalone.xml
> >
> > I saw there is a way for me to run tests using a specific database, but is there a way for me to deploy it using a different database than the default H2?
> > I couldn't see an option for it on the properties file you use to configure the server on startup.
>
> You can either pass system properties for it, that's what our tests do. Or edit the keycloak-server.json it uses directly.
>
> >
> > I realize this is a very specific case, but maybe there's a solution.
>
> Not really, we do it all the time ;)
>
> >
> > Thanks again,
> > Rodrigo Sasaki
> >
> > On Thu, 23 Jul 2015 at 04:55, Stian Thorgersen wrote:
> >
> > > Keycloak is not deployed as a WAR anymore, so there's no concept of deploying Keycloak to a WildFly server.
> > >
> > > Are you forking/modifying Keycloak code? If so have a look at https://github.com/keycloak/keycloak/blob/master/misc/Testsuite.md#keycloak-server. There's KeycloakServer which contains a main method and can be run directly from the IDE.
> > >
> > > If you're not modifying Keycloak code and just developing your own apps I recommend either spinning up a standalone KC server, or to use the server-overlay download and add it to the WildFly server you deploy your apps to (this is only recommended for development btw).
> > >
> > > ----- Original Message -----
> > > > From: "Rodrigo Sasaki"
> > > > To: keycloak-user at lists.jboss.org
> > > > Sent: Wednesday, 22 July, 2015 7:24:42 PM
> > > > Subject: [keycloak-user] Deploy Keycloak from within IntelliJ IDEA
> > > >
> > > > Hello everyone,
> > > >
> > > > I haven't used Keycloak since version 1.0.2, which we have now in production. But now Keycloak has so many new features that we decided to migrate to the 1.3.1.Final
> > > >
> > > > This is a very specific issue, maybe this has already been discussed before, and if it has I'd like to ask you to direct me to that thread.
> > > >
> > > > Anyways, I want to deploy Keycloak from within IntelliJ IDEA, on version 1.0.2 all I had to do was add an artifact of keycloak-server on the deployment and it was done, but that no longer exists and I don't seem to find a replacement for it.
> > > >
> > > > What I do now is add a step to execute a maven goal to package the war and I created an artifact based on that war to deploy it, it works fine but I believe there must be a simpler solution, and doing it like this I can't use JRebel to hot deploy my alterations as well.
> > > >
> > > > Is there a way to do what I'm trying to do? I'll be happy to provide you more information if necessary.
> > > >
> > > > Cheers,
> > > > Rodrigo Sasaki
> > > >
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> >
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150723/5ecafc76/attachment.html

From spousty at redhat.com  Thu Jul 23 11:05:12 2015
From: spousty at redhat.com (Steven Pousty)
Date: Thu, 23 Jul 2015 08:05:12 -0700
Subject: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.3.1.Final
References: <1525379670.1408788.1437472494893.JavaMail.zimbra@redhat.com> <55AEAC84.303@gmail.com> <55AEB335.7020207@gmail.com> <1091621274.2271286.1437549008652.JavaMail.zimbra@redhat.com> <503404133.3301148.1437641309825.JavaMail.zimbra@redhat.com> <55B0C5E4.7070902@gmail.com> <1670618386.3341432.1437649197877.JavaMail.zimbra@redhat.com>
Message-ID: <55B102A8.2020702@redhat.com>

Does the keycloak cartridge hardwire ips when it is "installed" into a gear?

Are these scalable applications, as in, were they created with

    rhc app create .... -s

What happens if you restart the gear

    rhc app restart -a mykeycloakapp

if that doesn't fix it then try

    rhc app force-stop -a mykeycloakapp
    rhc app start -a mykeycloakapp

This could help narrow down the problem. Because if either of those work it is something about return from idling that is not getting properly set with the routing layer.

On 07/23/2015 04:15 AM, Mike Hills wrote:
> It's good to know I am not alone :)
>
> I consistently receive this error on both the 1.2 and 1.3 versions of Keycloak running on OPENSHIFT ONLINE.
>
> OPENSHIFT support had me validate that I could access my keycloak instance at http://localhost:8080/auth after executing: *rhc port-forward keycloak.* (which I could). I have not had a follow-up support since I confirmed this.
>
> https://access.redhat.com/support/cases/#/case/01479959
>
> On Thu, Jul 23, 2015 at 6:59 AM, Stian Thorgersen wrote:
>
> Just got the same issue on my instance. Seems that after the instance is idled it returns this 502 even after the instance is restarted (confirmed in the log that it's up and running).
>
> ----- Original Message -----
> > From: "Ioan Eugen Stan"
> > To: "Stian Thorgersen"
> > Cc: "keycloak-user"
> > Sent: Thursday, 23 July, 2015 12:45:56 PM
> > Subject: Re: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.3.1.Final
> >
> > Thank you for the response. However, I think it's another beast altogether:
> >
> > https://keycloak-ieugen.rhcloud.com/auth/admin/
> >
> > Proxy Error
> >
> > The proxy server received an invalid response from an upstream server.
> > The proxy server could not handle the request GET /auth/admin/.
> >
> > Reason: DNS lookup failure for: 127.0.0.1:80auth
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Michael J. Hills
> Sr. CRM Architect
>
> Mobile: 603.475.5093
> Email : mike.hills at sematree.com
> Skype : mhills_sematree
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150723/ecd65ca5/attachment.html

From mike.hills at sematree.com  Thu Jul 23 11:14:03 2015
From: mike.hills at sematree.com (Mike Hills)
Date: Thu, 23 Jul 2015 11:14:03 -0400
Subject: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.3.1.Final
In-Reply-To: <55B102A8.2020702@redhat.com>
References: <1525379670.1408788.1437472494893.JavaMail.zimbra@redhat.com> <55AEAC84.303@gmail.com> <55AEB335.7020207@gmail.com> <1091621274.2271286.1437549008652.JavaMail.zimbra@redhat.com> <503404133.3301148.1437641309825.JavaMail.zimbra@redhat.com> <55B0C5E4.7070902@gmail.com> <1670618386.3341432.1437649197877.JavaMail.zimbra@redhat.com> <55B102A8.2020702@redhat.com>

No on all accounts... I performed all of the steps and none of them allowed me to access keycloak.
My keycloak server.log file 2015-07-23 11:11:04,640 INFO [org.hibernate.hql.internal.ast.ASTQueryTranslatorFactory] (ServerService Thread Pool -- 73) HHH000397: Using ASTQueryTranslatorFactory 2015-07-23 11:11:04,891 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 73) HV000001: Hibernate Validator 5.1.3.Final 2015-07-23 11:11:13,582 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Deploying javax.ws.rs.core.Application: class org.keycloak.services.resources.KeycloakApplication 2015-07-23 11:11:13,585 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding class resource org.keycloak.services.resources.ThemeResource from Application class org.keycloak.services.resources.KeycloakApplication 2015-07-23 11:11:13,585 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding class resource org.keycloak.services.resources.JsResource from Application class org.keycloak.services.resources.KeycloakApplication 2015-07-23 11:11:13,585 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding class resource org.keycloak.services.resources.WelcomeResource from Application class org.keycloak.services.resources.KeycloakApplication 2015-07-23 11:11:13,585 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding class resource org.keycloak.services.resources.QRCodeResource from Application class org.keycloak.services.resources.KeycloakApplication 2015-07-23 11:11:13,586 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding provider class org.keycloak.SkeletonKeyContextResolver from Application class org.keycloak.services.resources.KeycloakApplication 2015-07-23 11:11:13,586 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding singleton resource org.keycloak.services.resources.ServerVersionResource from Application 
class org.keycloak.services.resources.KeycloakApplication 2015-07-23 11:11:13,586 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding singleton resource org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication 2015-07-23 11:11:13,587 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding provider singleton org.keycloak.services.resources.ModelExceptionMapper from Application class org.keycloak.services.resources.KeycloakApplication 2015-07-23 11:11:13,587 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding singleton resource org.keycloak.services.resources.RealmsResource from Application class org.keycloak.services.resources.KeycloakApplication 2015-07-23 11:11:13,856 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 73) WFLYUT0021: Registered web context: /auth 2015-07-23 11:11:14,069 INFO [org.jboss.as.server] (ServerService Thread Pool -- 67) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war") 2015-07-23 11:11:15,141 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.3.17.129:9990/management 2015-07-23 11:11:15,142 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.3.17.129:9990 2015-07-23 11:11:15,143 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: WildFly Full 9.0.0.CR2 (WildFly Core 1.0.0.CR6) started in 58758ms - Started 334 of 553 services (271 services are lazy, passive or on-demand) On Thu, Jul 23, 2015 at 11:05 AM, Steven Pousty wrote: > Does the keycloak cartridge hardwire ips when it is "installed" into a > gear? Are these scalable applications, as in, were they created with* rhc > app create .... 
-s* > > What happens if you restart the gear > > *rhc app restart -a mykeycloakapp* > > if that doesn't fix it then try > > *rhc app force-stop -a mykeycloakapp* > *rhc app start -a mykeycloakapp* > > This could help narrow down the problem. Because it either of those work > it is something about return from idling that is not getting properly set > with the routing layer. > > On 07/23/2015 04:15 AM, Mike Hills wrote: > > It's good to know I am not alone :) > > I consistently receive this error on both the 1.2 and 1.3 versions of > Keycloak running on OPENSHIFT ONLINE. > > OPENSHIFT support had me validate that I could access my keycloak > instance at http://localhost:8080/auth after executing: *rhc > port-forward keycloak.* (which I could). I have not had a follow-up > support since I confirmed this. > > https://access.redhat.com/support/cases/#/case/01479959 > > > On Thu, Jul 23, 2015 at 6:59 AM, Stian Thorgersen > wrote: > >> Just got the same issue on my instance. Seems that after the instance is >> idled it returns this 502 even after the instance is restarted (confirmed >> in the log that it's up and running). >> >> ----- Original Message ----- >> > From: "Ioan Eugen Stan" >> > To: "Stian Thorgersen" >> > Cc: "keycloak-user" >> > Sent: Thursday, 23 July, 2015 12:45:56 PM >> > Subject: Re: [keycloak-user] Keycloak OpenShift Cartridge updated to >> 1.3.1.Final >> > >> > Thank you for the response. However, I think it's another beast >> altogether: >> > >> > >> > https://keycloak-ieugen.rhcloud.com/auth/admin/ >> > >> > Proxy Error >> > >> > The proxy server received an invalid response from an upstream server. >> > The proxy server could not handle the request GET /auth/admin/. >> > >> > Reason: DNS lookup failure for: 127.0.0.1:80auth >> > >> > >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > > -- > Michael J. Hills > Sr. 
CRM Architect > > Mobile: 603.475.5093 > Email : mike.hills at sematree.com > Skype : mhills_sematree > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -- Michael J. Hills Sr. CRM Architect Mobile: 603.475.5093 Email : mike.hills at sematree.com Skype : mhills_sematree From prabhalar at yahoo.com Thu Jul 23 11:14:25 2015 From: prabhalar at yahoo.com (Raghu Prabhala) Date: Thu, 23 Jul 2015 11:14:25 -0400 Subject: [keycloak-user] LDAP with Kerberos, login with different user In-Reply-To: <55B0FF34.6080401@redhat.com> References: <55B088FD.2020505@redhat.com> <55B0F40D.30007@redhat.com> <1973454276.3479379.1437662162825.JavaMail.zimbra@redhat.com> <55B0FF34.6080401@redhat.com> Message-ID: Why can't we have two separate authentication mechanisms - one IWA, in which case the user is logged in automatically and on logout he is taken to a login page where a diff userid can be entered and two, a login page that allows userid/password? That would address our use case. Sent from my iPhone > On Jul 23, 2015, at 10:50 AM, Marek Posolda wrote: > > Maybe it can be configurable for the kerberos mechanism? Just the flag > "login automatically" . If it's off, another confirmation screen for the > user will be displayed? > > Marek > >> On 23.7.2015 16:36, Stian Thorgersen wrote: >> "Is this you?" >> >> ----- Original Message ----- >>> From: "Bill Burke" >>> To: keycloak-user at lists.jboss.org >>> Sent: Thursday, 23 July, 2015 4:02:53 PM >>> Subject: Re: [keycloak-user] LDAP with Kerberos, login with different user >>> >>> With the new flows, we could detect a kerberos login then ask if they >>> want to login as that user or another. 
>>> >>>> On 7/23/2015 2:26 AM, Marek Posolda wrote: >>>> Do you want that for normal users or just for admin users? Just trying >>>> to understand the usecase. Because AFAIK the point of kerberos is, that >>>> you login into the desktop and then you're automatically logged into >>>> integrated web applications without need to deal with any login screens >>>> and username/password. When user has just one keycloak account >>>> corresponding to his kerberos ticket, then why he need to login as >>>> different user? >>>> >>>> I can understand the usecase for admin, when you want to login as >>>> different user for testing purpose etc. For this, isn't it possible in >>>> windows to do something like "kdestroy" to be able to login without >>>> kerberos? >>>> >>>> Marek >>>> >>>>> On 23.7.2015 07:44, Michael Gerber wrote: >>>>> Isn't it possible to create a cookie or add an url parameter after the >>>>> logout, so the user is not logged in automatically? >>>>> >>>>> It's crucial for us to be able to log in as a different user, >>>>> otherwise we can not use kerberos at all :( >>>>> >>>>> Michael >>>>> >>>>>> Am 22. Juli 2015 um 23:06 schrieb Marek Posolda : >>>>>> >>>>>> I don't think it's doable. Kerberos is kind of desktop login and >>>>>> logout from the web application won't destroy the kerberos ticket - >>>>>> similarly like it can't logout your laptop/desktop session. So when >>>>>> you visit the secured application next time, you are automatically >>>>>> logged into Keycloak through SPNEGO due to the Kerberos ticket. >>>>>> >>>>>> Hence you need to remove kerberos ticket manually (For example >>>>>> "kdestroy" works on Linux, but I guess you're using Windows + >>>>>> ActiveDirectory? ) and then you will be able to see keycloak login >>>>>> screen and login as different user. 
>>>>>> >>>>>> Marek >>>>>> >>>>>>> On 22.7.2015 15:38, Michael Gerber wrote: >>>>>>> Hi all, >>>>>>> >>>>>>> I use LDAP with Kerberos and would like to logout and login again >>>>>>> with a different user (no kerberos login, just keycloak username and >>>>>>> password dialog). >>>>>>> Is that possible? >>>>>>> >>>>>>> cheers >>>>>>> Michael >>>>>>> >>>>>>> >>>>>>> _______________________________________________ >>>>>>> keycloak-user mailing list >>>>>>> keycloak-user at lists.jboss.org >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> -- >>> Bill Burke >>> JBoss, a division of Red Hat >>> http://bill.burkecentral.com >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From spousty at redhat.com Thu Jul 23 11:27:21 2015 From: spousty at redhat.com (Steven Pousty) Date: Thu, 23 Jul 2015 08:27:21 -0700 Subject: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.3.1.Final In-Reply-To: References: <1525379670.1408788.1437472494893.JavaMail.zimbra@redhat.com> <55AEAC84.303@gmail.com> <55AEB335.7020207@gmail.com> <1091621274.2271286.1437549008652.JavaMail.zimbra@redhat.com> <503404133.3301148.1437641309825.JavaMail.zimbra@redhat.com> <55B0C5E4.7070902@gmail.com> <1670618386.3341432.1437649197877.JavaMail.zimbra@redhat.com> <55B102A8.2020702@redhat.com> Message-ID: 
<55B107D9.3070109@redhat.com> This is interesting because people are not seeing this issue with Wildfly when it comes back from being idled. Keycloak must be doing something different.... hmmmmm On 07/23/2015 08:14 AM, Mike Hills wrote: > No on all accounts... I performed all of the steps and none of them > allowed me to access keycloak. > > My keycloak server.log file > > 2015-07-23 11:11:04,640 INFO > [org.hibernate.hql.internal.ast.ASTQueryTranslatorFactory] > (ServerService Thread Pool -- 73) HHH000397: Using > ASTQueryTranslatorFactory > > 2015-07-23 11:11:04,891 INFO > [org.hibernate.validator.internal.util.Version] (ServerService Thread > Pool -- 73) HV000001: Hibernate Validator 5.1.3.Final > > 2015-07-23 11:11:13,582 INFO > [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool > -- 73) Deploying javax.ws.rs.core.Application: class > org.keycloak.services.resources.KeycloakApplication > > 2015-07-23 11:11:13,585 INFO > [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool > -- 73) Adding class resource > org.keycloak.services.resources.ThemeResource from Application class > org.keycloak.services.resources.KeycloakApplication > > 2015-07-23 11:11:13,585 INFO > [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool > -- 73) Adding class resource > org.keycloak.services.resources.JsResource from Application class > org.keycloak.services.resources.KeycloakApplication > > 2015-07-23 11:11:13,585 INFO > [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool > -- 73) Adding class resource > org.keycloak.services.resources.WelcomeResource from Application class > org.keycloak.services.resources.KeycloakApplication > > 2015-07-23 11:11:13,585 INFO > [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool > -- 73) Adding class resource > org.keycloak.services.resources.QRCodeResource from Application class > org.keycloak.services.resources.KeycloakApplication > > 2015-07-23 11:11:13,586 
INFO > [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool > -- 73) Adding provider class org.keycloak.SkeletonKeyContextResolver > from Application class org.keycloak.services.resources.KeycloakApplication > > 2015-07-23 11:11:13,586 INFO > [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool > -- 73) Adding singleton resource > org.keycloak.services.resources.ServerVersionResource from Application > class org.keycloak.services.resources.KeycloakApplication > > 2015-07-23 11:11:13,586 INFO > [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool > -- 73) Adding singleton resource > org.keycloak.services.resources.admin.AdminRoot from Application class > org.keycloak.services.resources.KeycloakApplication > > 2015-07-23 11:11:13,587 INFO > [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool > -- 73) Adding provider singleton > org.keycloak.services.resources.ModelExceptionMapper from Application > class org.keycloak.services.resources.KeycloakApplication > > 2015-07-23 11:11:13,587 INFO > [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool > -- 73) Adding singleton resource > org.keycloak.services.resources.RealmsResource from Application class > org.keycloak.services.resources.KeycloakApplication > > 2015-07-23 11:11:13,856 INFO [org.wildfly.extension.undertow] > (ServerService Thread Pool -- 73) WFLYUT0021: Registered web context: > /auth > > 2015-07-23 11:11:14,069 INFO [org.jboss.as.server] (ServerService > Thread Pool -- 67) WFLYSRV0010: Deployed "keycloak-server.war" > (runtime-name : "keycloak-server.war") > > 2015-07-23 11:11:15,141 INFO [org.jboss.as ] > (Controller Boot Thread) WFLYSRV0060: Http management interface > listening on http://127.3.17.129:9990/management > > 2015-07-23 11:11:15,142 INFO [org.jboss.as ] > (Controller Boot Thread) WFLYSRV0051: Admin console listening on > http://127.3.17.129:9990 > > 2015-07-23 11:11:15,143 INFO [org.jboss.as ] > 
(Controller Boot Thread) WFLYSRV0025: WildFly Full 9.0.0.CR2 (WildFly > Core 1.0.0.CR6) started in 58758ms - Started 334 of 553 services (271 > services are lazy, passive or on-demand) > > > > On Thu, Jul 23, 2015 at 11:05 AM, Steven Pousty > wrote: > > Does the keycloak cartridge hardwire ips when it is "installed" > into a gear? Are these scalable applications, as in, were they > created with/rhc app create .... -s/ > > What happens if you restart the gear > > /rhc app restart -a mykeycloakapp/ > > if that doesn't fix it then try > > /rhc app force-stop -a mykeycloakapp// > //rhc app start -a mykeycloakapp/ > > This could help narrow down the problem. Because it either of > those work it is something about return from idling that is not > getting properly set with the routing layer. > > On 07/23/2015 04:15 AM, Mike Hills wrote: >> It's good to know I am not alone :) >> >> I consistently receive this error on both the 1.2 and 1.3 >> versions of Keycloak running on OPENSHIFT ONLINE. >> >> OPENSHIFT support had me validate that I could access my keycloak >> instance at http://localhost:8080/auth after executing: *rhc >> port-forward keycloak.* (which I could). I have not had a >> follow-up support since I confirmed this. >> >> https://access.redhat.com/support/cases/#/case/01479959 >> >> >> >> On Thu, Jul 23, 2015 at 6:59 AM, Stian Thorgersen >> > wrote: >> >> Just got the same issue on my instance. Seems that after the >> instance is idled it returns this 502 even after the instance >> is restarted (confirmed in the log that it's up and running). >> >> ----- Original Message ----- >> > From: "Ioan Eugen Stan" > > >> > To: "Stian Thorgersen" > > >> > Cc: "keycloak-user" > > >> > Sent: Thursday, 23 July, 2015 12:45:56 PM >> > Subject: Re: [keycloak-user] Keycloak OpenShift Cartridge >> updated to 1.3.1.Final >> > >> > Thank you for the response. 
However, I think it's another >> beast altogether: >> > >> > >> > https://keycloak-ieugen.rhcloud.com/auth/admin/ >> > >> > Proxy Error >> > >> > The proxy server received an invalid response from an >> upstream server. >> > The proxy server could not handle the request GET /auth/admin/. >> > >> > Reason: DNS lookup failure for: 127.0.0.1:80auth >> > >> > >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> >> -- >> Michael J. Hills >> Sr. CRM Architect >> >> Mobile: 603.475.5093 >> Email : mike.hills at sematree.com >> Skype : mhills_sematree >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > -- > Michael J. Hills > Sr. CRM Architect > > Mobile: 603.475.5093 > Email : mike.hills at sematree.com > Skype : mhills_sematree From bburke at redhat.com Thu Jul 23 11:28:32 2015 From: bburke at redhat.com (Bill Burke) Date: Thu, 23 Jul 2015 11:28:32 -0400 Subject: [keycloak-user] LDAP with Kerberos, login with different user In-Reply-To: References: <55B088FD.2020505@redhat.com> <55B0F40D.30007@redhat.com> <1973454276.3479379.1437662162825.JavaMail.zimbra@redhat.com> <55B0FF34.6080401@redhat.com> Message-ID: <55B10820.90006@redhat.com> All this interaction is defined by the SAML and OIDC specifications. Logout redirects you back to the application and it's up to the application what to do next. We could add a query param that if it is set, to not do kerberos. This could be in addition to the "login automatically" flag. 
On 7/23/2015 11:14 AM, Raghu Prabhala wrote: > Why can't we have two separate authentication mechanisms - one IWA, in which case the user is logged in automatically and on logout he is taken to a login page where a diff userid can be entered and two, a login page that allows userid/password? That would address our use case. > > > > Sent from my iPhone > >> On Jul 23, 2015, at 10:50 AM, Marek Posolda wrote: >> >> Maybe it can be configurable for the kerberos mechanism? Just the flag >> "login automatically" . If it's off, another confirmation screen for the >> user will be displayed? >> >> Marek >> >>> On 23.7.2015 16:36, Stian Thorgersen wrote: >>> "Is this you?" >>> >>> ----- Original Message ----- >>>> From: "Bill Burke" >>>> To: keycloak-user at lists.jboss.org >>>> Sent: Thursday, 23 July, 2015 4:02:53 PM >>>> Subject: Re: [keycloak-user] LDAP with Kerberos, login with different user >>>> >>>> With the new flows, we could detect a kerberos login then ask if they >>>> want to login as that user or another. >>>> >>>>> On 7/23/2015 2:26 AM, Marek Posolda wrote: >>>>> Do you want that for normal users or just for admin users? Just trying >>>>> to understand the usecase. Because AFAIK the point of kerberos is, that >>>>> you login into the desktop and then you're automatically logged into >>>>> integrated web applications without need to deal with any login screens >>>>> and username/password. When user has just one keycloak account >>>>> corresponding to his kerberos ticket, then why he need to login as >>>>> different user? >>>>> >>>>> I can understand the usecase for admin, when you want to login as >>>>> different user for testing purpose etc. For this, isn't it possible in >>>>> windows to do something like "kdestroy" to be able to login without >>>>> kerberos? 
>>>>> >>>>> Marek >>>>> >>>>>> On 23.7.2015 07:44, Michael Gerber wrote: >>>>>> Isn't it possible to create a cookie or add an url parameter after the >>>>>> logout, so the user is not logged in automatically? >>>>>> >>>>>> It's crucial for us to be able to log in as a different user, >>>>>> otherwise we can not use kerberos at all :( >>>>>> >>>>>> Michael >>>>>> >>>>>>> Am 22. Juli 2015 um 23:06 schrieb Marek Posolda : >>>>>>> >>>>>>> I don't think it's doable. Kerberos is kind of desktop login and >>>>>>> logout from the web application won't destroy the kerberos ticket - >>>>>>> similarly like it can't logout your laptop/desktop session. So when >>>>>>> you visit the secured application next time, you are automatically >>>>>>> logged into Keycloak through SPNEGO due to the Kerberos ticket. >>>>>>> >>>>>>> Hence you need to remove kerberos ticket manually (For example >>>>>>> "kdestroy" works on Linux, but I guess you're using Windows + >>>>>>> ActiveDirectory? ) and then you will be able to see keycloak login >>>>>>> screen and login as different user. >>>>>>> >>>>>>> Marek >>>>>>> >>>>>>>> On 22.7.2015 15:38, Michael Gerber wrote: >>>>>>>> Hi all, >>>>>>>> >>>>>>>> I use LDAP with Kerberos and would like to logout and login again >>>>>>>> with a different user (no kerberos login, just keycloak username and >>>>>>>> password dialog). >>>>>>>> Is that possible? 
>>>>>>>> >>>>>>>> cheers >>>>>>>> Michael >>>>>>>> >>>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> keycloak-user mailing list >>>>>>>> keycloak-user at lists.jboss.org >>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> -- >>>> Bill Burke >>>> JBoss, a division of Red Hat >>>> http://bill.burkecentral.com >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Thu Jul 23 11:31:32 2015 From: bburke at redhat.com (Bill Burke) Date: Thu, 23 Jul 2015 11:31:32 -0400 Subject: [keycloak-user] LDAP with Kerberos, login with different user In-Reply-To: <55B10820.90006@redhat.com> References: <55B088FD.2020505@redhat.com> <55B0F40D.30007@redhat.com> <1973454276.3479379.1437662162825.JavaMail.zimbra@redhat.com> <55B0FF34.6080401@redhat.com> <55B10820.90006@redhat.com> Message-ID: <55B108D4.2090200@redhat.com> OpenID Connect has prompt=select_account query param. If this is sent, we could automatically display the "Is this you?" page for kerberos. On 7/23/2015 11:28 AM, Bill Burke wrote: > All this interaction is defined by the SAML and OIDC specifications. > Logout redirects you back to the application and its up to the > application what to do next. 
We could add a query param that if it is > set, to not do kerberos. This could be in addition to the "login > automatically" flag. > > > On 7/23/2015 11:14 AM, Raghu Prabhala wrote: >> Why can't we have two separate authentication mechanisms - one IWA, in which case the user is logged in automatically and on logout he is taken to a login page where a diff userid can be entered and two, a login page that allows userid/password? That would address our use case. >> >> >> >> Sent from my iPhone >> >>> On Jul 23, 2015, at 10:50 AM, Marek Posolda wrote: >>> >>> Maybe it can be configurable for the kerberos mechanism? Just the flag >>> "login automatically" . If it's off, another confirmation screen for the >>> user will be displayed? >>> >>> Marek >>> >>>> On 23.7.2015 16:36, Stian Thorgersen wrote: >>>> "Is this you?" >>>> >>>> ----- Original Message ----- >>>>> From: "Bill Burke" >>>>> To: keycloak-user at lists.jboss.org >>>>> Sent: Thursday, 23 July, 2015 4:02:53 PM >>>>> Subject: Re: [keycloak-user] LDAP with Kerberos, login with different user >>>>> >>>>> With the new flows, we could detect a kerberos login then ask if they >>>>> want to login as that user or another. >>>>> >>>>>> On 7/23/2015 2:26 AM, Marek Posolda wrote: >>>>>> Do you want that for normal users or just for admin users? Just trying >>>>>> to understand the usecase. Because AFAIK the point of kerberos is, that >>>>>> you login into the desktop and then you're automatically logged into >>>>>> integrated web applications without need to deal with any login screens >>>>>> and username/password. When user has just one keycloak account >>>>>> corresponding to his kerberos ticket, then why he need to login as >>>>>> different user? >>>>>> >>>>>> I can understand the usecase for admin, when you want to login as >>>>>> different user for testing purpose etc. For this, isn't it possible in >>>>>> windows to do something like "kdestroy" to be able to login without >>>>>> kerberos? 
>>>>>> >>>>>> Marek >>>>>> >>>>>>> On 23.7.2015 07:44, Michael Gerber wrote: >>>>>>> Isn't it possible to create a cookie or add an url parameter after the >>>>>>> logout, so the user is not logged in automatically? >>>>>>> >>>>>>> It's crucial for us to be able to log in as a different user, >>>>>>> otherwise we can not use kerberos at all :( >>>>>>> >>>>>>> Michael >>>>>>> >>>>>>>> Am 22. Juli 2015 um 23:06 schrieb Marek Posolda : >>>>>>>> >>>>>>>> I don't think it's doable. Kerberos is kind of desktop login and >>>>>>>> logout from the web application won't destroy the kerberos ticket - >>>>>>>> similarly like it can't logout your laptop/desktop session. So when >>>>>>>> you visit the secured application next time, you are automatically >>>>>>>> logged into Keycloak through SPNEGO due to the Kerberos ticket. >>>>>>>> >>>>>>>> Hence you need to remove kerberos ticket manually (For example >>>>>>>> "kdestroy" works on Linux, but I guess you're using Windows + >>>>>>>> ActiveDirectory? ) and then you will be able to see keycloak login >>>>>>>> screen and login as different user. >>>>>>>> >>>>>>>> Marek >>>>>>>> >>>>>>>>> On 22.7.2015 15:38, Michael Gerber wrote: >>>>>>>>> Hi all, >>>>>>>>> >>>>>>>>> I use LDAP with Kerberos and would like to logout and login again >>>>>>>>> with a different user (no kerberos login, just keycloak username and >>>>>>>>> password dialog). >>>>>>>>> Is that possible? 
>>>>>>>>> >>>>>>>>> cheers >>>>>>>>> Michael >>>>>>>>> >>>>>>>>> >>>>>>>>> _______________________________________________ >>>>>>>>> keycloak-user mailing list >>>>>>>>> keycloak-user at lists.jboss.org >>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> keycloak-user mailing list >>>>>> keycloak-user at lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> >>>>> -- >>>>> Bill Burke >>>>> JBoss, a division of Red Hat >>>>> http://bill.burkecentral.com >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From spousty at redhat.com Thu Jul 23 11:31:48 2015 From: spousty at redhat.com (Steven Pousty) Date: Thu, 23 Jul 2015 08:31:48 -0700 Subject: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.3.1.Final In-Reply-To: References: <1525379670.1408788.1437472494893.JavaMail.zimbra@redhat.com> <55AEAC84.303@gmail.com> <55AEB335.7020207@gmail.com> <1091621274.2271286.1437549008652.JavaMail.zimbra@redhat.com> <503404133.3301148.1437641309825.JavaMail.zimbra@redhat.com> <55B0C5E4.7070902@gmail.com> <1670618386.3341432.1437649197877.JavaMail.zimbra@redhat.com> <55B102A8.2020702@redhat.com> Message-ID: <55B108E4.90702@redhat.com> Mike any chance you can get on irc on freenode in channel #openshift right now. 
I am there and I can try to get an ops person to help us diagnose

Thanks
Steve

On 07/23/2015 08:14 AM, Mike Hills wrote:
> No on all accounts... I performed all of the steps and none of them allowed me to access keycloak.
>
> My keycloak server.log file
>
> 2015-07-23 11:11:04,640 INFO [org.hibernate.hql.internal.ast.ASTQueryTranslatorFactory] (ServerService Thread Pool -- 73) HHH000397: Using ASTQueryTranslatorFactory
> 2015-07-23 11:11:04,891 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 73) HV000001: Hibernate Validator 5.1.3.Final
> 2015-07-23 11:11:13,582 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Deploying javax.ws.rs.core.Application: class org.keycloak.services.resources.KeycloakApplication
> 2015-07-23 11:11:13,585 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding class resource org.keycloak.services.resources.ThemeResource from Application class org.keycloak.services.resources.KeycloakApplication
> 2015-07-23 11:11:13,585 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding class resource org.keycloak.services.resources.JsResource from Application class org.keycloak.services.resources.KeycloakApplication
> 2015-07-23 11:11:13,585 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding class resource org.keycloak.services.resources.WelcomeResource from Application class org.keycloak.services.resources.KeycloakApplication
> 2015-07-23 11:11:13,585 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding class resource org.keycloak.services.resources.QRCodeResource from Application class org.keycloak.services.resources.KeycloakApplication
> 2015-07-23 11:11:13,586 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding provider class org.keycloak.SkeletonKeyContextResolver from Application class org.keycloak.services.resources.KeycloakApplication
> 2015-07-23 11:11:13,586 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding singleton resource org.keycloak.services.resources.ServerVersionResource from Application class org.keycloak.services.resources.KeycloakApplication
> 2015-07-23 11:11:13,586 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding singleton resource org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication
> 2015-07-23 11:11:13,587 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding provider singleton org.keycloak.services.resources.ModelExceptionMapper from Application class org.keycloak.services.resources.KeycloakApplication
> 2015-07-23 11:11:13,587 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding singleton resource org.keycloak.services.resources.RealmsResource from Application class org.keycloak.services.resources.KeycloakApplication
> 2015-07-23 11:11:13,856 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 73) WFLYUT0021: Registered web context: /auth
> 2015-07-23 11:11:14,069 INFO [org.jboss.as.server] (ServerService Thread Pool -- 67) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
> 2015-07-23 11:11:15,141 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.3.17.129:9990/management
> 2015-07-23 11:11:15,142 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.3.17.129:9990
> 2015-07-23 11:11:15,143 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: WildFly Full 9.0.0.CR2 (WildFly Core 1.0.0.CR6) started in 58758ms - Started 334 of 553 services (271 services are lazy, passive or on-demand)
>
> On Thu, Jul 23, 2015 at 11:05 AM, Steven Pousty wrote:
>
>> Does the keycloak cartridge hardwire ips when it is "installed" into a gear? Are these scalable applications, as in, were they created with "rhc app create .... -s"?
>>
>> What happens if you restart the gear
>>
>> rhc app restart -a mykeycloakapp
>>
>> if that doesn't fix it then try
>>
>> rhc app force-stop -a mykeycloakapp
>> rhc app start -a mykeycloakapp
>>
>> This could help narrow down the problem. Because if either of those work it is something about return from idling that is not getting properly set with the routing layer.
>>
>> On 07/23/2015 04:15 AM, Mike Hills wrote:
>>> It's good to know I am not alone :)
>>>
>>> I consistently receive this error on both the 1.2 and 1.3 versions of Keycloak running on OPENSHIFT ONLINE.
>>>
>>> OPENSHIFT support had me validate that I could access my keycloak instance at http://localhost:8080/auth after executing "rhc port-forward keycloak" (which I could). I have not had a follow-up from support since I confirmed this.
>>>
>>> https://access.redhat.com/support/cases/#/case/01479959
>>>
>>> On Thu, Jul 23, 2015 at 6:59 AM, Stian Thorgersen wrote:
>>>
>>>> Just got the same issue on my instance. Seems that after the instance is idled it returns this 502 even after the instance is restarted (confirmed in the log that it's up and running).
>>>>
>>>> ----- Original Message -----
>>>> > From: "Ioan Eugen Stan"
>>>> > To: "Stian Thorgersen"
>>>> > Cc: "keycloak-user"
>>>> > Sent: Thursday, 23 July, 2015 12:45:56 PM
>>>> > Subject: Re: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.3.1.Final
>>>> >
>>>> > Thank you for the response. However, I think it's another beast altogether:
>>>> >
>>>> > https://keycloak-ieugen.rhcloud.com/auth/admin/
>>>> >
>>>> > Proxy Error
>>>> >
>>>> > The proxy server received an invalid response from an upstream server.
>>>> > The proxy server could not handle the request GET /auth/admin/.
>>>> >
>>>> > Reason: DNS lookup failure for: 127.0.0.1:80auth
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>> --
>>> Michael J. Hills
>>> Sr. CRM Architect
>>>
>>> Mobile: 603.475.5093
>>> Email : mike.hills at sematree.com
>>> Skype : mhills_sematree
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Michael J. Hills
> Sr. CRM Architect
>
> Mobile: 603.475.5093
> Email : mike.hills at sematree.com
> Skype : mhills_sematree

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150723/9b9b1975/attachment-0001.html

From mike.hills at sematree.com Thu Jul 23 11:38:48 2015
From: mike.hills at sematree.com (Mike Hills)
Date: Thu, 23 Jul 2015 11:38:48 -0400
Subject: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.3.1.Final
In-Reply-To: <55B108E4.90702@redhat.com>
References: <1525379670.1408788.1437472494893.JavaMail.zimbra@redhat.com> <55AEAC84.303@gmail.com> <55AEB335.7020207@gmail.com> <1091621274.2271286.1437549008652.JavaMail.zimbra@redhat.com> <503404133.3301148.1437641309825.JavaMail.zimbra@redhat.com> <55B0C5E4.7070902@gmail.com> <1670618386.3341432.1437649197877.JavaMail.zimbra@redhat.com> <55B102A8.2020702@redhat.com> <55B108E4.90702@redhat.com>
Message-ID:

sure thing - I am on now

On Thu, Jul 23, 2015 at 11:31 AM, Steven Pousty wrote:
> Mike any chance you can get on irc on freenode in channel #openshift right now. I am there and I can try to get an ops person to help us diagnose
>
> Thanks
> Steve
>
> On 07/23/2015 08:14 AM, Mike Hills wrote:
>> No on all accounts...
>> I performed all of the steps and none of them allowed me to access keycloak.
>>
>> My keycloak server.log file
>>
>> 2015-07-23 11:11:04,640 INFO [org.hibernate.hql.internal.ast.ASTQueryTranslatorFactory] (ServerService Thread Pool -- 73) HHH000397: Using ASTQueryTranslatorFactory
>> 2015-07-23 11:11:04,891 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 73) HV000001: Hibernate Validator 5.1.3.Final
>> 2015-07-23 11:11:13,582 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Deploying javax.ws.rs.core.Application: class org.keycloak.services.resources.KeycloakApplication
>> 2015-07-23 11:11:13,585 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding class resource org.keycloak.services.resources.ThemeResource from Application class org.keycloak.services.resources.KeycloakApplication
>> 2015-07-23 11:11:13,585 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding class resource org.keycloak.services.resources.JsResource from Application class org.keycloak.services.resources.KeycloakApplication
>> 2015-07-23 11:11:13,585 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding class resource org.keycloak.services.resources.WelcomeResource from Application class org.keycloak.services.resources.KeycloakApplication
>> 2015-07-23 11:11:13,585 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding class resource org.keycloak.services.resources.QRCodeResource from Application class org.keycloak.services.resources.KeycloakApplication
>> 2015-07-23 11:11:13,586 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding provider class org.keycloak.SkeletonKeyContextResolver from Application class org.keycloak.services.resources.KeycloakApplication
>> 2015-07-23 11:11:13,586 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding singleton resource org.keycloak.services.resources.ServerVersionResource from Application class org.keycloak.services.resources.KeycloakApplication
>> 2015-07-23 11:11:13,586 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding singleton resource org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication
>> 2015-07-23 11:11:13,587 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding provider singleton org.keycloak.services.resources.ModelExceptionMapper from Application class org.keycloak.services.resources.KeycloakApplication
>> 2015-07-23 11:11:13,587 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding singleton resource org.keycloak.services.resources.RealmsResource from Application class org.keycloak.services.resources.KeycloakApplication
>> 2015-07-23 11:11:13,856 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 73) WFLYUT0021: Registered web context: /auth
>> 2015-07-23 11:11:14,069 INFO [org.jboss.as.server] (ServerService Thread Pool -- 67) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
>> 2015-07-23 11:11:15,141 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.3.17.129:9990/management
>> 2015-07-23 11:11:15,142 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.3.17.129:9990
>> 2015-07-23 11:11:15,143 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: WildFly Full 9.0.0.CR2 (WildFly Core 1.0.0.CR6) started in 58758ms - Started 334 of 553 services (271 services are lazy, passive or on-demand)
>>
>> On Thu, Jul 23, 2015 at 11:05 AM, Steven Pousty wrote:
>>
>>> Does the keycloak cartridge hardwire ips when it is "installed" into a gear? Are these scalable applications, as in, were they created with "rhc app create .... -s"?
>>>
>>> What happens if you restart the gear
>>>
>>> rhc app restart -a mykeycloakapp
>>>
>>> if that doesn't fix it then try
>>>
>>> rhc app force-stop -a mykeycloakapp
>>> rhc app start -a mykeycloakapp
>>>
>>> This could help narrow down the problem. Because if either of those work it is something about return from idling that is not getting properly set with the routing layer.
>>>
>>> On 07/23/2015 04:15 AM, Mike Hills wrote:
>>>> It's good to know I am not alone :)
>>>>
>>>> I consistently receive this error on both the 1.2 and 1.3 versions of Keycloak running on OPENSHIFT ONLINE.
>>>>
>>>> OPENSHIFT support had me validate that I could access my keycloak instance at http://localhost:8080/auth after executing "rhc port-forward keycloak" (which I could). I have not had a follow-up from support since I confirmed this.
>>>>
>>>> https://access.redhat.com/support/cases/#/case/01479959
>>>>
>>>> On Thu, Jul 23, 2015 at 6:59 AM, Stian Thorgersen <stian at redhat.com> wrote:
>>>>
>>>>> Just got the same issue on my instance. Seems that after the instance is idled it returns this 502 even after the instance is restarted (confirmed in the log that it's up and running).
>>>>>
>>>>> ----- Original Message -----
>>>>> > From: "Ioan Eugen Stan" <stan.ieugen at gmail.com>
>>>>> > To: "Stian Thorgersen" <stian at redhat.com>
>>>>> > Cc: "keycloak-user" <keycloak-user at lists.jboss.org>
>>>>> > Sent: Thursday, 23 July, 2015 12:45:56 PM
>>>>> > Subject: Re: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.3.1.Final
>>>>> >
>>>>> > Thank you for the response. However, I think it's another beast altogether:
>>>>> >
>>>>> > https://keycloak-ieugen.rhcloud.com/auth/admin/
>>>>> >
>>>>> > Proxy Error
>>>>> >
>>>>> > The proxy server received an invalid response from an upstream server.
>>>>> > The proxy server could not handle the request GET /auth/admin/.
>>>>> >
>>>>> > Reason: DNS lookup failure for: 127.0.0.1:80auth
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>> --
>>>> Michael J. Hills
>>>> Sr. CRM Architect
>>>>
>>>> Mobile: 603.475.5093
>>>> Email : mike.hills at sematree.com
>>>> Skype : mhills_sematree
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> --
>> Michael J. Hills
>> Sr. CRM Architect
>>
>> Mobile: 603.475.5093
>> Email : mike.hills at sematree.com
>> Skype : mhills_sematree

--
Michael J. Hills
Sr. CRM Architect

Mobile: 603.475.5093
Email : mike.hills at sematree.com
Skype : mhills_sematree

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150723/dbe272ca/attachment.html

From prabhalar at yahoo.com Thu Jul 23 11:43:12 2015
From: prabhalar at yahoo.com (Raghu Prabhala)
Date: Thu, 23 Jul 2015 11:43:12 -0400
Subject: [keycloak-user] LDAP with Kerberos, login with different user
In-Reply-To: <55B10820.90006@redhat.com>
References: <55B088FD.2020505@redhat.com> <55B0F40D.30007@redhat.com> <1973454276.3479379.1437662162825.JavaMail.zimbra@redhat.com> <55B0FF34.6080401@redhat.com> <55B10820.90006@redhat.com>
Message-ID:

The select account prompt wouldn't work for us as some of our applications require that the user login only by entering userid/pw, but your other suggestion might work as long as we do the Kerberos authentication using id/pw.

Sent from my iPhone

> On Jul 23, 2015, at 11:28 AM, Bill Burke wrote:
>
> All this interaction is defined by the SAML and OIDC specifications. Logout redirects you back to the application and it's up to the application what to do next.
> We could add a query param that if it is set, to not do kerberos. This could be in addition to the "login automatically" flag.
>
>> On 7/23/2015 11:14 AM, Raghu Prabhala wrote:
>> Why can't we have two separate authentication mechanisms - one IWA, in which case the user is logged in automatically and on logout he is taken to a login page where a diff userid can be entered and two, a login page that allows userid/password? That would address our use case.
>>
>> Sent from my iPhone
>>
>>> On Jul 23, 2015, at 10:50 AM, Marek Posolda wrote:
>>>
>>> Maybe it can be configurable for the kerberos mechanism? Just the flag "login automatically". If it's off, another confirmation screen for the user will be displayed?
>>>
>>> Marek
>>>
>>>> On 23.7.2015 16:36, Stian Thorgersen wrote:
>>>> "Is this you?"
>>>>
>>>> ----- Original Message -----
>>>>> From: "Bill Burke"
>>>>> To: keycloak-user at lists.jboss.org
>>>>> Sent: Thursday, 23 July, 2015 4:02:53 PM
>>>>> Subject: Re: [keycloak-user] LDAP with Kerberos, login with different user
>>>>>
>>>>> With the new flows, we could detect a kerberos login then ask if they want to login as that user or another.
>>>>>
>>>>>> On 7/23/2015 2:26 AM, Marek Posolda wrote:
>>>>>> Do you want that for normal users or just for admin users? Just trying to understand the usecase. Because AFAIK the point of kerberos is, that you login into the desktop and then you're automatically logged into integrated web applications without need to deal with any login screens and username/password. When user has just one keycloak account corresponding to his kerberos ticket, then why does he need to login as a different user?
>>>>>>
>>>>>> I can understand the usecase for admin, when you want to login as different user for testing purpose etc. For this, isn't it possible in windows to do something like "kdestroy" to be able to login without kerberos?
>>>>>>
>>>>>> Marek
>>>>>>
>>>>>>> On 23.7.2015 07:44, Michael Gerber wrote:
>>>>>>> Isn't it possible to create a cookie or add an url parameter after the logout, so the user is not logged in automatically?
>>>>>>>
>>>>>>> It's crucial for us to be able to log in as a different user, otherwise we can not use kerberos at all :(
>>>>>>>
>>>>>>> Michael
>>>>>>>
>>>>>>>> On 22 July 2015 at 23:06, Marek Posolda wrote:
>>>>>>>>
>>>>>>>> I don't think it's doable. Kerberos is kind of desktop login and logout from the web application won't destroy the kerberos ticket - similarly like it can't logout your laptop/desktop session. So when you visit the secured application next time, you are automatically logged into Keycloak through SPNEGO due to the Kerberos ticket.
>>>>>>>>
>>>>>>>> Hence you need to remove the kerberos ticket manually (for example "kdestroy" works on Linux, but I guess you're using Windows + ActiveDirectory?) and then you will be able to see the keycloak login screen and login as a different user.
>>>>>>>>
>>>>>>>> Marek
>>>>>>>>
>>>>>>>>> On 22.7.2015 15:38, Michael Gerber wrote:
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>> I use LDAP with Kerberos and would like to logout and login again with a different user (no kerberos login, just keycloak username and password dialog).
>>>>>>>>> Is that possible?
>>>>>>>>> cheers
>>>>>>>>> Michael
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> keycloak-user mailing list
>>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>> --
>>>>> Bill Burke
>>>>> JBoss, a division of Red Hat
>>>>> http://bill.burkecentral.com
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From mike.hills at sematree.com Thu Jul 23 11:45:59 2015
From: mike.hills at sematree.com (Mike Hills)
Date: Thu, 23 Jul 2015 11:45:59 -0400
Subject: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.3.1.Final
In-Reply-To: <55B108E4.90702@redhat.com>
References: <1525379670.1408788.1437472494893.JavaMail.zimbra@redhat.com> <55AEAC84.303@gmail.com> <55AEB335.7020207@gmail.com> <1091621274.2271286.1437549008652.JavaMail.zimbra@redhat.com> <503404133.3301148.1437641309825.JavaMail.zimbra@redhat.com> <55B0C5E4.7070902@gmail.com> <1670618386.3341432.1437649197877.JavaMail.zimbra@redhat.com> <55B102A8.2020702@redhat.com> <55B108E4.90702@redhat.com>
Message-ID:

I am on as mhills

On Thu, Jul 23, 2015 at 11:31 AM, Steven Pousty wrote:
> Mike any chance you can get on irc on freenode in channel #openshift right now. I am there and I can try to get an ops person to help us diagnose
>
> Thanks
> Steve
>
> On 07/23/2015 08:14 AM, Mike Hills wrote:
>> No on all accounts... I performed all of the steps and none of them allowed me to access keycloak.
>>
>> My keycloak server.log file
>>
>> 2015-07-23 11:11:04,640 INFO [org.hibernate.hql.internal.ast.ASTQueryTranslatorFactory] (ServerService Thread Pool -- 73) HHH000397: Using ASTQueryTranslatorFactory
>> 2015-07-23 11:11:04,891 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 73) HV000001: Hibernate Validator 5.1.3.Final
>> 2015-07-23 11:11:13,582 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Deploying javax.ws.rs.core.Application: class org.keycloak.services.resources.KeycloakApplication
>> 2015-07-23 11:11:13,585 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding class resource org.keycloak.services.resources.ThemeResource from Application class org.keycloak.services.resources.KeycloakApplication
>> 2015-07-23 11:11:13,585 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding class resource org.keycloak.services.resources.JsResource from Application class org.keycloak.services.resources.KeycloakApplication
>> 2015-07-23 11:11:13,585 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding class resource org.keycloak.services.resources.WelcomeResource from Application class org.keycloak.services.resources.KeycloakApplication
>> 2015-07-23 11:11:13,585 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding class resource org.keycloak.services.resources.QRCodeResource from Application class org.keycloak.services.resources.KeycloakApplication
>> 2015-07-23 11:11:13,586 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding provider class org.keycloak.SkeletonKeyContextResolver from Application class org.keycloak.services.resources.KeycloakApplication
>> 2015-07-23 11:11:13,586 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding singleton resource org.keycloak.services.resources.ServerVersionResource from Application class org.keycloak.services.resources.KeycloakApplication
>> 2015-07-23 11:11:13,586 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding singleton resource org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication
>> 2015-07-23 11:11:13,587 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding provider singleton org.keycloak.services.resources.ModelExceptionMapper from Application class org.keycloak.services.resources.KeycloakApplication
>> 2015-07-23 11:11:13,587 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding singleton resource org.keycloak.services.resources.RealmsResource from Application class org.keycloak.services.resources.KeycloakApplication
>> 2015-07-23 11:11:13,856 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 73) WFLYUT0021: Registered web context: /auth
>> 2015-07-23 11:11:14,069 INFO [org.jboss.as.server] (ServerService Thread Pool -- 67) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
>> 2015-07-23 11:11:15,141 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.3.17.129:9990/management
>> 2015-07-23 11:11:15,142 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.3.17.129:9990
>> 2015-07-23 11:11:15,143 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: WildFly Full 9.0.0.CR2 (WildFly Core 1.0.0.CR6) started in 58758ms - Started 334 of 553 services (271 services are lazy, passive or on-demand)
>>
>> On Thu, Jul 23, 2015 at 11:05 AM, Steven Pousty wrote:
>>
>>> Does the keycloak cartridge hardwire ips when it is "installed" into a gear? Are these scalable applications, as in, were they created with "rhc app create .... -s"?
>>>
>>> What happens if you restart the gear
>>>
>>> rhc app restart -a mykeycloakapp
>>>
>>> if that doesn't fix it then try
>>>
>>> rhc app force-stop -a mykeycloakapp
>>> rhc app start -a mykeycloakapp
>>>
>>> This could help narrow down the problem. Because if either of those work it is something about return from idling that is not getting properly set with the routing layer.
>>>
>>> On 07/23/2015 04:15 AM, Mike Hills wrote:
>>>> It's good to know I am not alone :)
>>>>
>>>> I consistently receive this error on both the 1.2 and 1.3 versions of Keycloak running on OPENSHIFT ONLINE.
>>>>
>>>> OPENSHIFT support had me validate that I could access my keycloak instance at http://localhost:8080/auth after executing "rhc port-forward keycloak" (which I could). I have not had a follow-up from support since I confirmed this.
>>>>
>>>> https://access.redhat.com/support/cases/#/case/01479959
>>>>
>>>> On Thu, Jul 23, 2015 at 6:59 AM, Stian Thorgersen <stian at redhat.com> wrote:
>>>>
>>>>> Just got the same issue on my instance. Seems that after the instance is idled it returns this 502 even after the instance is restarted (confirmed in the log that it's up and running).
>>>>>
>>>>> ----- Original Message -----
>>>>> > From: "Ioan Eugen Stan" <stan.ieugen at gmail.com>
>>>>> > To: "Stian Thorgersen" <stian at redhat.com>
>>>>> > Cc: "keycloak-user" <keycloak-user at lists.jboss.org>
>>>>> > Sent: Thursday, 23 July, 2015 12:45:56 PM
>>>>> > Subject: Re: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.3.1.Final
>>>>> >
>>>>> > Thank you for the response. However, I think it's another beast altogether:
>>>>> >
>>>>> > https://keycloak-ieugen.rhcloud.com/auth/admin/
>>>>> >
>>>>> > Proxy Error
>>>>> >
>>>>> > The proxy server received an invalid response from an upstream server.
>>>>> > The proxy server could not handle the request GET /auth/admin/.
>>>>> >
>>>>> > Reason: DNS lookup failure for: 127.0.0.1:80auth
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>> --
>>>> Michael J. Hills
>>>> Sr. CRM Architect
>>>>
>>>> Mobile: 603.475.5093
>>>> Email : mike.hills at sematree.com
>>>> Skype : mhills_sematree
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> --
>> Michael J. Hills
>> Sr. CRM Architect
>>
>> Mobile: 603.475.5093
>> Email : mike.hills at sematree.com
>> Skype : mhills_sematree

--
Michael J. Hills
Sr. CRM Architect

Mobile: 603.475.5093
Email : mike.hills at sematree.com
Skype : mhills_sematree

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150723/7b62e11d/attachment.html

From spousty at redhat.com Thu Jul 23 11:31:59 2015
From: spousty at redhat.com (Steven Pousty)
Date: Thu, 23 Jul 2015 08:31:59 -0700
Subject: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.3.1.Final
In-Reply-To:
References: <1525379670.1408788.1437472494893.JavaMail.zimbra@redhat.com> <55AEAC84.303@gmail.com> <55AEB335.7020207@gmail.com> <1091621274.2271286.1437549008652.JavaMail.zimbra@redhat.com> <503404133.3301148.1437641309825.JavaMail.zimbra@redhat.com> <55B0C5E4.7070902@gmail.com> <1670618386.3341432.1437649197877.JavaMail.zimbra@redhat.com> <55B102A8.2020702@redhat.com>
Message-ID: <55B108EF.6010107@redhat.com>

Oh, I am TheSteve0 in there

On 07/23/2015 08:14 AM, Mike Hills wrote:
> No on all accounts... I performed all of the steps and none of them allowed me to access keycloak.
>
> My keycloak server.log file
>
> 2015-07-23 11:11:04,640 INFO [org.hibernate.hql.internal.ast.ASTQueryTranslatorFactory] (ServerService Thread Pool -- 73) HHH000397: Using ASTQueryTranslatorFactory
> 2015-07-23 11:11:04,891 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 73) HV000001: Hibernate Validator 5.1.3.Final
> 2015-07-23 11:11:13,582 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Deploying javax.ws.rs.core.Application: class org.keycloak.services.resources.KeycloakApplication
> 2015-07-23 11:11:13,585 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding class resource org.keycloak.services.resources.ThemeResource from Application class org.keycloak.services.resources.KeycloakApplication
> 2015-07-23 11:11:13,585 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding class resource org.keycloak.services.resources.JsResource from Application class org.keycloak.services.resources.KeycloakApplication
> 2015-07-23 11:11:13,585 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding class resource org.keycloak.services.resources.WelcomeResource from Application class org.keycloak.services.resources.KeycloakApplication
> 2015-07-23 11:11:13,585 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding class resource org.keycloak.services.resources.QRCodeResource from Application class org.keycloak.services.resources.KeycloakApplication
> 2015-07-23 11:11:13,586 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding provider class org.keycloak.SkeletonKeyContextResolver from Application class org.keycloak.services.resources.KeycloakApplication
> 2015-07-23 11:11:13,586 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding singleton resource org.keycloak.services.resources.ServerVersionResource from Application class org.keycloak.services.resources.KeycloakApplication
> 2015-07-23 11:11:13,586 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding singleton resource org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication
> 2015-07-23 11:11:13,587 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding provider singleton org.keycloak.services.resources.ModelExceptionMapper from Application class org.keycloak.services.resources.KeycloakApplication
> 2015-07-23 11:11:13,587 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 73) Adding singleton resource org.keycloak.services.resources.RealmsResource from Application class org.keycloak.services.resources.KeycloakApplication
> 2015-07-23 11:11:13,856 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 73) WFLYUT0021: Registered web context: /auth
> 2015-07-23 11:11:14,069 INFO [org.jboss.as.server] (ServerService Thread Pool -- 67) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
> 2015-07-23 11:11:15,141 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.3.17.129:9990/management
> 2015-07-23 11:11:15,142 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.3.17.129:9990
> 2015-07-23 11:11:15,143 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: WildFly Full 9.0.0.CR2 (WildFly Core 1.0.0.CR6) started in 58758ms - Started 334 of 553 services (271 services are lazy, passive or on-demand)
>
> On Thu, Jul 23, 2015 at 11:05 AM, Steven Pousty wrote:
>
>> Does the keycloak cartridge hardwire ips when it is "installed" into a gear? Are these scalable applications, as in, were they created with "rhc app create .... -s"?
>>
>> What happens if you restart the gear
>>
>> rhc app restart -a mykeycloakapp
>>
>> if that doesn't fix it then try
>>
>> rhc app force-stop -a mykeycloakapp
>> rhc app start -a mykeycloakapp
>>
>> This could help narrow down the problem. Because if either of those work it is something about return from idling that is not getting properly set with the routing layer.
>>
>> On 07/23/2015 04:15 AM, Mike Hills wrote:
>>> It's good to know I am not alone :)
>>>
>>> I consistently receive this error on both the 1.2 and 1.3 versions of Keycloak running on OPENSHIFT ONLINE.
>>>
>>> OPENSHIFT support had me validate that I could access my keycloak instance at http://localhost:8080/auth after executing "rhc port-forward keycloak" (which I could). I have not had a follow-up from support since I confirmed this.
>>>
>>> https://access.redhat.com/support/cases/#/case/01479959
>>>
>>> On Thu, Jul 23, 2015 at 6:59 AM, Stian Thorgersen wrote:
>>>
>>>> Just got the same issue on my instance. Seems that after the instance is idled it returns this 502 even after the instance is restarted (confirmed in the log that it's up and running).
>>>>
>>>> ----- Original Message -----
>>>> > From: "Ioan Eugen Stan"
>>>> > To: "Stian Thorgersen"
>>>> > Cc: "keycloak-user"
>>>> > Sent: Thursday, 23 July, 2015 12:45:56 PM
>>>> > Subject: Re: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.3.1.Final
>>>> >
>>>> > Thank you for the response. However, I think it's another beast altogether:
>>>> >
>>>> > https://keycloak-ieugen.rhcloud.com/auth/admin/
>>>> >
>>>> > Proxy Error
>>>> >
>>>> > The proxy server received an invalid response from an upstream server.
>>>> > The proxy server could not handle the request GET /auth/admin/.
>>>> >
>>>> > Reason: DNS lookup failure for: 127.0.0.1:80auth
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>> --
>>> Michael J. Hills
>>> Sr. CRM Architect
>>>
>>> Mobile: 603.475.5093
>>> Email : mike.hills at sematree.com
>>> Skype : mhills_sematree
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Michael J. Hills
> Sr. CRM Architect
>
> Mobile: 603.475.5093
> Email : mike.hills at sematree.com
> Skype : mhills_sematree

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150723/bfb6592a/attachment-0001.html From sennatece at gmail.com Thu Jul 23 13:32:34 2015 From: sennatece at gmail.com (Senthil Nathan) Date: Thu, 23 Jul 2015 10:32:34 -0700 Subject: [keycloak-user] Keycloak - login into applciation In-Reply-To: <55B0505E.4070501@redhat.com> References: <1964953312.2271362.1437549041995.JavaMail.zimbra@redhat.com> <55AFF9DC.7030909@redhat.com> <55B0505E.4070501@redhat.com> Message-ID: can you provide me some samples? do i need to use keycloak for securing my rest services? thanks, senthil On Wed, Jul 22, 2015 at 7:24 PM, Bill Burke wrote: > It is standard servlet security. Use security constraints to secure the > url patterns you want to secure. > > On 7/22/2015 5:04 PM, Senthil Nathan wrote: > >> Hi, >> >> I followed the screencast videos and there is no option to make my >> application's index.html as default page. Can you guide me in this. >> >> >> Thanks, >> Senthil >> >> On Wed, Jul 22, 2015 at 1:15 PM, Bill Burke > > wrote: >> >> You should probably look at the examples that come with the distro. >> The >> screencast videos would help too although they are quite out of date. >> >> On 7/22/2015 1:42 PM, Senthil Nathan wrote: >> > Hi Stian, >> > >> > Thanks for the reply. Currently I deployed my application in >> wildfly8 >> > server with basic authentication and moving it to wildfly9 server >> with >> > OAuth2.0 authentication. I came across thru keycloak which does the >> same >> > OAuth2.0 authentication. I tried deploying my application in >> wildfly9 >> > server by following the below link >> > >> > >> http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html_single/index.html >> > >> > After starting the server I am logging in using the realm user into >> my >> > application which I have created using keycloak settings. 
I need the >> > user which I have created using my application and keycloak only >> need >> > provide authentication to my REST service. >> > >> > Kindly help in this. >> > >> > Thanks, >> > Senthil >> > >> > On Wed, Jul 22, 2015 at 12:10 AM, Stian Thorgersen < >> stian at redhat.com >> > >> wrote: >> > >> > You'll need to add a lot more information than this if we're >> going >> > to be able to help you >> > >> > ----- Original Message ----- >> > > From: "Senthil Nathan" > sennatece at gmail.com> >> > >> >> > > To:keycloak-user at lists.jboss.org > keycloak-user at lists.jboss.org> >> > > keycloak-user at lists.jboss.org>> >> > > Sent: Wednesday, 22 July, 2015 2:09:35 AM >> > > Subject: [keycloak-user] Keycloak - login into applciation >> > > >> > > Hi, >> > > >> > > I installed keycloak in wildfly9 server and I deployed my >> > application. When I >> > > accessed the home page of my application, I'm unable to log >> in >> > using my >> > > application user. Can anybody help me in this. >> > > >> > > Thanks, >> > > Senthil >> > > >> > > _______________________________________________ >> > > keycloak-user mailing list >> > > keycloak-user at lists.jboss.org >> >> > > >> > > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> > >> > >> > >> > _______________________________________________ >> > keycloak-user mailing list >> >keycloak-user at lists.jboss.org >> >https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150723/10a46776/attachment.html From rodrigopsasaki at gmail.com Thu Jul 23 13:36:00 2015 From: rodrigopsasaki at gmail.com (Rodrigo Sasaki) Date: Thu, 23 Jul 2015 17:36:00 +0000 Subject: [keycloak-user] Deploy Keycloak from within IntelliJ IDEA In-Reply-To: References: <158028761.3267841.1437638147006.JavaMail.zimbra@redhat.com> <2138881042.3492613.1437663130214.JavaMail.zimbra@redhat.com> Message-ID: Oh, I saw that the keycloak-server.json on the testsuite did just that, sorry :) Thanks for the help! On Thu, 23 Jul 2015 at 11:56, Rodrigo Sasaki wrote: > Hm, is there a way for me to define a datasource on the > keycloak-server.json? > > I know I can specify the JNDI of the datasource I want to use, but can I > configure one there too? > > On Thu, 23 Jul 2015 at 11:52, Stian Thorgersen > wrote: > >> >> >> ----- Original Message ----- >> > From: "Rodrigo Sasaki" >> > To: "Stian Thorgersen" >> > Cc: keycloak-user at lists.jboss.org >> > Sent: Thursday, 23 July, 2015 4:50:06 PM >> > Subject: Re: [keycloak-user] Deploy Keycloak from within IntelliJ IDEA >> > >> > Oh, I see. >> > >> > I am modifying the Keycloak code, the class works but it lacks a bit of >> > the flexibility I had when I could maintain my own standalone.xml >> > >> > I saw there is a way for me to run tests using a specific database, but >> is >> > there a way for me to deploy it using a different database than the >> default >> > H2? I couldn't see an option for it on the properties file you use to >> > configure the server on startup. >> >> You can either pass system properties for it, that's what our tests do. >> Or edit the keycloak-server.json it uses directly. >> >> > >> > I realize this is a very specific case, but maybe there's a solution. 
>> >> Not really, we do it all the time ;) >> >> > >> > Thanks again, >> > Rodrigo Sasaki >> > >> > On Thu, 23 Jul 2015 at 04:55, Stian Thorgersen >> > wrote: >> > >> > > Keycloak is not deployed as a WAR anymore, so there's no concept of >> > > deploying Keycloak to a WildFly server. >> > > >> > > Are you forking/modifying Keycloak code? If so have a look at >> > > >> https://github.com/keycloak/keycloak/blob/master/misc/Testsuite.md#keycloak-server >> . >> > > There's KeycloakServer which contains a main method and can be run >> directly >> > > from the IDE. >> > > >> > > If you're not modifying Keycloak code and just developing your own >> apps I >> > > recommend either spinning up a standalone KC server, or to use the >> > > server-overlay download and add it to the WildFly server you deploy >> your >> > > apps to (this is only recommended for development btw). >> > > >> > > ----- Original Message ----- >> > > > From: "Rodrigo Sasaki" >> > > > To: keycloak-user at lists.jboss.org >> > > > Sent: Wednesday, 22 July, 2015 7:24:42 PM >> > > > Subject: [keycloak-user] Deploy Keycloak from within IntelliJ IDEA >> > > > >> > > > Hello everyone, >> > > > >> > > > I haven't used Keycloak since version 1.0.2, which we have now in >> > > production. >> > > > But now Keycloak has so many new features that we decided to >> migrate to >> > > the >> > > > 1.3.1.Final >> > > > >> > > > This is a very specific issue, maybe this has already been discussed >> > > before, >> > > > and if it has I'd like to ask you to direct me to that thread. >> > > > >> > > > Anyways, I want to deploy Keycloak from within IntelliJ IDEA, on >> version >> > > > 1.0.2 all I had to do was add an artifact of keycloak-server on the >> > > > deployment and it was done, but that no longer exists and I don't >> seem to >> > > > find a replacement for it. 
>> > > > >> > > > What I do now is add a step to execute a maven goal to package the >> war >> > > and I >> > > > created an artifact based on that war to deploy it, it works fine >> but I >> > > > believe there must be a simpler solution, and doing it like this I >> can't >> > > use >> > > > JRebel to hot deploy my alterations as well. >> > > > >> > > > Is there a way to do what I'm trying to do? I'll be happy to >> provide you >> > > more >> > > > information if necessary. >> > > > >> > > > Cheers, >> > > > Rodrigo Sasaki >> > > > >> > > > _______________________________________________ >> > > > keycloak-user mailing list >> > > > keycloak-user at lists.jboss.org >> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > >> > >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150723/9886bf7f/attachment.html From bburke at redhat.com Thu Jul 23 14:55:21 2015 From: bburke at redhat.com (Bill Burke) Date: Thu, 23 Jul 2015 14:55:21 -0400 Subject: [keycloak-user] Keycloak - login into applciation In-Reply-To: References: <1964953312.2271362.1437549041995.JavaMail.zimbra@redhat.com> <55AFF9DC.7030909@redhat.com> <55B0505E.4070501@redhat.com> Message-ID: <55B13899.5010408@redhat.com> There are a ton of samples in the distro. On 7/23/2015 1:32 PM, Senthil Nathan wrote: > can you provide me some samples? > > do i need to use keycloak for securing my rest services? > > thanks, > senthil > > On Wed, Jul 22, 2015 at 7:24 PM, Bill Burke > wrote: > > It is standard servlet security. Use security constraints to secure > the url patterns you want to secure. > > On 7/22/2015 5:04 PM, Senthil Nathan wrote: > > Hi, > > I followed the screencast videos and there is no option to make my > application's index.html as default page. Can you guide me in this. 
> > > Thanks, > Senthil > > On Wed, Jul 22, 2015 at 1:15 PM, Bill Burke > >> wrote: > > You should probably look at the examples that come with the > distro. The > screencast videos would help too although they are quite > out of date. > > On 7/22/2015 1:42 PM, Senthil Nathan wrote: > > Hi Stian, > > > > Thanks for the reply. Currently I deployed my application > in wildfly8 > > server with basic authentication and moving it to > wildfly9 server with > > OAuth2.0 authentication. I came across thru keycloak > which does the same > > OAuth2.0 authentication. I tried deploying my application > in wildfly9 > > server by following the below link > > > > >http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html_single/index.html > > > > After starting the server I am logging in using the realm > user into my > > application which I have created using keycloak settings. > I need the > > user which I have created using my application and > keycloak only need > > provide authentication to my REST service. > > > > Kindly help in this. > > > > Thanks, > > Senthil > > > > On Wed, Jul 22, 2015 at 12:10 AM, Stian Thorgersen > > > > > > >>> wrote: > > > > You'll need to add a lot more information than this > if we're going > > to be able to help you > > > > ----- Original Message ----- > > > From: "Senthil Nathan" > > > >>> > > > To:keycloak-user at lists.jboss.org > > > > > > >> > > > Sent: Wednesday, 22 July, 2015 2:09:35 AM > > > Subject: [keycloak-user] Keycloak - login into > applciation > > > > > > Hi, > > > > > > I installed keycloak in wildfly9 server and I > deployed my > > application. When I > > > accessed the home page of my application, I'm > unable to log in > > using my > > > application user. Can anybody help me in this. 
> > > > > > Thanks, > > > Senthil > > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > > > >> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > _______________________________________________ > > keycloak-user mailing list > >keycloak-user at lists.jboss.org > > > > >https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From kclark at mbopartners.com Thu Jul 23 22:14:23 2015 From: kclark at mbopartners.com (Kenyatta Clark) Date: Fri, 24 Jul 2015 02:14:23 +0000 Subject: [keycloak-user] AD ObjectGUID User Federation Mappers Message-ID: I am trying to create a user federation mapper to map the object from Active Directory to an attribute in the JWT. I have successfully mapped other Active Directory attributes but I am unable to the ObjectGUID to map at all. I remembered that the ObjectGUID needs to be converted from a byte array to a string. Does Keycloak take care of that conversion? What is the best way to map the ObjectGUID? -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150724/3932b513/attachment.html From stian at redhat.com Fri Jul 24 03:08:40 2015 From: stian at redhat.com (Stian Thorgersen) Date: Fri, 24 Jul 2015 03:08:40 -0400 (EDT) Subject: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.3.1.Final In-Reply-To: References: <1525379670.1408788.1437472494893.JavaMail.zimbra@redhat.com> <55B0C5E4.7070902@gmail.com> <1670618386.3341432.1437649197877.JavaMail.zimbra@redhat.com> <55B102A8.2020702@redhat.com> <55B108E4.90702@redhat.com> Message-ID: <1970689618.3883576.1437721720530.JavaMail.zimbra@redhat.com> Did you find a solution? ----- Original Message ----- > From: "Mike Hills" > To: "Steven Pousty" > Cc: "Stian Thorgersen" , "keycloak-user" > Sent: Thursday, 23 July, 2015 5:45:59 PM > Subject: Re: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.3.1.Final > > I am on as mhills > > On Thu, Jul 23, 2015 at 11:31 AM, Steven Pousty wrote: > > > Mike any chance you can get on irc on freenode in channel #openshift > > right now. I am there and I can try to get an ops person to help us > > diagnose > > > > Thanks > > Steve > > > > > > On 07/23/2015 08:14 AM, Mike Hills wrote: > > > > No on all accounts... I performed all of the steps and none of them > > allowed me to access keycloak. 
> > > > My keycloak server.log file > > > > 2015-07-23 11:11:04,640 INFO > > [org.hibernate.hql.internal.ast.ASTQueryTranslatorFactory] (ServerService > > Thread Pool -- 73) HHH000397: Using ASTQueryTranslatorFactory > > > > 2015-07-23 11:11:04,891 INFO > > [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool > > -- 73) HV000001: Hibernate Validator 5.1.3.Final > > > > 2015-07-23 11:11:13,582 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > > (ServerService Thread Pool -- 73) Deploying javax.ws.rs.core.Application: > > class org.keycloak.services.resources.KeycloakApplication > > > > 2015-07-23 11:11:13,585 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > > (ServerService Thread Pool -- 73) Adding class resource > > org.keycloak.services.resources.ThemeResource from Application class > > org.keycloak.services.resources.KeycloakApplication > > > > 2015-07-23 11:11:13,585 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > > (ServerService Thread Pool -- 73) Adding class resource > > org.keycloak.services.resources.JsResource from Application class > > org.keycloak.services.resources.KeycloakApplication > > > > 2015-07-23 11:11:13,585 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > > (ServerService Thread Pool -- 73) Adding class resource > > org.keycloak.services.resources.WelcomeResource from Application class > > org.keycloak.services.resources.KeycloakApplication > > > > 2015-07-23 11:11:13,585 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > > (ServerService Thread Pool -- 73) Adding class resource > > org.keycloak.services.resources.QRCodeResource from Application class > > org.keycloak.services.resources.KeycloakApplication > > > > 2015-07-23 11:11:13,586 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > > (ServerService Thread Pool -- 73) Adding provider class > > org.keycloak.SkeletonKeyContextResolver from Application class > > org.keycloak.services.resources.KeycloakApplication > > > > 2015-07-23 11:11:13,586 INFO 
[org.jboss.resteasy.spi.ResteasyDeployment] > > (ServerService Thread Pool -- 73) Adding singleton resource > > org.keycloak.services.resources.ServerVersionResource from Application > > class org.keycloak.services.resources.KeycloakApplication > > > > 2015-07-23 11:11:13,586 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > > (ServerService Thread Pool -- 73) Adding singleton resource > > org.keycloak.services.resources.admin.AdminRoot from Application class > > org.keycloak.services.resources.KeycloakApplication > > > > 2015-07-23 11:11:13,587 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > > (ServerService Thread Pool -- 73) Adding provider singleton > > org.keycloak.services.resources.ModelExceptionMapper from Application class > > org.keycloak.services.resources.KeycloakApplication > > > > 2015-07-23 11:11:13,587 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > > (ServerService Thread Pool -- 73) Adding singleton resource > > org.keycloak.services.resources.RealmsResource from Application class > > org.keycloak.services.resources.KeycloakApplication > > > > 2015-07-23 11:11:13,856 INFO [org.wildfly.extension.undertow] > > (ServerService Thread Pool -- 73) WFLYUT0021: Registered web context: /auth > > > > 2015-07-23 11:11:14,069 INFO [org.jboss.as.server] (ServerService Thread > > Pool -- 67) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : > > "keycloak-server.war") > > > > 2015-07-23 11:11:15,141 INFO [org.jboss.as] (Controller Boot Thread) > > WFLYSRV0060: Http management interface listening on > > http://127.3.17.129:9990/management > > > > 2015-07-23 11:11:15,142 INFO [org.jboss.as] (Controller Boot Thread) > > WFLYSRV0051: Admin console listening on http://127.3.17.129:9990 > > > > 2015-07-23 11:11:15,143 INFO [org.jboss.as] (Controller Boot Thread) > > WFLYSRV0025: WildFly Full 9.0.0.CR2 (WildFly Core 1.0.0.CR6) started in > > 58758ms - Started 334 of 553 services (271 services are lazy, passive or > > on-demand) > > > > > > > > On Thu, 
Jul 23, 2015 at 11:05 AM, Steven Pousty > > wrote: > > > >> Does the keycloak cartridge hardwire ips when it is "installed" into a > >> gear? Are these scalable applications, as in, were they created with* > >> rhc app create .... -s* > >> > >> What happens if you restart the gear > >> > >> *rhc app restart -a mykeycloakapp* > >> > >> if that doesn't fix it then try > >> > >> *rhc app force-stop -a mykeycloakapp* > >> *rhc app start -a mykeycloakapp* > >> > >> This could help narrow down the problem. Because it either of those work > >> it is something about return from idling that is not getting properly set > >> with the routing layer. > >> > >> On 07/23/2015 04:15 AM, Mike Hills wrote: > >> > >> It's good to know I am not alone :) > >> > >> I consistently receive this error on both the 1.2 and 1.3 versions of > >> Keycloak running on OPENSHIFT ONLINE. > >> > >> OPENSHIFT support had me validate that I could access my keycloak > >> instance at http://localhost:8080/auth after > >> executing: *rhc port-forward keycloak.* (which I could). I have not > >> had a follow-up support since I confirmed this. > >> > >> https://access.redhat.com/support/cases/#/case/01479959 > >> > >> > >> On Thu, Jul 23, 2015 at 6:59 AM, Stian Thorgersen < > >> stian at redhat.com> wrote: > >> > >>> Just got the same issue on my instance. Seems that after the instance is > >>> idled it returns this 502 even after the instance is restarted (confirmed > >>> in the log that it's up and running). > >>> > >>> ----- Original Message ----- > >>> > From: "Ioan Eugen Stan" < stan.ieugen at gmail.com > >>> > > >>> > To: "Stian Thorgersen" < stian at redhat.com> > >>> > Cc: "keycloak-user" < > >>> keycloak-user at lists.jboss.org> > >>> > Sent: Thursday, 23 July, 2015 12:45:56 PM > >>> > Subject: Re: [keycloak-user] Keycloak OpenShift Cartridge updated to > >>> 1.3.1.Final > >>> > > >>> > Thank you for the response. 
However, I think it's another beast > >>> altogether: > >>> > > >>> > > >>> > https://keycloak-ieugen.rhcloud.com/auth/admin/ > >>> > > >>> > Proxy Error > >>> > > >>> > The proxy server received an invalid response from an upstream server. > >>> > The proxy server could not handle the request GET /auth/admin/. > >>> > > >>> > Reason: DNS lookup failure for: 127.0.0.1:80auth > >>> > > >>> > > >>> _______________________________________________ > >>> keycloak-user mailing list > >>> keycloak-user at lists.jboss.org > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >>> > >> > >> > >> > >> -- > >> Michael J. Hills > >> Sr. CRM Architect > >> > >> Mobile: 603.475.5093 > >> Email : mike.hills at sematree.com > >> Skype : mhills_sematree > >> > >> > >> _______________________________________________ > >> keycloak-user mailing > >> listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user > >> > >> > >> > > > > > > -- > > Michael J. Hills > > Sr. CRM Architect > > > > Mobile: 603.475.5093 > > Email : mike.hills at sematree.com > > Skype : mhills_sematree > > > > > > > > > -- > Michael J. Hills > Sr. CRM Architect > > Mobile: 603.475.5093 > Email : mike.hills at sematree.com > Skype : mhills_sematree > From mposolda at redhat.com Fri Jul 24 03:49:45 2015 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 24 Jul 2015 09:49:45 +0200 Subject: [keycloak-user] LDAP with Kerberos, login with different user In-Reply-To: References: <55B088FD.2020505@redhat.com> <55B0F40D.30007@redhat.com> <1973454276.3479379.1437662162825.JavaMail.zimbra@redhat.com> <55B0FF34.6080401@redhat.com> <55B10820.90006@redhat.com> Message-ID: <55B1EE19.7030507@redhat.com> Support for prompt=select_account will be cool. Another suggestion for adding query parameter for skip some mechanisms (like skipAuthMechanism=cookie,kerberos ) might be good too. 
Not sure if we need to support both, but IMO it will be good to have solution not tightly coupled to Kerberos. I can imagine similar situation with other login mechanisms as well. For example with authenticating users by certificate, admin may also want to skip automatic login with the certificate from his browser and instead login with username/password form. Marek On 23.7.2015 17:43, Raghu Prabhala wrote: > The select account prompt wouldn't work for us as some of our applications require that the user login only by entering userid/pw but your other suggestion might work as long as we do the Kerberos authentication using Id/ow > > Sent from my iPhone > >> On Jul 23, 2015, at 11:28 AM, Bill Burke wrote: >> >> All this interaction is defined by the SAML and OIDC specifications. Logout redirects you back to the application and its up to the application what to do next. We could add a query param that if it is set, to not do kerberos. This could be in addition to the "login automatically" flag. >> >> >>> On 7/23/2015 11:14 AM, Raghu Prabhala wrote: >>> Why can't we have two separate authentication mechanisms - one IWA, in which case the user is logged in automatically and on logout he is taken to a login page where a diff userid can be entered and two, a login page that allows userid/password? That would address our use case. >>> >>> >>> >>> Sent from my iPhone >>> >>>> On Jul 23, 2015, at 10:50 AM, Marek Posolda wrote: >>>> >>>> Maybe it can be configurable for the kerberos mechanism? Just the flag >>>> "login automatically" . If it's off, another confirmation screen for the >>>> user will be displayed? >>>> >>>> Marek >>>> >>>>> On 23.7.2015 16:36, Stian Thorgersen wrote: >>>>> "Is this you?" 
>>>>> >>>>> ----- Original Message ----- >>>>>> From: "Bill Burke" >>>>>> To: keycloak-user at lists.jboss.org >>>>>> Sent: Thursday, 23 July, 2015 4:02:53 PM >>>>>> Subject: Re: [keycloak-user] LDAP with Kerberos, login with different user >>>>>> >>>>>> With the new flows, we could detect a kerberos login then ask if they >>>>>> want to login as that user or another. >>>>>> >>>>>>> On 7/23/2015 2:26 AM, Marek Posolda wrote: >>>>>>> Do you want that for normal users or just for admin users? Just trying >>>>>>> to understand the usecase. Because AFAIK the point of kerberos is, that >>>>>>> you login into the desktop and then you're automatically logged into >>>>>>> integrated web applications without need to deal with any login screens >>>>>>> and username/password. When user has just one keycloak account >>>>>>> corresponding to his kerberos ticket, then why he need to login as >>>>>>> different user? >>>>>>> >>>>>>> I can understand the usecase for admin, when you want to login as >>>>>>> different user for testing purpose etc. For this, isn't it possible in >>>>>>> windows to do something like "kdestroy" to be able to login without >>>>>>> kerberos? >>>>>>> >>>>>>> Marek >>>>>>> >>>>>>>> On 23.7.2015 07:44, Michael Gerber wrote: >>>>>>>> Isn't it possible to create a cookie or add a URL parameter after the >>>>>>>> logout, so the user is not logged in automatically? >>>>>>>> >>>>>>>> It's crucial for us to be able to log in as a different user, >>>>>>>> otherwise we can not use kerberos at all :( >>>>>>>> >>>>>>>> Michael >>>>>>>> >>>>>>>>> On 22 July 2015 at 23:06, Marek Posolda wrote: >>>>>>>>> >>>>>>>>> I don't think it's doable. Kerberos is kind of desktop login and >>>>>>>>> logout from the web application won't destroy the kerberos ticket - >>>>>>>>> similarly like it can't logout your laptop/desktop session. 
So when >>>>>>>>> you visit the secured application next time, you are automatically >>>>>>>>> logged into Keycloak through SPNEGO due to the Kerberos ticket. >>>>>>>>> >>>>>>>>> Hence you need to remove kerberos ticket manually (For example >>>>>>>>> "kdestroy" works on Linux, but I guess you're using Windows + >>>>>>>>> ActiveDirectory? ) and then you will be able to see keycloak login >>>>>>>>> screen and login as different user. >>>>>>>>> >>>>>>>>> Marek >>>>>>>>> >>>>>>>>>> On 22.7.2015 15:38, Michael Gerber wrote: >>>>>>>>>> Hi all, >>>>>>>>>> >>>>>>>>>> I use LDAP with Kerberos and would like to logout and login again >>>>>>>>>> with a different user (no kerberos login, just keycloak username and >>>>>>>>>> password dialog). >>>>>>>>>> Is that possible? >>>>>>>>>> >>>>>>>>>> cheers >>>>>>>>>> Michael >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> _______________________________________________ >>>>>>>>>> keycloak-user mailing list >>>>>>>>>> keycloak-user at lists.jboss.org >>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>> >>>>>>> _______________________________________________ >>>>>>> keycloak-user mailing list >>>>>>> keycloak-user at lists.jboss.org >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> -- >>>>>> Bill Burke >>>>>> JBoss, a division of Red Hat >>>>>> http://bill.burkecentral.com >>>>>> _______________________________________________ >>>>>> keycloak-user mailing list >>>>>> keycloak-user at lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com 
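The thread above is about a web logout that cannot end the desktop Kerberos session, so the next visit is silently re-authenticated by SPNEGO. Independently of which server-side switch Keycloak eventually grows (the prompt=select_account and skipAuthMechanism ideas are proposals in the messages above, not shipped behaviour), a relying party can ask for a fresh login with the standard OIDC prompt=login and max_age parameters and then verify the auth_time claim, rather than assuming the IdP skipped the ticket. The code below is an added example written for this thread, not Keycloak's own code; the endpoint URL and the realm name demo are assumptions, and whether a given IdP honours prompt=login over SPNEGO is that IdP's decision, which is exactly why the auth_time check is there.

```python
import secrets
import time
import urllib.parse
from typing import Dict, Optional, Tuple

# Assumed endpoint for this illustration; "demo" is a made-up realm name.
AUTH_ENDPOINT = "https://sso.example.com/auth/realms/demo/protocol/openid-connect/auth"


def build_reauth_request(client_id: str, redirect_uri: str,
                         max_age: int) -> Tuple[str, Dict[str, str]]:
    """Authorization request that asks the IdP for a fresh interactive login.

    prompt=login and max_age are standard OIDC Core parameters. Whether an IdP
    lets them override SPNEGO/Kerberos auto-login is the IdP's decision, so the
    RP does not trust the prompt: it checks auth_time on the ID token afterwards.
    Returns the redirect URL and the per-request values (state, nonce) the RP
    must keep server-side until the callback arrives.
    """
    pending = {"state": secrets.token_urlsafe(32), "nonce": secrets.token_urlsafe(32)}
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": pending["state"],
        "nonce": pending["nonce"],
        "prompt": "login",        # OIDC: re-prompt even if an SSO session exists
        "max_age": str(max_age),  # OIDC: auth_time must then be present in the ID token
    }
    return f"{AUTH_ENDPOINT}?{urllib.parse.urlencode(params)}", pending


def callback_state_matches(query_string: str, pending: Dict[str, str]) -> bool:
    """Bind the callback to the request that was issued (CSRF check on state)."""
    returned = urllib.parse.parse_qs(query_string).get("state", [""])[0]
    return bool(returned) and secrets.compare_digest(returned, pending["state"])


def verify_fresh_login(claims: Dict[str, object], pending: Dict[str, str],
                       max_age: int, now: Optional[float] = None) -> bool:
    """Accept the ID token only if it proves a login within the last max_age seconds.

    A token minted from the existing Kerberos-derived SSO session carries the
    original auth_time, so the age check is what catches a silently reused session.
    """
    now = time.time() if now is None else now
    if claims.get("nonce") != pending["nonce"]:
        return False  # replayed or foreign token
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, (int, float)):
        return False  # IdP did not honour max_age: treat as not re-authenticated
    if auth_time > now + 60:
        return False  # beyond clock-skew tolerance: bogus timestamp
    return now - auth_time <= max_age
```

The state and nonce are generated per request and kept server-side; the callback is accepted only when state matches, and the ID token only when its nonce matches and auth_time is recent. The other checks an RP must perform on an ID token (signature, issuer, audience, expiry) are outside this snippet.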
From stian at redhat.com Fri Jul 24 03:55:37 2015 From: stian at redhat.com (Stian Thorgersen) Date: Fri, 24 Jul 2015 03:55:37 -0400 (EDT) Subject: [keycloak-user] LDAP with Kerberos, login with different user In-Reply-To: <55B1EE19.7030507@redhat.com> References: <55B0F40D.30007@redhat.com> <1973454276.3479379.1437662162825.JavaMail.zimbra@redhat.com> <55B0FF34.6080401@redhat.com> <55B10820.90006@redhat.com> <55B1EE19.7030507@redhat.com> Message-ID: <40288152.3905453.1437724537256.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "Marek Posolda" > To: "Raghu Prabhala" , "Bill Burke" > Cc: "Stian Thorgersen" , keycloak-user at lists.jboss.org > Sent: Friday, 24 July, 2015 9:49:45 AM > Subject: Re: [keycloak-user] LDAP with Kerberos, login with different user > > Support for prompt=select_account will be cool. Another suggestion for > adding query parameter for skip some mechanisms (like > skipAuthMechanism=cookie,kerberos ) might be good too. That'll only make sense if we also add support to allow multiple accounts, which could be fairly easy on the server-side, but much harder to support in adapters. > > Not sure if we need to support both, but IMO it will be good to have > solution not tightly coupled to Kerberos. I can imagine similar > situation with other login mechanisms as well. For example with > authenticating users by certificate, admin may also want to skip > automatic login with the certificate from his browser and instead login > with username/password form. > > Marek > > On 23.7.2015 17:43, Raghu Prabhala wrote: > > The select account prompt wouldn't work for us as some of our applications > > require that the user login only by entering userid/pw but your other > > suggestion might work as long as we do the Kerberos authentication using > > Id/ow > > > > Sent from my iPhone > > > >> On Jul 23, 2015, at 11:28 AM, Bill Burke wrote: > >> > >> All this interaction is defined by the SAML and OIDC specifications. 
> >> Logout redirects you back to the application and its up to the > >> application what to do next. We could add a query param that if it is > >> set, to not do kerberos. This could be in addition to the "login > >> automatically" flag. > >> > >> > >>> On 7/23/2015 11:14 AM, Raghu Prabhala wrote: > >>> Why can't we have two separate authentication mechanisms - one IWA, in > >>> which case the user is logged in automatically and on logout he is taken > >>> to a login page where a diff userid can be entered and two, a login page > >>> that allows userid/password? That would address our use case. > >>> > >>> > >>> > >>> Sent from my iPhone > >>> > >>>> On Jul 23, 2015, at 10:50 AM, Marek Posolda wrote: > >>>> > >>>> Maybe it can be configurable for the kerberos mechanism? Just the flag > >>>> "login automatically" . If it's off, another confirmation screen for the > >>>> user will be displayed? > >>>> > >>>> Marek > >>>> > >>>>> On 23.7.2015 16:36, Stian Thorgersen wrote: > >>>>> "Is this you?" > >>>>> > >>>>> ----- Original Message ----- > >>>>>> From: "Bill Burke" > >>>>>> To: keycloak-user at lists.jboss.org > >>>>>> Sent: Thursday, 23 July, 2015 4:02:53 PM > >>>>>> Subject: Re: [keycloak-user] LDAP with Kerberos, login with different > >>>>>> user > >>>>>> > >>>>>> With the new flows, we could detect a kerberos login then ask if they > >>>>>> want to login as that user or another. > >>>>>> > >>>>>>> On 7/23/2015 2:26 AM, Marek Posolda wrote: > >>>>>>> Do you want that for normal users or just for admin users? Just > >>>>>>> trying > >>>>>>> to understand the usecase. Because AFAIK the point of kerberos is, > >>>>>>> that > >>>>>>> you login into the desktop and then you're automatically logged into > >>>>>>> integrated web applications without need to deal with any login > >>>>>>> screens > >>>>>>> and username/password. When user has just one keycloak account > >>>>>>> corresponding to his kerberos ticket, then why he need to login as > >>>>>>> different user? 
> >>>>>>> > >>>>>>> I can understand the usecase for admin, when you want to login as > >>>>>>> different user for testing purpose etc. For this, isn't it possible > >>>>>>> in > >>>>>>> windows to do something like "kdestroy" to be able to login without > >>>>>>> kerberos? > >>>>>>> > >>>>>>> Marek > >>>>>>> > >>>>>>>> On 23.7.2015 07:44, Michael Gerber wrote: > >>>>>>>> Isn't it possible to create a cookie or add a URL parameter after > >>>>>>>> the > >>>>>>>> logout, so the user is not logged in automatically? > >>>>>>>> > >>>>>>>> It's crucial for us to be able to log in as a different user, > >>>>>>>> otherwise we can not use kerberos at all :( > >>>>>>>> > >>>>>>>> Michael > >>>>>>>> > >>>>>>>>> On 22 July 2015 at 23:06, Marek Posolda > >>>>>>>>> wrote: > >>>>>>>>> > >>>>>>>>> I don't think it's doable. Kerberos is kind of desktop login and > >>>>>>>>> logout from the web application won't destroy the kerberos ticket - > >>>>>>>>> similarly like it can't logout your laptop/desktop session. So when > >>>>>>>>> you visit the secured application next time, you are automatically > >>>>>>>>> logged into Keycloak through SPNEGO due to the Kerberos ticket. > >>>>>>>>> > >>>>>>>>> Hence you need to remove kerberos ticket manually (For example > >>>>>>>>> "kdestroy" works on Linux, but I guess you're using Windows + > >>>>>>>>> ActiveDirectory? ) and then you will be able to see keycloak login > >>>>>>>>> screen and login as different user. > >>>>>>>>> > >>>>>>>>> Marek > >>>>>>>>> > >>>>>>>>>> On 22.7.2015 15:38, Michael Gerber wrote: > >>>>>>>>>> Hi all, > >>>>>>>>>> > >>>>>>>>>> I use LDAP with Kerberos and would like to logout and login again > >>>>>>>>>> with a different user (no kerberos login, just keycloak username > >>>>>>>>>> and > >>>>>>>>>> password dialog). > >>>>>>>>>> Is that possible? 
> >>>>>>>>>> > >>>>>>>>>> cheers > >>>>>>>>>> Michael > >>>>>>>>>> > >>>>>>>>>> > >>>>>>>>>> _______________________________________________ > >>>>>>>>>> keycloak-user mailing list > >>>>>>>>>> keycloak-user at lists.jboss.org > >>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >>>>>>> > >>>>>>> _______________________________________________ > >>>>>>> keycloak-user mailing list > >>>>>>> keycloak-user at lists.jboss.org > >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >>>>>> -- > >>>>>> Bill Burke > >>>>>> JBoss, a division of Red Hat > >>>>>> http://bill.burkecentral.com > >>>>>> _______________________________________________ > >>>>>> keycloak-user mailing list > >>>>>> keycloak-user at lists.jboss.org > >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >>>>> _______________________________________________ > >>>>> keycloak-user mailing list > >>>>> keycloak-user at lists.jboss.org > >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >>>> _______________________________________________ > >>>> keycloak-user mailing list > >>>> keycloak-user at lists.jboss.org > >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> -- > >> Bill Burke > >> JBoss, a division of Red Hat > >> http://bill.burkecentral.com > > From mposolda at redhat.com Fri Jul 24 04:18:17 2015 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 24 Jul 2015 10:18:17 +0200 Subject: [keycloak-user] AD ObjectGUID User Federation Mappers In-Reply-To: References: Message-ID: <55B1F4C9.8000400@redhat.com> Yes, by default Keycloak treats the ObjectGUID as UUID attribute of AD users. In other words, when you choose "Active Directory" vendor in admin console, you can see the name of UUID attribute is automatically filled to ObjectGUID. Keycloak takes care of converting from byte array to String and then it fills the serialized String as LDAP_ID attribute of user. 
Keycloak maps UUID attribute automatically to the LDAP_ID, there is no need to create any LDAP mapper for it. So if you want to have it available in access token in your application, you can just create UserAttribute protocol mapper for the LDAP_ID attribute.

Marek

On 24.7.2015 04:14, Kenyatta Clark wrote:
> I am trying to create a user federation mapper to map the object from
> Active Directory to an attribute in the JWT. I have successfully
> mapped other Active Directory attributes but I am unable to the
> ObjectGUID to map at all. I remembered that the ObjectGUID needs to
> be converted from a byte array to a string. Does Keycloak take care
> of that conversion? What is the best way to map the ObjectGUID?

From kalc04 at gmail.com Fri Jul 24 07:56:10 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Fri, 24 Jul 2015 17:26:10 +0530
Subject: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email
Message-ID:

Hi,

We have identified that even if the user hasn't verified his email (he cannot log in until it's verified), he can still invoke the 'auth/realms/{realm}/tokens/grants/access' API and retrieve a valid Access Token. APIs can be successfully invoked through this Access Token. This seems to be a buggy scenario.

Can anyone confirm if this is actually a bug or if this is the expected behavior?

Regards,
Lohitha.
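The behaviour Lohitha reports, as an added example (Python, written for this page; it is not Keycloak's code, and `Realm`, `User` and the three flow functions are assumptions of the example): a small model of a token service in which the browser login evaluates the realm's verify-email setting before issuing anything, while a direct-grant endpoint that only honours required actions already stored on the user still hands a token to an existing unverified user. Later in the thread Stian traces the bug to exactly that difference between the login flow and the direct grants API, and notes that the existing test only covered newly registered users; `direct_grant_fixed` shows the endpoint applying the same evaluation as the interactive flow.

```python
"""Model of the gap in this thread (added example, not Keycloak's code; Realm,
User and the flow functions are assumptions).  Browser login evaluates the
realm's verify-email setting and stores a VERIFY_EMAIL required action on the
user; a direct-grant endpoint that honours only stored actions does not."""
from dataclasses import dataclass, field
import hmac

VERIFY_EMAIL = "VERIFY_EMAIL"

@dataclass
class Realm:
    name: str
    verify_email: bool = False  # realm-level "Verify email" switch

@dataclass
class User:
    username: str
    password: str
    email_verified: bool = False
    required_actions: set = field(default_factory=set)  # stored on the user

class GrantError(Exception):
    """Raised instead of issuing a token; the message is an error code."""

def check_password(user: User, password: str) -> None:
    # constant-time compare; a real server checks a hashed credential instead
    if not hmac.compare_digest(user.password, password):
        raise GrantError("invalid_grant")

def pending_required_actions(realm: Realm, user: User) -> set:
    """Actions the user must finish before any token is issued.  The realm
    setting is evaluated on every login, existing users included."""
    actions = set(user.required_actions)
    if realm.verify_email and not user.email_verified:
        actions.add(VERIFY_EMAIL)
    return actions

def issue_token(realm: Realm, user: User) -> dict:
    return {"iss": f"/auth/realms/{realm.name}", "sub": user.username,
            "email_verified": user.email_verified}

def browser_login(realm: Realm, user: User, password: str) -> dict:
    """Interactive flow: evaluates the realm setting, stores the resulting
    required action on the user and refuses the token while it is pending."""
    check_password(user, password)
    pending = pending_required_actions(realm, user)
    if pending:
        user.required_actions |= pending
        raise GrantError("required_action_pending:" + ",".join(sorted(pending)))
    return issue_token(realm, user)

def direct_grant_unfixed(realm: Realm, user: User, password: str) -> dict:
    """The gap: only actions already stored on the user are honoured."""
    check_password(user, password)
    if user.required_actions:
        raise GrantError("required_action_pending:"
                         + ",".join(sorted(user.required_actions)))
    return issue_token(realm, user)

def direct_grant_fixed(realm: Realm, user: User, password: str) -> dict:
    """Hardened: the same evaluation as the browser flow, so both entry
    points agree on who may receive a token."""
    check_password(user, password)
    pending = pending_required_actions(realm, user)
    if pending:
        raise GrantError("required_action_pending:" + ",".join(sorted(pending)))
    return issue_token(realm, user)

def outcome(flow, realm: Realm, user: User, password: str) -> str:
    """Runs one flow and reports "token" or the error code it raised."""
    try:
        flow(realm, user, password)
        return "token"
    except GrantError as err:
        return str(err)

def compare_flows() -> dict:
    """Constructed sample data: verify-email is on; an existing user has
    never verified their address and carries no stored required action."""
    realm = Realm("demo", verify_email=True)
    results = {}
    for name, flow in (("browser", browser_login),
                       ("direct_unfixed", direct_grant_unfixed),
                       ("direct_fixed", direct_grant_fixed)):
        user = User("alice", "s3cret")  # fresh user per flow
        results[name] = outcome(flow, realm, user, "s3cret")
    # a user registered through the browser already carries the stored action,
    # which is why a test that only exercises new users keeps passing
    registered = User("carol", "pa55", required_actions={VERIFY_EMAIL})
    results["direct_unfixed_new_user"] = outcome(direct_grant_unfixed, realm, registered, "pa55")
    verified = User("bob", "hunter2", email_verified=True)
    results["direct_fixed_verified"] = outcome(direct_grant_fixed, realm, verified, "hunter2")
    results["wrong_password"] = outcome(direct_grant_fixed, realm, verified, "nope")
    return results

if __name__ == "__main__":
    for name, result in compare_flows().items():
        print(f"{name:>24}: {result}")
```

Running the module prints the outcome of each flow for the constructed users. The property worth carrying over to any real token endpoint is that realm-level requirements are evaluated per request on every entry point, not only recorded on the user at registration time, so that a password grant cannot bypass a condition the interactive login enforces.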
From mike.hills at sematree.com Fri Jul 24 08:43:37 2015
From: mike.hills at sematree.com (Mike Hills)
Date: Fri, 24 Jul 2015 08:43:37 -0400
Subject: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.3.1.Final
In-Reply-To: <1970689618.3883576.1437721720530.JavaMail.zimbra@redhat.com>
References: <1525379670.1408788.1437472494893.JavaMail.zimbra@redhat.com> <55B0C5E4.7070902@gmail.com> <1670618386.3341432.1437649197877.JavaMail.zimbra@redhat.com> <55B102A8.2020702@redhat.com> <55B108E4.90702@redhat.com> <1970689618.3883576.1437721720530.JavaMail.zimbra@redhat.com>
Message-ID:

Hi Stian,

Andy found something that needed to be reconfigured within the OPENSHIFT ONLINE environment that I do not have access to. After his change, keycloak was immediately available. After idling all night, my instance of keycloak is still available this morning.

He will update the case https://access.redhat.com/support/cases/#/case/01479959 with his findings.

Thank you,
Mike

On Fri, Jul 24, 2015 at 3:08 AM, Stian Thorgersen wrote:
> Did you find a solution?
>
> ----- Original Message -----
> > From: "Mike Hills"
> > To: "Steven Pousty"
> > Cc: "Stian Thorgersen", "keycloak-user" <keycloak-user at lists.jboss.org>
> > Sent: Thursday, 23 July, 2015 5:45:59 PM
> > Subject: Re: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.3.1.Final
> >
> > I am on as mhills
> >
> > On Thu, Jul 23, 2015 at 11:31 AM, Steven Pousty wrote:
> > > Mike any chance you can get on irc on freenode in channel #openshift
> > > right now. I am there and I can try to get an ops person to help us
> > > diagnose
> > >
> > > Thanks
> > > Steve
> > >
> > > On 07/23/2015 08:14 AM, Mike Hills wrote:
> > > No on all accounts... I performed all of the steps and none of them
> > > allowed me to access keycloak.
> > > > > > My keycloak server.log file > > > > > > 2015-07-23 11:11:04,640 INFO > > > [org.hibernate.hql.internal.ast.ASTQueryTranslatorFactory] > (ServerService > > > Thread Pool -- 73) HHH000397: Using ASTQueryTranslatorFactory > > > > > > 2015-07-23 11:11:04,891 INFO > > > [org.hibernate.validator.internal.util.Version] (ServerService Thread > Pool > > > -- 73) HV000001: Hibernate Validator 5.1.3.Final > > > > > > 2015-07-23 11:11:13,582 INFO > [org.jboss.resteasy.spi.ResteasyDeployment] > > > (ServerService Thread Pool -- 73) Deploying > javax.ws.rs.core.Application: > > > class org.keycloak.services.resources.KeycloakApplication > > > > > > 2015-07-23 11:11:13,585 INFO > [org.jboss.resteasy.spi.ResteasyDeployment] > > > (ServerService Thread Pool -- 73) Adding class resource > > > org.keycloak.services.resources.ThemeResource from Application class > > > org.keycloak.services.resources.KeycloakApplication > > > > > > 2015-07-23 11:11:13,585 INFO > [org.jboss.resteasy.spi.ResteasyDeployment] > > > (ServerService Thread Pool -- 73) Adding class resource > > > org.keycloak.services.resources.JsResource from Application class > > > org.keycloak.services.resources.KeycloakApplication > > > > > > 2015-07-23 11:11:13,585 INFO > [org.jboss.resteasy.spi.ResteasyDeployment] > > > (ServerService Thread Pool -- 73) Adding class resource > > > org.keycloak.services.resources.WelcomeResource from Application class > > > org.keycloak.services.resources.KeycloakApplication > > > > > > 2015-07-23 11:11:13,585 INFO > [org.jboss.resteasy.spi.ResteasyDeployment] > > > (ServerService Thread Pool -- 73) Adding class resource > > > org.keycloak.services.resources.QRCodeResource from Application class > > > org.keycloak.services.resources.KeycloakApplication > > > > > > 2015-07-23 11:11:13,586 INFO > [org.jboss.resteasy.spi.ResteasyDeployment] > > > (ServerService Thread Pool -- 73) Adding provider class > > > org.keycloak.SkeletonKeyContextResolver from Application class > > > 
org.keycloak.services.resources.KeycloakApplication > > > > > > 2015-07-23 11:11:13,586 INFO > [org.jboss.resteasy.spi.ResteasyDeployment] > > > (ServerService Thread Pool -- 73) Adding singleton resource > > > org.keycloak.services.resources.ServerVersionResource from Application > > > class org.keycloak.services.resources.KeycloakApplication > > > > > > 2015-07-23 11:11:13,586 INFO > [org.jboss.resteasy.spi.ResteasyDeployment] > > > (ServerService Thread Pool -- 73) Adding singleton resource > > > org.keycloak.services.resources.admin.AdminRoot from Application class > > > org.keycloak.services.resources.KeycloakApplication > > > > > > 2015-07-23 11:11:13,587 INFO > [org.jboss.resteasy.spi.ResteasyDeployment] > > > (ServerService Thread Pool -- 73) Adding provider singleton > > > org.keycloak.services.resources.ModelExceptionMapper from Application > class > > > org.keycloak.services.resources.KeycloakApplication > > > > > > 2015-07-23 11:11:13,587 INFO > [org.jboss.resteasy.spi.ResteasyDeployment] > > > (ServerService Thread Pool -- 73) Adding singleton resource > > > org.keycloak.services.resources.RealmsResource from Application class > > > org.keycloak.services.resources.KeycloakApplication > > > > > > 2015-07-23 11:11:13,856 INFO [org.wildfly.extension.undertow] > > > (ServerService Thread Pool -- 73) WFLYUT0021: Registered web context: > /auth > > > > > > 2015-07-23 11:11:14,069 INFO [org.jboss.as.server] (ServerService > Thread > > > Pool -- 67) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : > > > "keycloak-server.war") > > > > > > 2015-07-23 11:11:15,141 INFO [org.jboss.as] (Controller Boot Thread) > > > WFLYSRV0060: Http management interface listening on > > > http://127.3.17.129:9990/management > > > > > > 2015-07-23 11:11:15,142 INFO [org.jboss.as] (Controller Boot Thread) > > > WFLYSRV0051: Admin console listening on http://127.3.17.129:9990 > > > > > > 2015-07-23 11:11:15,143 INFO [org.jboss.as] (Controller Boot Thread) > > > 
WFLYSRV0025: WildFly Full 9.0.0.CR2 (WildFly Core 1.0.0.CR6) started in > > > 58758ms - Started 334 of 553 services (271 services are lazy, passive > or > > > on-demand) > > > > > > > > > > > > On Thu, Jul 23, 2015 at 11:05 AM, Steven Pousty > > > wrote: > > > > > >> Does the keycloak cartridge hardwire ips when it is "installed" into > a > > >> gear? Are these scalable applications, as in, were they created with* > > >> rhc app create .... -s* > > >> > > >> What happens if you restart the gear > > >> > > >> *rhc app restart -a mykeycloakapp* > > >> > > >> if that doesn't fix it then try > > >> > > >> *rhc app force-stop -a mykeycloakapp* > > >> *rhc app start -a mykeycloakapp* > > >> > > >> This could help narrow down the problem. Because it either of those > work > > >> it is something about return from idling that is not getting properly > set > > >> with the routing layer. > > >> > > >> On 07/23/2015 04:15 AM, Mike Hills wrote: > > >> > > >> It's good to know I am not alone :) > > >> > > >> I consistently receive this error on both the 1.2 and 1.3 versions of > > >> Keycloak running on OPENSHIFT ONLINE. > > >> > > >> OPENSHIFT support had me validate that I could access my keycloak > > >> instance at http://localhost:8080/auth > after > > >> executing: *rhc port-forward keycloak.* (which I could). I have not > > >> had a follow-up support since I confirmed this. > > >> > > >> https://access.redhat.com/support/cases/#/case/01479959 > > >> > > >> > > >> On Thu, Jul 23, 2015 at 6:59 AM, Stian Thorgersen < > > > >> stian at redhat.com> wrote: > > >> > > >>> Just got the same issue on my instance. Seems that after the > instance is > > >>> idled it returns this 502 even after the instance is restarted > (confirmed > > >>> in the log that it's up and running). 
> > >>> > > >>> ----- Original Message ----- > > >>> > From: "Ioan Eugen Stan" < > stan.ieugen at gmail.com > > >>> > > > >>> > To: "Stian Thorgersen" < stian at redhat.com> > > >>> > Cc: "keycloak-user" < > > >>> keycloak-user at lists.jboss.org> > > >>> > Sent: Thursday, 23 July, 2015 12:45:56 PM > > >>> > Subject: Re: [keycloak-user] Keycloak OpenShift Cartridge updated > to > > >>> 1.3.1.Final > > >>> > > > >>> > Thank you for the response. However, I think it's another beast > > >>> altogether: > > >>> > > > >>> > > > >>> > https://keycloak-ieugen.rhcloud.com/auth/admin/ > > >>> > > > >>> > Proxy Error > > >>> > > > >>> > The proxy server received an invalid response from an upstream > server. > > >>> > The proxy server could not handle the request GET /auth/admin/. > > >>> > > > >>> > Reason: DNS lookup failure for: 127.0.0.1:80auth > > >>> > > > >>> > > > >>> _______________________________________________ > > >>> keycloak-user mailing list > > >>> keycloak-user at lists.jboss.org > > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > > >>> > > >> > > >> > > >> > > >> -- > > >> Michael J. Hills > > >> Sr. CRM Architect > > >> > > >> Mobile: 603.475.5093 > > >> Email : mike.hills at sematree.com > > >> Skype : mhills_sematree > > >> > > >> > > >> _______________________________________________ > > >> keycloak-user mailing > > >> listkeycloak-user at lists.jboss.orghttps:// > lists.jboss.org/mailman/listinfo/keycloak-user > > >> > > >> > > >> > > > > > > > > > -- > > > Michael J. Hills > > > Sr. CRM Architect > > > > > > Mobile: 603.475.5093 > > > Email : mike.hills at sematree.com > > > Skype : mhills_sematree > > > > > > > > > > > > > > > -- > > Michael J. Hills > > Sr. CRM Architect > > > > Mobile: 603.475.5093 > > Email : mike.hills at sematree.com > > Skype : mhills_sematree > > > -- Michael J. Hills Sr. 
CRM Architect
Mobile: 603.475.5093
Email : mike.hills at sematree.com
Skype : mhills_sematree

From kclark at mbopartners.com Fri Jul 24 08:54:24 2015
From: kclark at mbopartners.com (Kenyatta Clark)
Date: Fri, 24 Jul 2015 12:54:24 +0000
Subject: [keycloak-user] AD ObjectGUID User Federation Mappers
Message-ID:

Great that works! Thanks for your help!

From stian at redhat.com Fri Jul 24 09:34:11 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 24 Jul 2015 09:34:11 -0400 (EDT)
Subject: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email
In-Reply-To:
References:
Message-ID: <410679878.4046644.1437744851949.JavaMail.zimbra@redhat.com>

That's indeed a bug - can you create a jira please?

----- Original Message -----
> From: "Lohitha Chiranjeewa"
> To: "keycloak-user"
> Sent: Friday, 24 July, 2015 1:56:10 PM
> Subject: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email
>
> Hi,
>
> We have identified that even if the user hasn't verified his email (he cannot
> log in until it's verified), he can still invoke the 'auth/realms/{realm}
> /tokens /grants/access' API and retrieve a valid Access Token. APIs can be
> successfully invoked through this Access Token. This seems to be a buggy
> scenario.
>
> Can anyone confirm if this is actually a bug or if this is the expected
> behavior?
>
>
> Regards,
> Lohitha.
> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From bburke at redhat.com Fri Jul 24 09:41:51 2015 From: bburke at redhat.com (Bill Burke) Date: Fri, 24 Jul 2015 09:41:51 -0400 Subject: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email In-Reply-To: <410679878.4046644.1437744851949.JavaMail.zimbra@redhat.com> References: <410679878.4046644.1437744851949.JavaMail.zimbra@redhat.com> Message-ID: <55B2409F.2030408@redhat.com> So, setting a verify email required action allows you to replicate the problem? What version of Keycloak are you using? Just looking at the code from 1.3 and master we don't allow the creation of a token if a required action is active. On 7/24/2015 9:34 AM, Stian Thorgersen wrote: > That's indeed a bug - can you create a jira please? > > ----- Original Message ----- >> From: "Lohitha Chiranjeewa" >> To: "keycloak-user" >> Sent: Friday, 24 July, 2015 1:56:10 PM >> Subject: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email >> >> Hi, >> >> We have identified that even if the user hasn't verified his email (he cannot >> log in until it's verified), he can still invoke the 'auth/realms/{realm} >> /tokens /grants/access' API and retrieve a valid Access Token. APIs can be >> successfully invoked through this Access Token. This seems to be a buggy >> scenario. >> >> Can anyone confirm if this is actually a bug or if this is the expected >> behavior? >> >> >> Regards, >> Lohitha. 
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From stian at redhat.com Fri Jul 24 09:59:01 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 24 Jul 2015 09:59:01 -0400 (EDT)
Subject: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email
In-Reply-To: <55B2409F.2030408@redhat.com>
References: <410679878.4046644.1437744851949.JavaMail.zimbra@redhat.com> <55B2409F.2030408@redhat.com>
Message-ID: <219124507.4066719.1437746341464.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Bill Burke"
> To: keycloak-user at lists.jboss.org
> Sent: Friday, 24 July, 2015 3:41:51 PM
> Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email
>
> So, setting a verify email required action allows you to replicate the
> problem?
>
> What version of Keycloak are you using? Just looking at the code from
> 1.3 and master we don't allow the creation of a token if a required
> action is active.

The problem is that when a user logs in we check if verify email is required by the realm, if it is and user hasn't verified email we add the required action. We don't do this check in the direct grants api.

>
> On 7/24/2015 9:34 AM, Stian Thorgersen wrote:
> > That's indeed a bug - can you create a jira please?
> > > > ----- Original Message ----- > >> From: "Lohitha Chiranjeewa" > >> To: "keycloak-user" > >> Sent: Friday, 24 July, 2015 1:56:10 PM > >> Subject: [keycloak-user] Users able to retrieve a valid Access Token > >> despite not verifying their email > >> > >> Hi, > >> > >> We have identified that even if the user hasn't verified his email (he > >> cannot > >> log in until it's verified), he can still invoke the 'auth/realms/{realm} > >> /tokens /grants/access' API and retrieve a valid Access Token. APIs can be > >> successfully invoked through this Access Token. This seems to be a buggy > >> scenario. > >> > >> Can anyone confirm if this is actually a bug or if this is the expected > >> behavior? > >> > >> > >> Regards, > >> Lohitha. > >> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From bburke at redhat.com Fri Jul 24 10:08:06 2015 From: bburke at redhat.com (Bill Burke) Date: Fri, 24 Jul 2015 10:08:06 -0400 Subject: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email In-Reply-To: <219124507.4066719.1437746341464.JavaMail.zimbra@redhat.com> References: <410679878.4046644.1437744851949.JavaMail.zimbra@redhat.com> <55B2409F.2030408@redhat.com> <219124507.4066719.1437746341464.JavaMail.zimbra@redhat.com> Message-ID: <55B246C6.6080704@redhat.com> On 7/24/2015 9:59 AM, Stian Thorgersen wrote: > > > ----- Original Message ----- >> From: "Bill Burke" >> To: 
keycloak-user at lists.jboss.org >> Sent: Friday, 24 July, 2015 3:41:51 PM >> Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email >> >> So, setting a verify email required action allows you to replicate the >> problem? >> >> What version of Keycloak are you using? Just looking at the code from >> 1.3 and master we don't allow the creation of a token if a required >> action is active. > > The problem is that when a user logs in we check if verify email is required by the realm, if it is and user hasn't verified email we add the required action. We don't do this check in the direct grants api. > This check might be gone entirely now. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Fri Jul 24 10:10:03 2015 From: bburke at redhat.com (Bill Burke) Date: Fri, 24 Jul 2015 10:10:03 -0400 Subject: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email In-Reply-To: <55B246C6.6080704@redhat.com> References: <410679878.4046644.1437744851949.JavaMail.zimbra@redhat.com> <55B2409F.2030408@redhat.com> <219124507.4066719.1437746341464.JavaMail.zimbra@redhat.com> <55B246C6.6080704@redhat.com> Message-ID: <55B2473B.6090307@redhat.com> Fix is simple. I'll commit it. On 7/24/2015 10:08 AM, Bill Burke wrote: > > > On 7/24/2015 9:59 AM, Stian Thorgersen wrote: >> >> >> ----- Original Message ----- >>> From: "Bill Burke" >>> To: keycloak-user at lists.jboss.org >>> Sent: Friday, 24 July, 2015 3:41:51 PM >>> Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email >>> >>> So, setting a verify email required action allows you to replicate the >>> problem? >>> >>> What version of Keycloak are you using? Just looking at the code from >>> 1.3 and master we don't allow the creation of a token if a required >>> action is active. 
>> >> The problem is that when a user logs in we check if verify email is required by the realm, if it is and user hasn't verified email we add the required action. We don't do this check in the direct grants api. >> > > This check might be gone entirely now. > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From stian at redhat.com Fri Jul 24 10:10:44 2015 From: stian at redhat.com (Stian Thorgersen) Date: Fri, 24 Jul 2015 10:10:44 -0400 (EDT) Subject: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email In-Reply-To: <55B246C6.6080704@redhat.com> References: <410679878.4046644.1437744851949.JavaMail.zimbra@redhat.com> <55B2409F.2030408@redhat.com> <219124507.4066719.1437746341464.JavaMail.zimbra@redhat.com> <55B246C6.6080704@redhat.com> Message-ID: <1594348008.4075179.1437747044461.JavaMail.zimbra@redhat.com> Was just looking at it and can't find anything that would check it, but RequiredActionEmailVerificationTest which is supposed to test it is passing ----- Original Message ----- > From: "Bill Burke" > To: "Stian Thorgersen" > Cc: keycloak-user at lists.jboss.org > Sent: Friday, 24 July, 2015 4:08:06 PM > Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email > > > > On 7/24/2015 9:59 AM, Stian Thorgersen wrote: > > > > > > ----- Original Message ----- > >> From: "Bill Burke" > >> To: keycloak-user at lists.jboss.org > >> Sent: Friday, 24 July, 2015 3:41:51 PM > >> Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token > >> despite not verifying their email > >> > >> So, setting a verify email required action allows you to replicate the > >> problem? > >> > >> What version of Keycloak are you using? Just looking at the code from > >> 1.3 and master we don't allow the creation of a token if a required > >> action is active. 
> > > > The problem is that when a user logs in we check if verify email is > > required by the realm, if it is and user hasn't verified email we add the > > required action. We don't do this check in the direct grants api. > > > > This check might be gone entirely now. > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > From stian at redhat.com Fri Jul 24 10:15:37 2015 From: stian at redhat.com (Stian Thorgersen) Date: Fri, 24 Jul 2015 10:15:37 -0400 (EDT) Subject: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email In-Reply-To: <1594348008.4075179.1437747044461.JavaMail.zimbra@redhat.com> References: <410679878.4046644.1437744851949.JavaMail.zimbra@redhat.com> <55B2409F.2030408@redhat.com> <219124507.4066719.1437746341464.JavaMail.zimbra@redhat.com> <55B246C6.6080704@redhat.com> <1594348008.4075179.1437747044461.JavaMail.zimbra@redhat.com> Message-ID: <1494048651.4082351.1437747337109.JavaMail.zimbra@redhat.com> Tried it manually and it's not working. Users don't have to verify email in master. One relevant question if "direct grant" flow has OTP set to optional and user has enabled otp with its account what happens? 
----- Original Message ----- > From: "Stian Thorgersen" > To: "Bill Burke" > Cc: keycloak-user at lists.jboss.org > Sent: Friday, 24 July, 2015 4:10:44 PM > Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email > > Was just looking at it and can't find anything that would check it, but > RequiredActionEmailVerificationTest which is supposed to test it is passing > > ----- Original Message ----- > > From: "Bill Burke" > > To: "Stian Thorgersen" > > Cc: keycloak-user at lists.jboss.org > > Sent: Friday, 24 July, 2015 4:08:06 PM > > Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token > > despite not verifying their email > > > > > > > > On 7/24/2015 9:59 AM, Stian Thorgersen wrote: > > > > > > > > > ----- Original Message ----- > > >> From: "Bill Burke" > > >> To: keycloak-user at lists.jboss.org > > >> Sent: Friday, 24 July, 2015 3:41:51 PM > > >> Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token > > >> despite not verifying their email > > >> > > >> So, setting a verify email required action allows you to replicate the > > >> problem? > > >> > > >> What version of Keycloak are you using? Just looking at the code from > > >> 1.3 and master we don't allow the creation of a token if a required > > >> action is active. > > > > > > The problem is that when a user logs in we check if verify email is > > > required by the realm, if it is and user hasn't verified email we add the > > > required action. We don't do this check in the direct grants api. > > > > > > > This check might be gone entirely now. 
> > > > -- > > Bill Burke > > JBoss, a division of Red Hat > > http://bill.burkecentral.com > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From stian at redhat.com Fri Jul 24 10:17:45 2015 From: stian at redhat.com (Stian Thorgersen) Date: Fri, 24 Jul 2015 10:17:45 -0400 (EDT) Subject: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email In-Reply-To: <1594348008.4075179.1437747044461.JavaMail.zimbra@redhat.com> References: <410679878.4046644.1437744851949.JavaMail.zimbra@redhat.com> <55B2409F.2030408@redhat.com> <219124507.4066719.1437746341464.JavaMail.zimbra@redhat.com> <55B246C6.6080704@redhat.com> <1594348008.4075179.1437747044461.JavaMail.zimbra@redhat.com> Message-ID: <323867916.4084820.1437747465605.JavaMail.zimbra@redhat.com> The test only checks if new users have to verify email, not that existing users have to verify email. 
Added https://issues.jboss.org/browse/KEYCLOAK-1696 ----- Original Message ----- > From: "Stian Thorgersen" > To: "Bill Burke" > Cc: keycloak-user at lists.jboss.org > Sent: Friday, 24 July, 2015 4:10:44 PM > Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email > > Was just looking at it and can't find anything that would check it, but > RequiredActionEmailVerificationTest which is supposed to test it is passing > > ----- Original Message ----- > > From: "Bill Burke" > > To: "Stian Thorgersen" > > Cc: keycloak-user at lists.jboss.org > > Sent: Friday, 24 July, 2015 4:08:06 PM > > Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token > > despite not verifying their email > > > > > > > > On 7/24/2015 9:59 AM, Stian Thorgersen wrote: > > > > > > > > > ----- Original Message ----- > > >> From: "Bill Burke" > > >> To: keycloak-user at lists.jboss.org > > >> Sent: Friday, 24 July, 2015 3:41:51 PM > > >> Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token > > >> despite not verifying their email > > >> > > >> So, setting a verify email required action allows you to replicate the > > >> problem? > > >> > > >> What version of Keycloak are you using? Just looking at the code from > > >> 1.3 and master we don't allow the creation of a token if a required > > >> action is active. > > > > > > The problem is that when a user logs in we check if verify email is > > > required by the realm, if it is and user hasn't verified email we add the > > > required action. We don't do this check in the direct grants api. > > > > > > > This check might be gone entirely now. 
> > > > -- > > Bill Burke > > JBoss, a division of Red Hat > > http://bill.burkecentral.com > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From kalc04 at gmail.com Fri Jul 24 12:03:23 2015 From: kalc04 at gmail.com (Lohitha Chiranjeewa) Date: Fri, 24 Jul 2015 21:33:23 +0530 Subject: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email In-Reply-To: <323867916.4084820.1437747465605.JavaMail.zimbra@redhat.com> References: <410679878.4046644.1437744851949.JavaMail.zimbra@redhat.com> <55B2409F.2030408@redhat.com> <219124507.4066719.1437746341464.JavaMail.zimbra@redhat.com> <55B246C6.6080704@redhat.com> <1594348008.4075179.1437747044461.JavaMail.zimbra@redhat.com> <323867916.4084820.1437747465605.JavaMail.zimbra@redhat.com> Message-ID: We're using 1.2.0.Final, and we're running our tests on a separate realm as our master realm is reserved for admin tasks only. Not sure if the behavior changes from master to other realms. In 1.2.0.Final version, both new and existing users have to verify their emails once the feature is turned on. Maybe it's broken in the newer version. Stian, will the ticket created by you (KEYCLOAK-1696) capture the initial bug mentioned by me as well? Or do I have to report a separate ticket for that? Thanks, Lohitha. On Fri, Jul 24, 2015 at 7:47 PM, Stian Thorgersen wrote: > The test only checks if new users have to verify email, not that existing > users have to verify email. 
Added > https://issues.jboss.org/browse/KEYCLOAK-1696 > > ----- Original Message ----- > > From: "Stian Thorgersen" > > To: "Bill Burke" > > Cc: keycloak-user at lists.jboss.org > > Sent: Friday, 24 July, 2015 4:10:44 PM > > Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token > despite not verifying their email > > > > Was just looking at it and can't find anything that would check it, but > > RequiredActionEmailVerificationTest which is supposed to test it is > passing > > > > ----- Original Message ----- > > > From: "Bill Burke" > > > To: "Stian Thorgersen" > > > Cc: keycloak-user at lists.jboss.org > > > Sent: Friday, 24 July, 2015 4:08:06 PM > > > Subject: Re: [keycloak-user] Users able to retrieve a valid Access > Token > > > despite not verifying their email > > > > > > > > > > > > On 7/24/2015 9:59 AM, Stian Thorgersen wrote: > > > > > > > > > > > > ----- Original Message ----- > > > >> From: "Bill Burke" > > > >> To: keycloak-user at lists.jboss.org > > > >> Sent: Friday, 24 July, 2015 3:41:51 PM > > > >> Subject: Re: [keycloak-user] Users able to retrieve a valid Access > Token > > > >> despite not verifying their email > > > >> > > > >> So, setting a verify email required action allows you to replicate > the > > > >> problem? > > > >> > > > >> What version of Keycloak are you using? Just looking at the code > from > > > >> 1.3 and master we don't allow the creation of a token if a required > > > >> action is active. > > > > > > > > The problem is that when a user logs in we check if verify email is > > > > required by the realm, if it is and user hasn't verified email we > add the > > > > required action. We don't do this check in the direct grants api. > > > > > > > > > > This check might be gone entirely now. 
> > >
> > > --
> > > Bill Burke
> > > JBoss, a division of Red Hat
> > > http://bill.burkecentral.com
> > >
> >

From bburke at redhat.com Sat Jul 25 12:46:36 2015
From: bburke at redhat.com (Bill Burke)
Date: Sat, 25 Jul 2015 12:46:36 -0400
Subject: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email
In-Reply-To: <1494048651.4082351.1437747337109.JavaMail.zimbra@redhat.com>
References: <410679878.4046644.1437744851949.JavaMail.zimbra@redhat.com> <55B2409F.2030408@redhat.com> <219124507.4066719.1437746341464.JavaMail.zimbra@redhat.com> <55B246C6.6080704@redhat.com> <1594348008.4075179.1437747044461.JavaMail.zimbra@redhat.com> <1494048651.4082351.1437747337109.JavaMail.zimbra@redhat.com>
Message-ID: <55B3BD6C.5070701@redhat.com>

On 7/24/2015 10:15 AM, Stian Thorgersen wrote:
> Tried it manually and it's not working. Users don't have to verify email in master.
>

Ok, I added a test and it is passing. Can you verify I'm doing the right checks? If I'm testing this right, I'll close the bug.

ResourceOwnerPasswordCredentialsGrantTest.grantAccessTokenVerifyEmail()

> One relevant question if "direct grant" flow has OTP set to optional and user has enabled otp with its account what happens?
>

If the user has OTP set up, then direct grant flow will expect it. If it is not there, it will send an error message.

BruteForceTest.testGrantMissingOtp() tests this.
-- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From stian at redhat.com Mon Jul 27 01:46:02 2015 From: stian at redhat.com (Stian Thorgersen) Date: Mon, 27 Jul 2015 01:46:02 -0400 (EDT) Subject: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email In-Reply-To: <55B3BD6C.5070701@redhat.com> References: <410679878.4046644.1437744851949.JavaMail.zimbra@redhat.com> <55B2409F.2030408@redhat.com> <219124507.4066719.1437746341464.JavaMail.zimbra@redhat.com> <55B246C6.6080704@redhat.com> <1594348008.4075179.1437747044461.JavaMail.zimbra@redhat.com> <1494048651.4082351.1437747337109.JavaMail.zimbra@redhat.com> <55B3BD6C.5070701@redhat.com> Message-ID: <529759033.409301.1437975962479.JavaMail.zimbra@redhat.com> Looks good ----- Original Message ----- > From: "Bill Burke" > To: "Stian Thorgersen" > Cc: keycloak-user at lists.jboss.org > Sent: Saturday, 25 July, 2015 6:46:36 PM > Subject: Re: [keycloak-user] Users able to retrieve a valid Access Token despite not verifying their email > > > > On 7/24/2015 10:15 AM, Stian Thorgersen wrote: > > Tried it manually and it's not working. Users don't have to verify email in > > master. > > > > Ok, I added a test and it is passing. Can you verify I'm doing the > right checks? If I'm testing this right, I'll close the bug. > > ResourceOwnerPasswordCredentialsGrantTest.grantAccessTokenVerifyEmail() > > > One relevant question if "direct grant" flow has OTP set to optional and > > user has enabled otp with its account what happens? > > > > If the user has OTP set up, then direct grant flow will expect it. If > it is not there, it will send an error message. > > BruteForceTest.testGrantMissingOtp() tests this. 
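The checks this thread converges on, as an added model in Python: the direct-grant (resource owner password) token endpoint has to evaluate the same required actions the browser flow evaluates (here VERIFY_EMAIL, derived from the realm's verify-email setting) before it mints a token, and a user who has OTP configured has to present a code. This is an illustration written for this page, not Keycloak's code and not from the thread; the Realm/User shapes, the error strings and the enforce_required_actions switch (False reproduces the reported behaviour) are assumptions. The HOTP/TOTP routines follow RFC 4226/6238 (HMAC-SHA1, 6 digits, 30 s steps).

```python
"""Added model of the direct-grant (resource owner password credentials)
decision discussed in the thread. Not Keycloak's code: Realm/User shapes,
error strings and the enforce_required_actions switch are assumptions
made for this illustration."""
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass, field
from typing import Optional

PBKDF2_ITERATIONS = 100_000


@dataclass
class Realm:
    verify_email: bool = False  # assumed analogue of the realm "Verify email" switch


@dataclass
class User:
    username: str
    password_hash: bytes
    salt: bytes
    email_verified: bool = False
    totp_secret: Optional[bytes] = None  # set once the user has configured OTP
    required_actions: set = field(default_factory=set)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_user(username: str, password: str, **attrs) -> User:
    salt = os.urandom(16)
    return User(username, hash_password(password, salt), salt, **attrs)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: Optional[float] = None, period: int = 30) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    t = int(time.time() if now is None else now)
    return hotp(secret, t // period)


def verify_totp(secret: bytes, code: str, now: Optional[float] = None,
                period: int = 30, window: int = 1) -> bool:
    """Accept the current step plus `window` neighbours to tolerate clock drift."""
    t = int(time.time() if now is None else now)
    return any(hmac.compare_digest(totp(secret, t + d * period, period), code)
               for d in range(-window, window + 1))


def direct_grant(realm: Realm, user: User, password: str,
                 totp_code: Optional[str] = None, now: Optional[float] = None,
                 enforce_required_actions: bool = True) -> dict:
    """Token-endpoint decision for grant_type=password.

    enforce_required_actions=False reproduces the behaviour reported in the
    thread: a token is issued although the user never verified their email."""
    def error(description: str) -> dict:
        return {"error": "invalid_grant", "error_description": description}

    if not hmac.compare_digest(hash_password(password, user.salt), user.password_hash):
        return error("Invalid user credentials")

    # The browser flow turns "realm requires verified email + user not verified"
    # into a VERIFY_EMAIL required action; direct grant has to do the same check.
    actions = set(user.required_actions)
    if realm.verify_email and not user.email_verified:
        actions.add("VERIFY_EMAIL")
    if enforce_required_actions and actions:
        return error("Account is not fully set up: " + ", ".join(sorted(actions)))

    # A user who has configured OTP must present it on every direct grant.
    if user.totp_secret is not None:
        if not totp_code:
            return error("Missing OTP")
        if not verify_totp(user.totp_secret, totp_code, now):
            return error("Invalid OTP")

    # Illustrative token; a real server would mint a signed JWT here.
    return {"access_token": f"token-for-{user.username}", "token_type": "bearer"}
```

Seen from the outside, the enforce_required_actions=False path is the symptom of the report: a valid bearer token for an account whose email was never verified, obtainable with nothing more than a password at the token endpoint. The "Missing OTP" branch is the case Bill says BruteForceTest.testGrantMissingOtp() covers; the model also shows why the check has to be unconditional once a TOTP secret exists, otherwise direct grant becomes a way to bypass the second factor the browser flow would demand.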
> > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > From sennatece at gmail.com Mon Jul 27 02:53:01 2015 From: sennatece at gmail.com (Senthil Nathan) Date: Sun, 26 Jul 2015 23:53:01 -0700 Subject: [keycloak-user] Keycloak - login into applciation In-Reply-To: <55B13899.5010408@redhat.com> References: <1964953312.2271362.1437549041995.JavaMail.zimbra@redhat.com> <55AFF9DC.7030909@redhat.com> <55B0505E.4070501@redhat.com> <55B13899.5010408@redhat.com> Message-ID: i worked on the samples(customer-app) in keycloak. after deploying it and clicking on customer interface link i am redirected to keycloak demo login. but i need my application login page to be displayed. how can i do this? regards senthil On Thu, Jul 23, 2015 at 11:55 AM, Bill Burke wrote: > There are a ton of samples in the distro. > > On 7/23/2015 1:32 PM, Senthil Nathan wrote: > >> can you provide me some samples? >> >> do i need to use keycloak for securing my rest services? >> >> thanks, >> senthil >> >> On Wed, Jul 22, 2015 at 7:24 PM, Bill Burke > > wrote: >> >> It is standard servlet security. Use security constraints to secure >> the url patterns you want to secure. >> >> On 7/22/2015 5:04 PM, Senthil Nathan wrote: >> >> Hi, >> >> I followed the screencast videos and there is no option to make my >> application's index.html as default page. Can you guide me in >> this. >> >> >> Thanks, >> Senthil >> >> On Wed, Jul 22, 2015 at 1:15 PM, Bill Burke > >> >> wrote: >> >> You should probably look at the examples that come with the >> distro. The >> screencast videos would help too although they are quite >> out of date. >> >> On 7/22/2015 1:42 PM, Senthil Nathan wrote: >> > Hi Stian, >> > >> > Thanks for the reply. Currently I deployed my application >> in wildfly8 >> > server with basic authentication and moving it to >> wildfly9 server with >> > OAuth2.0 authentication. I came across thru keycloak >> which does the same >> > OAuth2.0 authentication. 
I tried deploying my application >> in wildfly9 >> > server by following the below link >> > >> >> > >> http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html_single/index.html >> > >> > After starting the server I am logging in using the realm >> user into my >> > application which I have created using keycloak settings. >> I need the >> > user which I have created using my application and >> keycloak only need >> > provied authentication to my REST service. >> > >> > Kindly help in this. >> > >> > Thanks, >> > Senthil >> > >> > On Wed, Jul 22, 2015 at 12:10 AM, Stian Thorgersen >> >> > >> > >> >>> wrote: >> > >> > You'll need to add a lot more information than this >> if we're going >> > to be able to help you >> > >> > ----- Original Message ----- >> > > From: "Senthil Nathan" > > > >> > > > >>> >> > > To:keycloak-user at lists.jboss.org >> >> > > >> > > >> > >> >> > > Sent: Wednesday, 22 July, 2015 2:09:35 AM >> > > Subject: [keycloak-user] Keycloak - login into >> applciation >> > > >> > > Hi, >> > > >> > > I installed keycloak in wildfly9 server and I >> deployed my >> > application. When I >> > > accessed the home page of my application, Im >> unable to login in >> > using my >> > > application user. Can anybody help me in this. 
>> > > >> > > Thanks, >> > > Senthil >> > > >> > > _______________________________________________ >> > > keycloak-user mailing list >> > > keycloak-user at lists.jboss.org >> >> > > >> > >> > >> >> > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> > >> > >> > >> > _______________________________________________ >> > keycloak-user mailing list >> >keycloak-user at lists.jboss.org >> >> > > >> >https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> >> > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> >> >> > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150726/9767a823/attachment-0001.html From stian at redhat.com Mon Jul 27 03:05:25 2015 From: stian at redhat.com (Stian Thorgersen) Date: Mon, 27 Jul 2015 03:05:25 -0400 (EDT) Subject: [keycloak-user] Keycloak - login into applciation In-Reply-To: References: <55AFF9DC.7030909@redhat.com> <55B0505E.4070501@redhat.com> <55B13899.5010408@redhat.com> Message-ID: <1490221188.429104.1437980725606.JavaMail.zimbra@redhat.com> What do you mean about "my application login page to be displayed"? The main concept of Keycloak is to provide SSO, hence you don't login to an individual app, you login to a centralized authentication server. ----- Original Message ----- > From: "Senthil Nathan" > To: "Bill Burke" > Cc: keycloak-user at lists.jboss.org > Sent: Monday, 27 July, 2015 8:53:01 AM > Subject: Re: [keycloak-user] Keycloak - login into applciation > > i worked on the samples(customer-app) in keycloak. 
after deploying it and > clicking on customer interface link i am redirected to keycloak demo login. > but i need my application login page to be displayed. how can i do this? > > regards > senthil > > On Thu, Jul 23, 2015 at 11:55 AM, Bill Burke < bburke at redhat.com > wrote: > > > There are a ton of samples in the distro. > > On 7/23/2015 1:32 PM, Senthil Nathan wrote: > > > can you provide me some samples? > > do i need to use keycloak for securing my rest services? > > thanks, > senthil > > On Wed, Jul 22, 2015 at 7:24 PM, Bill Burke < bburke at redhat.com > > wrote: > > It is standard servlet security. Use security constraints to secure > the url patterns you want to secure. > > On 7/22/2015 5:04 PM, Senthil Nathan wrote: > > Hi, > > I followed the screencast videos and there is no option to make my > application's index.html as default page. Can you guide me in this. > > > Thanks, > Senthil > > On Wed, Jul 22, 2015 at 1:15 PM, Bill Burke < bburke at redhat.com > > >> wrote: > > You should probably look at the examples that come with the > distro. The > screencast videos would help too although they are quite > out of date. > > On 7/22/2015 1:42 PM, Senthil Nathan wrote: > > Hi Stian, > > > > Thanks for the reply. Currently I deployed my application > in wildfly8 > > server with basic authentication and moving it to > wildfly9 server with > > OAuth2.0 authentication. I came across thru keycloak > which does the same > > OAuth2.0 authentication. I tried deploying my application > in wildfly9 > > server by following the below link > > > > > http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html_single/index.html > > > > After starting the server I am logging in using the realm > user into my > > application which I have created using keycloak settings. > I need the > > user which I have created using my application and > keycloak only need > > provied authentication to my REST service. > > > > Kindly help in this. 
> > > > Thanks, > > Senthil > > > > On Wed, Jul 22, 2015 at 12:10 AM, Stian Thorgersen > < stian at redhat.com > > > > > >>> wrote: > > > > You'll need to add a lot more information than this > if we're going > > to be able to help you > > > > ----- Original Message ----- > > > From: "Senthil Nathan" < sennatece at gmail.com > > > > >>> > > > To:keycloak-user at lists.jboss.org > > > > > > >> > > > Sent: Wednesday, 22 July, 2015 2:09:35 AM > > > Subject: [keycloak-user] Keycloak - login into > applciation > > > > > > Hi, > > > > > > I installed keycloak in wildfly9 server and I > deployed my > > application. When I > > > accessed the home page of my application, Im > unable to login in > > using my > > > application user. Can anybody help me in this. > > > > > > Thanks, > > > Senthil > > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > > > >> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From rajat.nair at hp.com Mon Jul 27 08:03:47 2015 From: rajat.nair at hp.com (Nair, Rajat) Date: Mon, 27 Jul 2015 12:03:47 +0000 Subject: [keycloak-user] Distributed Keycloak user 
sessions using Infinispan Message-ID: Hi, I'm in the process of setting up distributed user sessions using Infinispan on my Keycloak cluster. This is the configuration I use - And in server.logs, I can see my servers communicate - 2015-07-27 10:27:24,662 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t7) ISPN000310: Starting cluster-wide rebalance for cache users, topology CacheTopology{id=57, rebalanceId=17, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[test-server-110: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[test-server-110: 30, test-server-111: 30]}, unionCH=null, actualMembers=[test-server-110, test-server-111]} 2015-07-27 10:27:24,665 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t10) ISPN000310: Starting cluster-wide rebalance for cache realms, topology CacheTopology{id=57, rebalanceId=17, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[test-server-110: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[test-server-110: 30, test-server-111: 30]}, unionCH=null, actualMembers=[test-server-110, test-server-111]} 2015-07-27 10:27:24,665 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t8) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=57, rebalanceId=17, currentCH=DefaultConsistentHash{ns=80, owners = (1)[test-server-110: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[test-server-110: 40+0, test-server-111: 40+0]}, unionCH=null, actualMembers=[test-server-110, test-server-111]} 2015-07-27 10:27:24,669 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t9) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=56, rebalanceId=17, currentCH=DefaultConsistentHash{ns=80, owners = (1)[test-server-110: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[test-server-110: 40+0, test-server-111: 40+0]}, unionCH=null, actualMembers=[test-server-110, test-server-111]} 2015-07-27 10:27:24,808 INFO 
[org.infinispan.CLUSTER] (remote-thread--p3-t9) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 57 2015-07-27 10:27:24,810 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t12) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 56 2015-07-27 10:27:24,988 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t12) ISPN000336: Finished cluster-wide rebalance for cache realms, topology id = 57 2015-07-27 10:27:25,530 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t8) ISPN000336: Finished cluster-wide rebalance for cache users, topology id = 57 I can successfully login, get a token and fetch user details with this token. Problem is, if one of the nodes on the cluster goes down and if we try to reuse a token which was already issued (so workflow is - user logs in, get token, (a node in the cluster goes down) and then fetch user details using token) - we see an internal server exception. From the logs - 2015-07-27 10:24:25,714 ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /auth/realms/scaletest/protocol/openid-connect/userinfo: java.lang.RuntimeException: request path: /auth/realms/scaletest/protocol/openid-connect/userinfo at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.MetricsHandler.handleRequest(MetricsHandler.java:62) at io.undertow.servlet.core.MetricsChainHandler.handleRequest(MetricsChainHandler.java:59) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:274) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:253) at 
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774) at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at java.lang.Thread.run(Unknown Source) Caused by: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) at org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) at 
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40) ... 31 more Caused by: java.lang.NullPointerException at org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.issueUserInfo(UserInfoEndpoint.java:128) at org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.issueUserInfoGet(UserInfoEndpoint.java:101) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.lang.reflect.Method.invoke(Unknown Source) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) ... 42 more The user guide says - If you need to prevent node failures from requiring users to log in again, set the owners attribute to 2 or more for the sessions cache Questions - 1. Have we configured Infinispan incorrectly? We don't want the users to login again if any of the nodes in the cluster go down. 2. Will changing distributed-cache to replicated-cache help in this scenario? 3. Any way we can see the contents of the cache? -- Rajat -------------- next part -------------- An HTML attachment was scrubbed... 
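What the owners attribute in the quoted user-guide sentence actually buys, and the difference between distributed-cache and replicated-cache that questions 1 and 2 ask about, as an added model in Python. This is an illustration written for this page, not Keycloak or Infinispan code: a plain rendezvous hash stands in for Infinispan's segment-based consistent hash (the ns=80 in the rebalance lines above), the session keys are constructed, and the node names are taken from the log. The small userinfo() at the end models the response the endpoint should give for a session that no longer exists, an OAuth error rather than the NullPointerException in the trace.

```python
"""Added illustration, not Keycloak or Infinispan code, of what owners="N"
on the sessions cache buys you.  A distributed cache keeps each entry on
`owners` nodes chosen by a consistent hash; a failure loses only entries
whose owners all sat on the failed nodes.  Rendezvous hashing below stands
in for Infinispan's segment-based ConsistentHash (the ns=80 in the rebalance
log lines) and is a simplification."""
import hashlib
from typing import Dict, Iterable, List, Set, Tuple

Placement = Dict[str, List[str]]


def owners_for(key: str, nodes: List[str], owners: int) -> List[str]:
    """Rank nodes by SHA-256(node|key); the top `owners` hold the entry.
    A replicated-cache is the special case owners == len(nodes)."""
    ranked = sorted(nodes, key=lambda n: hashlib.sha256(f"{n}|{key}".encode()).digest())
    return ranked[:min(owners, len(nodes))]


def place(keys: Iterable[str], nodes: List[str], owners: int) -> Placement:
    return {k: owners_for(k, nodes, owners) for k in keys}


def surviving(placement: Placement, failed: Set[str]) -> Set[str]:
    """Entries still readable after every node in `failed` is gone."""
    return {k for k, ow in placement.items() if any(n not in failed for n in ow)}


def lost_fraction(keys: List[str], nodes: List[str], owners: int, failed: Set[str]) -> float:
    placement = place(keys, nodes, owners)
    return 1.0 - len(surviving(placement, failed)) / len(keys)


def userinfo(session_id: str, placement: Placement, failed: Set[str]) -> Tuple[int, dict]:
    """What the endpoint should do when the session is gone: an OAuth
    invalid_token error, not an unhandled NullPointerException."""
    if session_id in surviving(placement, failed):
        return 200, {"sub": f"subject-of-{session_id}"}
    return 401, {"error": "invalid_token", "error_description": "User session not found"}


if __name__ == "__main__":
    sessions = [f"session-{i}" for i in range(1000)]   # constructed sample keys
    cluster = ["test-server-110", "test-server-111"]   # node names from the log above
    for owners in (1, 2):
        print(f"owners={owners}: lose "
              f"{lost_fraction(sessions, cluster, owners, {'test-server-110'}):.0%} "
              "of sessions when test-server-110 dies")
```

With two nodes, owners="2" puts every session on both, so one failure loses nothing and users keep their tokens; owners="1" (the default) loses roughly half of them. The guarantee is only against fewer than `owners` simultaneous failures, which is the "as long as only one node dies" condition. replicated-cache is the same thing with owners equal to the cluster size, so it survives any failure short of total loss, at the cost of every write going to every node; for a two-node cluster the two settings are equivalent. None of this helps if the sessions cache is not the one Keycloak is reading from, which is the userSessions provider setting Stian asks about.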
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150727/f02ed040/attachment-0001.html From stian at redhat.com Mon Jul 27 08:24:17 2015 From: stian at redhat.com (Stian Thorgersen) Date: Mon, 27 Jul 2015 08:24:17 -0400 (EDT) Subject: [keycloak-user] Distributed Keycloak user sessions using Infinispan In-Reply-To: References: Message-ID: <172557795.659190.1437999857925.JavaMail.zimbra@redhat.com> What version? Firstly owners="2" should work fine as long as only one node dies and the other remains active. Secondly it should return a NPE, but an error if user session is not found. ----- Original Message ----- > From: "Rajat Nair" > To: keycloak-user at lists.jboss.org > Sent: Monday, 27 July, 2015 2:03:47 PM > Subject: [keycloak-user] Distributed Keycloak user sessions using Infinispan > > > > Hi, > > > > I'm in the process of setting up distributed user sessions using Infinispan > on my Keycloak cluster. This is the configuration I use - > > > > > > > > > > > > > > > > > > > > And in server.logs, I can see my servers communicate - 
> > 2015-07-27 10:27:24,662 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t7) > ISPN000310: Starting cluster-wide rebalance for cache users, topology > CacheTopology{id=57, rebalanceId=17, currentCH=ReplicatedConsistentHash{ns = > 60, owners = (1)[test-server-110: 60]}, > pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[test-server-110: > 30, test-server-111: 30]}, unionCH=null, actualMembers=[test-server-110, > test-server-111]} > > 2015-07-27 10:27:24,665 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t10) > ISPN000310: Starting cluster-wide rebalance for cache realms, topology > CacheTopology{id=57, rebalanceId=17, currentCH=ReplicatedConsistentHash{ns = > 60, owners = (1)[test-server-110: 60]}, > pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[test-server-110: > 30, test-server-111: 30]}, unionCH=null, actualMembers=[test-server-110, > test-server-111]} > > 2015-07-27 10:27:24,665 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t8) > ISPN000310: Starting cluster-wide rebalance for cache loginFailures, > topology CacheTopology{id=57, rebalanceId=17, > currentCH=DefaultConsistentHash{ns=80, owners = (1)[test-server-110: 80+0]}, > pendingCH=DefaultConsistentHash{ns=80, owners = (2)[test-server-110: 40+0, > test-server-111: 40+0]}, unionCH=null, actualMembers=[test-server-110, > test-server-111]} > > 2015-07-27 10:27:24,669 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t9) > ISPN000310: Starting cluster-wide rebalance for cache sessions, topology > CacheTopology{id=56, rebalanceId=17, currentCH=DefaultConsistentHash{ns=80, > owners = (1)[test-server-110: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, > owners = (2)[test-server-110: 40+0, test-server-111: 40+0]}, unionCH=null, > actualMembers=[test-server-110, test-server-111]} > > 2015-07-27 10:27:24,808 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t9) > ISPN000336: Finished cluster-wide rebalance for cache loginFailures, > topology id = 57 > > 2015-07-27 10:27:24,810 INFO 
[org.infinispan.CLUSTER] (remote-thread--p3-t12) > ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id > = 56 > > 2015-07-27 10:27:24,988 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t12) > ISPN000336: Finished cluster-wide rebalance for cache realms, topology id = > 57 > > 2015-07-27 10:27:25,530 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t8) > ISPN000336: Finished cluster-wide rebalance for cache users, topology id = > 57 > > > > I can successfully login, get a token and fetch user details with this token. > > > > Problem is, if one of the nodes on the cluster goes down and if we try to > reuse a token which was already issued (so workflow is - user logs in, get > token, (a node in the cluster goes down) and then fetch user details using > token) - we see an internal server exception. From the logs - > > > > 2015-07-27 10:24:25,714 ERROR [io.undertow.request] (default task-1) > UT005023: Exception handling request to > /auth/realms/scaletest/protocol/openid-connect/userinfo: > java.lang.RuntimeException: request path: > /auth/realms/scaletest/protocol/openid-connect/userinfo > > at > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54) > > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) > > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) > > at > io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) > > at > io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > > at > io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > > at > org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > > at > 
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) > > at > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > > at > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > > at > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > > at > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) > > at > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72) > > at > io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > > at > io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) > > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > > at > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > > at > io.undertow.server.handlers.MetricsHandler.handleRequest(MetricsHandler.java:62) > > at > io.undertow.servlet.core.MetricsChainHandler.handleRequest(MetricsChainHandler.java:59) > > at > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:274) > > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:253) > > at > 
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80) > > at > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172) > > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199) > > at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774) > > at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) > > at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) > > at java.lang.Thread.run(Unknown Source) > > Caused by: org.jboss.resteasy.spi.UnhandledException: > java.lang.NullPointerException > > at > org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) > > at > org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) > > at > org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149) > > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372) > > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) > > at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) > > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > > at > io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86) > > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) > > at > org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41) > > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) > > at > 
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) > > at > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40) > > ... 31 more > > Caused by: java.lang.NullPointerException > > at > org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.issueUserInfo(UserInfoEndpoint.java:128) > > at > org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.issueUserInfoGet(UserInfoEndpoint.java:101) > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) > > at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) > > at java.lang.reflect.Method.invoke(Unknown Source) > > at > org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) > > at > org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) > > at > org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) > > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) > > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109) > > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135) > > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) > > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) > > ... 42 more > > > > > > The user guide says - > > If you need to prevent node failures from requiring users to log in again, > set the owners attribute to 2 or more for the sessions cache > > > > Questions - > > 1. Have we configured Infinispan incorrectly? We don't want the users to > login again if any of the nodes in the cluster go down. > > 2. Will changing distributed-cache to replicated-cache help in this scenario? > > 3. 
Any way we can see the contents of the cache? > > > > -- Rajat > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From stian at redhat.com Mon Jul 27 08:36:59 2015 From: stian at redhat.com (Stian Thorgersen) Date: Mon, 27 Jul 2015 08:36:59 -0400 (EDT) Subject: [keycloak-user] Distributed Keycloak user sessions using Infinispan In-Reply-To: <172557795.659190.1437999857925.JavaMail.zimbra@redhat.com> References: <172557795.659190.1437999857925.JavaMail.zimbra@redhat.com> Message-ID: <1204411095.666223.1438000619434.JavaMail.zimbra@redhat.com> Did you remember to change userSessions provider to infinispan in keycloak-server.json? ----- Original Message ----- > From: "Stian Thorgersen" > To: "Rajat Nair" > Cc: keycloak-user at lists.jboss.org > Sent: Monday, 27 July, 2015 2:24:17 PM > Subject: Re: [keycloak-user] Distributed Keycloak user sessions using Infinispan > > What version? > > Firstly owners="2" should work fine as long as only one node dies and the > other remains active. Secondly it should return a NPE, but an error if user > session is not found. > > ----- Original Message ----- > > From: "Rajat Nair" > > To: keycloak-user at lists.jboss.org > > Sent: Monday, 27 July, 2015 2:03:47 PM > > Subject: [keycloak-user] Distributed Keycloak user sessions using > > Infinispan > > > > > > > > Hi, > > > > > > > > I'm in the process of setting up distributed user sessions using Infinispan > > on my Keycloak cluster. This is the configuration I use - > > > > > jndi-name="java:jboss/infinispan/Keycloak"> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > And in server.logs, I can see my servers communicate - 
> >
> > 2015-07-27 10:27:24,662 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t7) ISPN000310: Starting cluster-wide rebalance for cache users, topology CacheTopology{id=57, rebalanceId=17, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[test-server-110: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[test-server-110: 30, test-server-111: 30]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
> >
> > 2015-07-27 10:27:24,665 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t10) ISPN000310: Starting cluster-wide rebalance for cache realms, topology CacheTopology{id=57, rebalanceId=17, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[test-server-110: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[test-server-110: 30, test-server-111: 30]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
> >
> > 2015-07-27 10:27:24,665 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t8) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=57, rebalanceId=17, currentCH=DefaultConsistentHash{ns=80, owners = (1)[test-server-110: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[test-server-110: 40+0, test-server-111: 40+0]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
> >
> > 2015-07-27 10:27:24,669 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t9) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=56, rebalanceId=17, currentCH=DefaultConsistentHash{ns=80, owners = (1)[test-server-110: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[test-server-110: 40+0, test-server-111: 40+0]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
> >
> > 2015-07-27 10:27:24,808 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t9) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 57
> >
> > 2015-07-27 10:27:24,810 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t12) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 56
> >
> > 2015-07-27 10:27:24,988 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t12) ISPN000336: Finished cluster-wide rebalance for cache realms, topology id = 57
> >
> > 2015-07-27 10:27:25,530 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t8) ISPN000336: Finished cluster-wide rebalance for cache users, topology id = 57
> >
> > I can successfully login, get a token and fetch user details with this token.
> >
> > Problem is, if one of the nodes on the cluster goes down and if we try to
> > reuse a token which was already issued (so workflow is - user logins in, get
> > token, (a node in the cluster goes down) and then fetch user details using
> > token) - we see an internal server exception. From the logs -
> >
> > 2015-07-27 10:24:25,714 ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /auth/realms/scaletest/protocol/openid-connect/userinfo: java.lang.RuntimeException: request path: /auth/realms/scaletest/protocol/openid-connect/userinfo
> > at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54)
> > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
> > at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
> > at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> > at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> > at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> > at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> > at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> > at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
> > at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
> > at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> > at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
> > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > at io.undertow.server.handlers.MetricsHandler.handleRequest(MetricsHandler.java:62)
> > at io.undertow.servlet.core.MetricsChainHandler.handleRequest(MetricsChainHandler.java:59)
> > at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:274)
> > at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:253)
> > at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
> > at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
> > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
> > at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
> > at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
> > at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
> > at java.lang.Thread.run(Unknown Source)
> > Caused by: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
> > at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
> > at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
> > at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
> > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
> > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
> > at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
> > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> > at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
> > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
> > at org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41)
> > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
> > at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40)
> > ... 31 more
> > Caused by: java.lang.NullPointerException
> > at org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.issueUserInfo(UserInfoEndpoint.java:128)
> > at org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.issueUserInfoGet(UserInfoEndpoint.java:101)
> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> > at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> > at java.lang.reflect.Method.invoke(Unknown Source)
> > at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
> > at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
> > at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
> > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
> > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
> > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
> > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
> > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
> > ... 42 more
> >
> > The user guide says -
> > If you need to prevent node failures from requiring users to log in again,
> > set the owners attribute to 2 or more for the sessions cache
> >
> > Questions -
> > 1. Have we configured Infinispan incorrectly? We don't want the users to
> > login again if any of the nodes in the cluster go down.
> > 2. Will changing distributed-cache to replicated-cache help in this scenario?
> > 3. Any way we can see the contents of the cache?
> >
> > -- Rajat

From mstrukel at redhat.com Mon Jul 27 09:13:29 2015
From: mstrukel at redhat.com (Marko Strukelj)
Date: Mon, 27 Jul 2015 09:13:29 -0400 (EDT)
Subject: [keycloak-user] [keycloak-dev] Securing wars via keycloak subsystem
In-Reply-To: <24A96690C67C15499D588133A8985E2109FF2428@EX-TT-AC-01.traveltainment.int>
References: <24A96690C67C15499D588133A8985E2109FF2428@EX-TT-AC-01.traveltainment.int>
Message-ID: <108178710.690597.1438002809195.JavaMail.zimbra@redhat.com>

Moved this conversation from keycloak-dev to keycloak-user at lists.jboss.org ...

You can't have keycloak server deployed on Wildfly 8 any more. So I assume you don't have the server parts deployed at all.

If you want to setup keycloak server and your web application in the same Wildfly instance the best way to do that is to use keycloak-demo-1.3.1.Final.zip which you can download here: http://sourceforge.net/projects/keycloak/files/1.3.1.Final

It is based on Wildfly 9.0.0.Final. You can then deploy your wars and add section to keycloak subsystem configuration in standalone.xml file.

The alternative is to run keycloak server separately - in that case use keycloak-1.3.1.Final.zip, and start it first. You then download keycloak-wf8-adapter-dist-1.3.1.Final.zip from http://sourceforge.net/projects/keycloak/files/1.3.1.Final/adapters/. Unpack it into your Wildfly 8.2.0 where you have deployed your .war. Make sure to add section to your Wildfly 8.2.0 where your .war is deployed, and not to the keycloak server instance. Also adjust the value of to point to the correct server url.

If you want to run both server and client on the same host for development you can start either one with:

bin/standalone.sh -Djboss.socket.binding.port-offset=100

Which will bind all the ports to their default value +100 - e.g. what would otherwise be port 8080 would then become 8180.

- marko

----- Original Message -----
> Hey guys,
>
> as the subject says I want to secure my war files via keycloak subsystem. I
> use an wildfly 8 server in standalone mode and got the following
> configuration from the keycloak admin console (by now I configured keycloak
> with keycloak.json):
>
> TOMAMappingConfigurationService
> TOMAMappingConfigurationService
> true
> true
> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAioI1Q9NTQ+FB/6nFRl6QXqjoNNHld8K8KgdL9xhDJtAOn2jhY9/sfQASs5heBWh9IQeVlYFkhmN5jYzKtPMLZnlMTW6fE4yTRSw5RdbGldgX8LedFAt5vSU2rVJWMkExDynDe8zHNbMKvereFeTQ3oDqEA/Ks22fUdmf2Pj+Cpzuj+ncyRYSut02MTGpQML9975D+1z5AmlokkWlk+VADjZ/3zberEJS8I49uQryqtC6OtxayVezEj270Iwx9lwmRIa2aoJZGQRncafW0Dukgx+lAxJinjiSR0UngTXwQXw1OfH9xfi7v6oHcrmExp4xahKom+cW9MyhCL51ElJi4QIDAQAB
> http://localhost:8080/auth
> EXTERNAL
>
> As in the documentation described I deleted the keycloak.json files and the
> part of the web.xml file where keycloak as authentication method is defined.
>
> Now I have the problem, that keycloak seems not to be deployed. I cannot
> access the admin console or login to my application because of an "404 - Not
> found"-Error.
>
> Any ideas what I did wrong?
>
> PS: Excuse my English. :-)
>
> Kind regards,
> Lars
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

From rajat.nair at hp.com Mon Jul 27 09:20:27 2015
From: rajat.nair at hp.com (Nair, Rajat)
Date: Mon, 27 Jul 2015 13:20:27 +0000
Subject: [keycloak-user] Distributed Keycloak user sessions using Infinispan
In-Reply-To: <1204411095.666223.1438000619434.JavaMail.zimbra@redhat.com>
References: <172557795.659190.1437999857925.JavaMail.zimbra@redhat.com> <1204411095.666223.1438000619434.JavaMail.zimbra@redhat.com>
Message-ID:

Thanks for quick reply Stian.

> What version?
We are using Keycloak 1.3.1 Final.

> Did you remember to change userSessions provider to infinispan in keycloak-server.json?
Yes. We got following in keycloak-server.json -
"userSessions": {
"provider": "infinispan"
}

> Firstly owners="2" should work fine as long as only one node dies and
> the other remains active. Secondly it should return a NPE, but an
> error if user session is not found.
Could you elaborate on your 2nd point?

-- Rajat

-----Original Message-----
From: Stian Thorgersen [mailto:stian at redhat.com]
Sent: 27 July 2015 18:07
To: Nair, Rajat
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Distributed Keycloak user sessions using Infinispan

Did you remember to change userSessions provider to infinispan in keycloak-server.json?

----- Original Message -----
> From: "Stian Thorgersen"
> To: "Rajat Nair"
> Cc: keycloak-user at lists.jboss.org
> Sent: Monday, 27 July, 2015 2:24:17 PM
> Subject: Re: [keycloak-user] Distributed Keycloak user sessions using Infinispan
>
> What version?
>
> Firstly owners="2" should work fine as long as only one node dies and
> the other remains active. Secondly it should return a NPE, but an
> error if user session is not found.
From stian at redhat.com Mon Jul 27 09:26:54 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 27 Jul 2015 09:26:54 -0400 (EDT)
Subject: [keycloak-user] Distributed Keycloak user sessions using Infinispan
In-Reply-To:
References: <172557795.659190.1437999857925.JavaMail.zimbra@redhat.com> <1204411095.666223.1438000619434.JavaMail.zimbra@redhat.com>
Message-ID: <59651412.706872.1438003614393.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Rajat Nair"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Monday, 27 July, 2015 3:20:27 PM
> Subject: RE: [keycloak-user] Distributed Keycloak user sessions using Infinispan
>
> Thanks for quick reply Stian.
>
> > What version?
> We are using Keycloak 1.3.1 Final.
>
> > Did you remember to change userSessions provider to infinispan in
> > keycloak-server.json?
> Yes. We got following in keycloak-server.json -
> "userSessions": {
> "provider": "infinispan"
> }
>
> > Firstly owners="2" should work fine as long as only one node dies and
> > the other remains active. Secondly it should return a NPE, but an
> > error if user session is not found.
> Could you elaborate on your 2nd point?

Do you have both nodes fully up and running before you kill one node?

It's a bug - if session is expired it should return an error message, not a NPE (see https://issues.jboss.org/browse/KEYCLOAK-1710)

> -- Rajat
From stian at redhat.com Mon Jul 27 09:38:02 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 27 Jul 2015 09:38:02 -0400 (EDT)
Subject: [keycloak-user] Distributed Keycloak user sessions using Infinispan
In-Reply-To: <59651412.706872.1438003614393.JavaMail.zimbra@redhat.com>
References: <172557795.659190.1437999857925.JavaMail.zimbra@redhat.com> <1204411095.666223.1438000619434.JavaMail.zimbra@redhat.com> <59651412.706872.1438003614393.JavaMail.zimbra@redhat.com>
Message-ID: <90967314.715102.1438004282164.JavaMail.zimbra@redhat.com>

Just confirmed that this is working fine here with distributed cache and owners=2. I can stop/start nodes and still get user info.
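As an added example (not code from this thread or from Keycloak), a small Python model of a cache that keeps `owners` copies of each session: it shows why owners=2 survives one node crash, why a second crash before the cluster-wide rebalance has finished still loses sessions, and why replicated-cache is just owners equal to the cluster size. The placement is a simplified hash ring, not Infinispan's consistent hash; the third node name and the session ids are constructed, and the 401 for a missing session is the intended behaviour rather than the NPE the 1.3.1 server returned.

```python
import hashlib
from typing import Dict, Iterable, List, Optional


class DistributedCacheModel:
    """Constructed model of a cache that keeps `owners` copies of every entry.

    This is not Infinispan's DefaultConsistentHash; it only reproduces the
    property the thread relies on: an entry stays readable as long as at
    least one of its owner nodes is still alive.
    """

    def __init__(self, nodes: Iterable[str], owners: int) -> None:
        if owners < 1:
            raise ValueError("owners must be >= 1")
        self.nodes: List[str] = sorted(nodes)      # current cluster view
        self.owners = owners
        self.store: Dict[str, Dict[str, dict]] = {n: {} for n in self.nodes}

    def owners_for(self, key: str) -> List[str]:
        """Place the key on `owners` consecutive live nodes of a hash ring."""
        if not self.nodes:
            return []
        copies = min(self.owners, len(self.nodes))
        start = int(hashlib.sha256(key.encode()).hexdigest(), 16) % len(self.nodes)
        return [self.nodes[(start + i) % len(self.nodes)] for i in range(copies)]

    def put(self, key: str, value: dict) -> None:
        for node in self.owners_for(key):
            self.store[node][key] = value

    def get(self, key: str) -> Optional[dict]:
        """A read succeeds if any live node still holds a copy."""
        for node in self.nodes:
            if key in self.store[node]:
                return self.store[node][key]
        return None

    def kill(self, node: str) -> None:
        """Node crash: its copies vanish and it leaves the cluster view."""
        self.nodes.remove(node)
        del self.store[node]

    def rebalance(self) -> None:
        """Restore `owners` copies on the surviving view; this is what the
        ISPN000310/ISPN000336 'cluster-wide rebalance' log lines report."""
        entries: Dict[str, dict] = {}
        for node in self.nodes:
            entries.update(self.store[node])
        for key, value in entries.items():
            self.put(key, value)


def userinfo_status(cache: DistributedCacheModel, session_id: str) -> int:
    """Intended userinfo behaviour: 200 when the session is found, an error
    status when it is gone. (1.3.1 threw the NPE shown in the thread instead;
    tracked as KEYCLOAK-1710.)"""
    return 200 if cache.get(session_id) is not None else 401


def survivors_after_failures(nodes: Iterable[str], owners: int,
                             session_ids: List[str], failures: List[str],
                             sync_between_failures: bool) -> int:
    """Log in every session, crash the nodes in `failures` in order and count
    how many sessions the userinfo endpoint can still serve."""
    cache = DistributedCacheModel(nodes, owners)
    for sid in session_ids:
        cache.put(sid, {"sub": "user-" + sid})
    for dead in failures:
        cache.kill(dead)
        if sync_between_failures:
            cache.rebalance()   # "wait for some time so that Infinispan can sync"
    return sum(1 for sid in session_ids if userinfo_status(cache, sid) == 200)


SESSIONS = ["sess-%03d" % i for i in range(40)]   # constructed session ids
TWO = ["test-server-110", "test-server-111"]       # node names from the thread
THREE = TWO + ["test-server-112"]                  # constructed third node

if __name__ == "__main__":
    n = len(SESSIONS)
    print("2 nodes, owners=1, one dies:", survivors_after_failures(TWO, 1, SESSIONS, TWO[1:], False), "/", n)
    print("2 nodes, owners=2, one dies:", survivors_after_failures(TWO, 2, SESSIONS, TWO[1:], False), "/", n)
    print("3 nodes, owners=2, two die, no sync:", survivors_after_failures(THREE, 2, SESSIONS, TWO, False), "/", n)
    print("3 nodes, owners=2, two die, synced:", survivors_after_failures(THREE, 2, SESSIONS, TWO, True), "/", n)
    print("3 nodes, replicated (owners=3), two die:", survivors_after_failures(THREE, 3, SESSIONS, TWO, False), "/", n)
```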
From rajat.nair at hp.com Mon Jul 27 09:41:36 2015
From: rajat.nair at hp.com (Nair, Rajat)
Date: Mon, 27 Jul 2015 13:41:36 +0000
Subject: [keycloak-user] Distributed Keycloak user sessions using Infinispan
In-Reply-To: <59651412.706872.1438003614393.JavaMail.zimbra@redhat.com>
References: <172557795.659190.1437999857925.JavaMail.zimbra@redhat.com> <1204411095.666223.1438000619434.JavaMail.zimbra@redhat.com> <59651412.706872.1438003614393.JavaMail.zimbra@redhat.com>
Message-ID:

> Do you have both nodes fully up and running before you kill one node?

Yes. This is what we tried -

Case 1
1. Two node cluster (both running Keycloak engines) - both up and running. Configured load balancing using mod_cluster.
2. Login and get token.
3. Bring down one node.
4. Get user info using existing token. This is when we get NPE.

Case 2
1. Start with 1 Node down. We bring it back up. We wait for some time so that Infinispan can sync.
2. Bring down other node.
3. Try to get user info using existing token. Again we see NPE.

> It's a bug - if session is expired it should return an error message, not a NPE (see https://issues.jboss.org/browse/KEYCLOAK-1710)

Thanks for tracking this.
-- Rajat
> > > > ----- Original Message ----- > > > From: "Rajat Nair" > > > To: keycloak-user at lists.jboss.org > > > Sent: Monday, 27 July, 2015 2:03:47 PM > > > Subject: [keycloak-user] Distributed Keycloak user sessions using > > > Infinispan > > > > > > > > > > > > Hi, > > > > > > > > > > > > I?m in the process of setting up distributed user sessions using > > > Infinispan on my Keycloak cluster. This is the configuration I use > > > ? > > > > > > > > jndi-name="java:jboss/infinispan/Keycloak"> > > > lock-timeout="60000"/> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > And in server.logs, I can see my servers communicate ? > > > > > > 2015-07-27 10:27:24,662 INFO [org.infinispan.CLUSTER] > > > (remote-thread--p3-t7) > > > ISPN000310: Starting cluster-wide rebalance for cache users, > > > topology CacheTopology{id=57, rebalanceId=17, > > > currentCH=ReplicatedConsistentHash{ns > > > = > > > 60, owners = (1)[test-server-110: 60]}, > > > pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[test-server-110: > > > 30, test-server-111: 30]}, unionCH=null, > > > actualMembers=[test-server-110, test-server-111]} > > > > > > 2015-07-27 10:27:24,665 INFO [org.infinispan.CLUSTER] > > > (remote-thread--p3-t10) > > > ISPN000310: Starting cluster-wide rebalance for cache realms, > > > topology CacheTopology{id=57, rebalanceId=17, > > > currentCH=ReplicatedConsistentHash{ns > > > = > > > 60, owners = (1)[test-server-110: 60]}, > > > pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[test-server-110: > > > 30, test-server-111: 30]}, unionCH=null, > > > actualMembers=[test-server-110, test-server-111]} > > > > > > 2015-07-27 10:27:24,665 INFO [org.infinispan.CLUSTER] > > > (remote-thread--p3-t8) > > > ISPN000310: Starting cluster-wide rebalance for cache > > > loginFailures, topology CacheTopology{id=57, rebalanceId=17, > > > currentCH=DefaultConsistentHash{ns=80, owners = (1)[test-server-110: > > > 80+0]}, > > > 
pendingCH=DefaultConsistentHash{ns=80, owners = (2)[test-server-110: > > > 40+0, > > > test-server-111: 40+0]}, unionCH=null, > > > actualMembers=[test-server-110, test-server-111]} > > > > > > 2015-07-27 10:27:24,669 INFO [org.infinispan.CLUSTER] > > > (remote-thread--p3-t9) > > > ISPN000310: Starting cluster-wide rebalance for cache sessions, > > > topology CacheTopology{id=56, rebalanceId=17, > > > currentCH=DefaultConsistentHash{ns=80, > > > owners = (1)[test-server-110: 80+0]}, > > > pendingCH=DefaultConsistentHash{ns=80, > > > owners = (2)[test-server-110: 40+0, test-server-111: 40+0]}, > > > unionCH=null, actualMembers=[test-server-110, test-server-111]} > > > > > > 2015-07-27 10:27:24,808 INFO [org.infinispan.CLUSTER] > > > (remote-thread--p3-t9) > > > ISPN000336: Finished cluster-wide rebalance for cache > > > loginFailures, topology id = 57 > > > > > > 2015-07-27 10:27:24,810 INFO [org.infinispan.CLUSTER] > > > (remote-thread--p3-t12) > > > ISPN000336: Finished cluster-wide rebalance for cache sessions, > > > topology id = 56 > > > > > > 2015-07-27 10:27:24,988 INFO [org.infinispan.CLUSTER] > > > (remote-thread--p3-t12) > > > ISPN000336: Finished cluster-wide rebalance for cache realms, > > > topology id = > > > 57 > > > > > > 2015-07-27 10:27:25,530 INFO [org.infinispan.CLUSTER] > > > (remote-thread--p3-t8) > > > ISPN000336: Finished cluster-wide rebalance for cache users, > > > topology id = > > > 57 > > > > > > > > > > > > I can successfully login, get a token and fetch user details with > > > this token. > > > > > > > > > > > > Problem is, if one of the nodes on the cluster goes down and if we > > > try to reuse a token which was already issued (so workflow is ? > > > user logins in, get token, (a node in the cluster goes down) and > > > then fetch user details using > > > token) ? we see an internal server exception. From the logs ? 
> > > > > > > > > > > > 2015-07-27 10:24:25,714 ERROR [io.undertow.request] (default > > > task-1) > > > UT005023: Exception handling request to > > > /auth/realms/scaletest/protocol/openid-connect/userinfo: > > > java.lang.RuntimeException: request path: > > > /auth/realms/scaletest/protocol/openid-connect/userinfo > > > > > > at > > > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilte > > > r( > > > KeycloakSessionServletFilter.java:54) > > > > > > at > > > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java > > > :6 > > > 0) > > > > > > at > > > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilte > > > r( > > > FilterHandler.java:132) > > > > > > at > > > io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHan > > > dl > > > er.java:85) > > > > > > at > > > io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.h > > > an > > > dleRequest(ServletSecurityRoleHandler.java:62) > > > > > > at > > > io.undertow.servlet.handlers.ServletDispatchingHandler.handleReque > > > st > > > (ServletDispatchingHandler.java:36) > > > > > > at > > > org.wildfly.extension.undertow.security.SecurityContextAssociation > > > Ha > > > ndler.handleRequest(SecurityContextAssociationHandler.java:78) > > > > > > at > > > io.undertow.server.handlers.PredicateHandler.handleRequest(Predica > > > te > > > Handler.java:43) > > > > > > at > > > io.undertow.servlet.handlers.security.SSLInformationAssociationHan > > > dl > > > er.handleRequest(SSLInformationAssociationHandler.java:131) > > > > > > at > > > io.undertow.servlet.handlers.security.ServletAuthenticationCallHan > > > dl > > > er.handleRequest(ServletAuthenticationCallHandler.java:57) > > > > > > at > > > io.undertow.server.handlers.PredicateHandler.handleRequest(Predica > > > te > > > Handler.java:43) > > > > > > at > > > io.undertow.security.handlers.AbstractConfidentialityHandler.handl > > > eR > > > equest(AbstractConfidentialityHandler.java:46) > > > > > > at > > > 
io.undertow.servlet.handlers.security.ServletConfidentialityConstr > > > ai > > > ntHandler.handleRequest(ServletConfidentialityConstraintHandler.ja > > > va > > > :64) > > > > > > at > > > io.undertow.security.handlers.AuthenticationMechanismsHandler.hand > > > le > > > Request(AuthenticationMechanismsHandler.java:58) > > > > > > at > > > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHa > > > nd > > > ler.handleRequest(CachedAuthenticatedSessionHandler.java:72) > > > > > > at > > > io.undertow.security.handlers.NotificationReceiverHandler.handleRe > > > qu > > > est(NotificationReceiverHandler.java:50) > > > > > > at > > > io.undertow.security.handlers.SecurityInitialHandler.handleRequest > > > (S > > > ecurityInitialHandler.java:76) > > > > > > at > > > io.undertow.server.handlers.PredicateHandler.handleRequest(Predica > > > te > > > Handler.java:43) > > > > > > at > > > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler. > > > ha > > > ndleRequest(JACCContextIdHandler.java:61) > > > > > > at > > > io.undertow.server.handlers.PredicateHandler.handleRequest(Predica > > > te > > > Handler.java:43) > > > > > > at > > > io.undertow.server.handlers.PredicateHandler.handleRequest(Predica > > > te > > > Handler.java:43) > > > > > > at > > > io.undertow.server.handlers.MetricsHandler.handleRequest(MetricsHa > > > nd > > > ler.java:62) > > > > > > at > > > io.undertow.servlet.core.MetricsChainHandler.handleRequest(Metrics > > > Ch > > > ainHandler.java:59) > > > > > > at > > > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequ > > > es > > > t(ServletInitialHandler.java:274) > > > > > > at > > > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest > > > (S > > > ervletInitialHandler.java:253) > > > > > > at > > > io.undertow.servlet.handlers.ServletInitialHandler.access$000(Serv > > > le > > > tInitialHandler.java:80) > > > > > > at > > > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest > > > 
(S > > > ervletInitialHandler.java:172) > > > > > > at > > > io.undertow.server.Connectors.executeRootHandler(Connectors.java:1 > > > 99 > > > ) > > > > > > at > > > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java: > > > 774) > > > > > > at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown > > > Source) > > > > > > at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown > > > Source) > > > > > > at java.lang.Thread.run(Unknown Source) > > > > > > Caused by: org.jboss.resteasy.spi.UnhandledException: > > > java.lang.NullPointerException > > > > > > at > > > org.jboss.resteasy.core.ExceptionHandler.handleApplicationExceptio > > > n( > > > ExceptionHandler.java:76) > > > > > > at > > > org.jboss.resteasy.core.ExceptionHandler.handleException(Exception > > > Ha > > > ndler.java:212) > > > > > > at > > > org.jboss.resteasy.core.SynchronousDispatcher.writeException(Synch > > > ro > > > nousDispatcher.java:149) > > > > > > at > > > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDi > > > sp > > > atcher.java:372) > > > > > > at > > > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDi > > > sp > > > atcher.java:179) > > > > > > at > > > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatch > > > er > > > .service(ServletContainerDispatcher.java:220) > > > > > > at > > > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.se > > > rv > > > ice(HttpServletDispatcher.java:56) > > > > > > at > > > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.se > > > rv > > > ice(HttpServletDispatcher.java:51) > > > > > > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > > > > > > at > > > io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletH > > > an > > > dler.java:86) > > > > > > at > > > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilte > > > r( > > > FilterHandler.java:130) > > > > > > at > > > 
org.keycloak.services.filters.ClientConnectionFilter.doFilter(Clie > > > nt > > > ConnectionFilter.java:41) > > > > > > at > > > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java > > > :6 > > > 0) > > > > > > at > > > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilte > > > r( > > > FilterHandler.java:132) > > > > > > at > > > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilte > > > r( > > > KeycloakSessionServletFilter.java:40) > > > > > > ... 31 more > > > > > > Caused by: java.lang.NullPointerException > > > > > > at > > > org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.issueUserInf > > > o( > > > UserInfoEndpoint.java:128) > > > > > > at > > > org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.issueUserInf > > > oG > > > et(UserInfoEndpoint.java:101) > > > > > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > > > > > at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) > > > > > > at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) > > > > > > at java.lang.reflect.Method.invoke(Unknown Source) > > > > > > at > > > org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorIm > > > pl > > > .java:137) > > > > > > at > > > org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(Resou > > > rc > > > eMethodInvoker.java:296) > > > > > > at > > > org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMetho > > > dI > > > nvoker.java:250) > > > > > > at > > > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObjec > > > t( > > > ResourceLocatorInvoker.java:140) > > > > > > at > > > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLoca > > > to > > > rInvoker.java:109) > > > > > > at > > > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObjec > > > t( > > > ResourceLocatorInvoker.java:135) > > > > > > at > > > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLoca > > > to > > > rInvoker.java:103) > > > 
> > > at > > > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDi > > > sp > > > atcher.java:356) > > > > > > ... 42 more > > > > > > > > > > > > > > > > > > The user guide says ? > > > > > > If you need to prevent node failures from requiring users to log > > > in again, set the owners attribute to 2 or more for the sessions > > > cache > > > > > > > > > > > > Questions - > > > > > > 1. Have we configured Infinispan incorrectly? We don?t want the > > > users to login again if any of the nodes in the cluster go down. > > > > > > 2. Will changing distributed-cache to replicated-cache help in > > > this scenario? > > > > > > 3. Any way we can see the contents of the cache? > > > > > > > > > > > > -- Rajat > > > > > > > > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > From stian at redhat.com Mon Jul 27 09:45:46 2015 From: stian at redhat.com (Stian Thorgersen) Date: Mon, 27 Jul 2015 09:45:46 -0400 (EDT) Subject: [keycloak-user] Distributed Keycloak user sessions using Infinispan In-Reply-To: References: <172557795.659190.1437999857925.JavaMail.zimbra@redhat.com> <1204411095.666223.1438000619434.JavaMail.zimbra@redhat.com> <59651412.706872.1438003614393.JavaMail.zimbra@redhat.com> Message-ID: <1045151906.720245.1438004746473.JavaMail.zimbra@redhat.com> Can you send me your standalone-ha.xml and keycloak-server.json? ----- Original Message ----- > From: "Rajat Nair" > To: "Stian Thorgersen" > Cc: keycloak-user at lists.jboss.org > Sent: Monday, 27 July, 2015 3:41:36 PM > Subject: RE: [keycloak-user] Distributed Keycloak user sessions using Infinispan > > > Do you have both nodes fully up and running before you kill one node? > Yes. 
> This is what we tried -
> Case 1
> 1. Two node cluster (both running Keycloak engines) - both up and running. Configured load balancing using mod_cluster.
> 2. Login and get token.
> 3. Bring down one node.
> 4. Get user info using existing token. This is when we get NPE.
>
> Case 2
> 1. Start with 1 Node down. We bring it back up. We wait for some time so that Infinispan can sync.
> 2. Bring down other node.
> 3. Try to get user info using existing token. Again we see NPE.
>
> > It's a bug - if session is expired it should return an error message, not a NPE (see https://issues.jboss.org/browse/KEYCLOAK-1710)
> Thanks for tracking this.
>
> -- Rajat
>
> ----- Original Message -----
> > From: "Rajat Nair"
> > To: "Stian Thorgersen"
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Monday, 27 July, 2015 3:20:27 PM
> > Subject: RE: [keycloak-user] Distributed Keycloak user sessions using Infinispan
> >
> > Thanks for quick reply Stian.
> >
> > > What version?
> > We are using Keycloak 1.3.1 Final.
> >
> > > Did you remember to change userSessions provider to infinispan in keycloak-server.json?
> > Yes. We got following in keycloak-server.json -
> > "userSessions": {
> > "provider": "infinispan"
> > }
> >
> > > Firstly owners="2" should work fine as long as only one node dies and the other remains active. Secondly it should return a NPE, but an error if user session is not found.
> > Could you elaborate on your 2nd point?
>
> Do you have both nodes fully up and running before you kill one node?
> > It's a bug - if session is expired it should return an error message, not a NPE (see https://issues.jboss.org/browse/KEYCLOAK-1710)
> >
> > -- Rajat
> >
> > -----Original Message-----
> > From: Stian Thorgersen [mailto:stian at redhat.com]
> > Sent: 27 July 2015 18:07
> > To: Nair, Rajat
> > Cc: keycloak-user at lists.jboss.org
> > Subject: Re: [keycloak-user] Distributed Keycloak user sessions using Infinispan
> >
> > Did you remember to change userSessions provider to infinispan in keycloak-server.json?
> >
> > ----- Original Message -----
> > > From: "Stian Thorgersen"
> > > To: "Rajat Nair"
> > > Cc: keycloak-user at lists.jboss.org
> > > Sent: Monday, 27 July, 2015 2:24:17 PM
> > > Subject: Re: [keycloak-user] Distributed Keycloak user sessions using Infinispan
> > >
> > > What version?
> > >
> > > Firstly owners="2" should work fine as long as only one node dies and the other remains active. Secondly it should return a NPE, but an error if user session is not found.
> > >
> > > ----- Original Message -----
> > > > From: "Rajat Nair"
> > > > To: keycloak-user at lists.jboss.org
> > > > Sent: Monday, 27 July, 2015 2:03:47 PM
> > > > Subject: [keycloak-user] Distributed Keycloak user sessions using Infinispan
From rajat.nair at hp.com Mon Jul 27 09:45:13 2015
From: rajat.nair at hp.com (Nair, Rajat)
Date: Mon, 27 Jul 2015 13:45:13 +0000
Subject: [keycloak-user] Distributed Keycloak user sessions using Infinispan
In-Reply-To: <90967314.715102.1438004282164.JavaMail.zimbra@redhat.com>
References: <172557795.659190.1437999857925.JavaMail.zimbra@redhat.com> <1204411095.666223.1438000619434.JavaMail.zimbra@redhat.com> <59651412.706872.1438003614393.JavaMail.zimbra@redhat.com> <90967314.715102.1438004282164.JavaMail.zimbra@redhat.com>
Message-ID:

Is this working on Keycloak 1.3.1 Final?

Can you describe your node - network setup? I mean, did you run 2 Keycloak nodes in standalone HA mode on different boxes? Only additional thing in our setup is Mod_cluster.
-- Rajat

-----Original Message-----
From: Stian Thorgersen [mailto:stian at redhat.com]
Sent: 27 July 2015 19:08
To: Nair, Rajat
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Distributed Keycloak user sessions using Infinispan

Just confirmed that this is working fine here with distributed cache and owners=2. I can stop/start nodes and still get user info.

----- Original Message -----
> From: "Stian Thorgersen"
> To: "Rajat Nair"
> Cc: keycloak-user at lists.jboss.org
> Sent: Monday, 27 July, 2015 3:26:54 PM
> Subject: Re: [keycloak-user] Distributed Keycloak user sessions using Infinispan
>
> ----- Original Message -----
> > From: "Rajat Nair"
> > To: "Stian Thorgersen"
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Monday, 27 July, 2015 3:20:27 PM
> > Subject: RE: [keycloak-user] Distributed Keycloak user sessions using Infinispan
> >
> > Thanks for quick reply Stian.
> >
> > > What version?
> > We are using Keycloak 1.3.1 Final.
> >
> > > Did you remember to change userSessions provider to infinispan in keycloak-server.json?
> > Yes. We got following in keycloak-server.json -
> > "userSessions": {
> > "provider": "infinispan"
> > }
> >
> > > Firstly owners="2" should work fine as long as only one node dies and the other remains active. Secondly it should return a NPE, but an error if user session is not found.
> > Could you elaborate on your 2nd point?
>
> Do you have both nodes fully up and running before you kill one node?
> > It's a bug - if session is expired it should return an error message, not a NPE (see https://issues.jboss.org/browse/KEYCLOAK-1710)
> >
> > -- Rajat
> >
> > -----Original Message-----
> > From: Stian Thorgersen [mailto:stian at redhat.com]
> > Sent: 27 July 2015 18:07
> > To: Nair, Rajat
> > Cc: keycloak-user at lists.jboss.org
> > Subject: Re: [keycloak-user] Distributed Keycloak user sessions using Infinispan
> >
> > Did you remember to change userSessions provider to infinispan in keycloak-server.json?
> >
> > ----- Original Message -----
> > > From: "Stian Thorgersen"
> > > To: "Rajat Nair"
> > > Cc: keycloak-user at lists.jboss.org
> > > Sent: Monday, 27 July, 2015 2:24:17 PM
> > > Subject: Re: [keycloak-user] Distributed Keycloak user sessions using Infinispan
> > >
> > > What version?
> > >
> > > Firstly owners="2" should work fine as long as only one node dies and the other remains active. Secondly it should return a NPE, but an error if user session is not found.
> > >
> > > ----- Original Message -----
> > > > From: "Rajat Nair"
> > > > To: keycloak-user at lists.jboss.org
> > > > Sent: Monday, 27 July, 2015 2:03:47 PM
> > > > Subject: [keycloak-user] Distributed Keycloak user sessions using Infinispan
> > > >
> > > > 2015-07-27 10:27:24,662 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t7) ISPN000310: Starting cluster-wide rebalance for cache users, topology CacheTopology{id=57, rebalanceId=17, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[test-server-110: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[test-server-110: 30, test-server-111: 30]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
> > > >
> > > > 2015-07-27 10:27:24,665 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t10) ISPN000310: Starting cluster-wide rebalance for cache realms, topology CacheTopology{id=57, rebalanceId=17, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[test-server-110: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[test-server-110: 30, test-server-111: 30]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
> > > >
> > > > 2015-07-27 10:27:24,665 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t8) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=57, rebalanceId=17, currentCH=DefaultConsistentHash{ns=80, owners = (1)[test-server-110: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[test-server-110: 40+0, test-server-111: 40+0]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
> > > >
> > > > 2015-07-27 10:27:24,669 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t9) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=56, rebalanceId=17, currentCH=DefaultConsistentHash{ns=80, owners = (1)[test-server-110: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[test-server-110: 40+0, test-server-111: 40+0]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
> > > >
> > > > 2015-07-27 10:27:24,808 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t9) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 57
> > > >
> > > > 2015-07-27 10:27:24,810 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t12) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 56
> > > >
> > > > 2015-07-27 10:27:24,988 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t12) ISPN000336: Finished cluster-wide rebalance for cache realms, topology id = 57
> > > >
> > > > 2015-07-27 10:27:25,530 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t8) ISPN000336: Finished cluster-wide rebalance for cache users, topology id = 57
> > > >
> > > > I can successfully login, get a token and fetch user details with this token.
> > > >
> > > > Problem is, if one of the nodes on the cluster goes down and if we try to reuse a token which was already issued (so workflow is - user logs in, get token, (a node in the cluster goes down) and then fetch user details using token) - we see an internal server exception. From the logs -
> > > >
> > > > 2015-07-27 10:24:25,714 ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /auth/realms/scaletest/protocol/openid-connect/userinfo: java.lang.RuntimeException: request path: /auth/realms/scaletest/protocol/openid-connect/userinfo
> > > > at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54)
> > > > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> > > > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
> > > > at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
> > > > at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> > > > at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> > > > at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> > > > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> > > > at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> > > > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> > > > at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> > > > at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
> > > > at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
> > > > at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> > > > at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
> > > > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> > > > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > at io.undertow.server.handlers.MetricsHandler.handleRequest(MetricsHandler.java:62)
> > > > at io.undertow.servlet.core.MetricsChainHandler.handleRequest(MetricsChainHandler.java:59)
> > > > at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:274)
> > > > at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:253)
> > > > at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
> > > > at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
> > > > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
> > > > at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
> > > > at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
> > > > at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
> > > > at java.lang.Thread.run(Unknown Source)
> > > > Caused by: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
> > > > at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
> > > > at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
> > > > at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
> > > > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
> > > > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
> > > > at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
> > > > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> > > > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> > > > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> > > > at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
> > > > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
> > > > at org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41)
> > > > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> > > > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
> > > > at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40)
> > > > ... 31 more
> > > > Caused by: java.lang.NullPointerException
> > > > at org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.issueUserInfo(UserInfoEndpoint.java:128)
> > > > at org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.issueUserInfoGet(UserInfoEndpoint.java:101)
> > > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > > at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> > > > at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> > > > at java.lang.reflect.Method.invoke(Unknown Source)
> > > > at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
> > > > at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
> > > > at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
> > > > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
> > > > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
> > > > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
> > > > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
> > > > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
> > > > ... 42 more
> > > >
> > > > The user guide says -
> > > >
> > > > If you need to prevent node failures from requiring users to log in again, set the owners attribute to 2 or more for the sessions cache
> > > >
> > > > Questions -
> > > >
> > > > 1. Have we configured Infinispan incorrectly? We don't want the users to login again if any of the nodes in the cluster go down.
> > > >
> > > > 2. Will changing distributed-cache to replicated-cache help in this scenario?
> > > >
> > > > 3. Any way we can see the contents of the cache?
> > > >
> > > > -- Rajat
> > > >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From stian at redhat.com Mon Jul 27 09:46:14 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 27 Jul 2015 09:46:14 -0400 (EDT)
Subject: [keycloak-user] Distributed Keycloak user sessions using Infinispan
In-Reply-To: <1045151906.720245.1438004746473.JavaMail.zimbra@redhat.com>
References: <172557795.659190.1437999857925.JavaMail.zimbra@redhat.com> <1204411095.666223.1438000619434.JavaMail.zimbra@redhat.com> <59651412.706872.1438003614393.JavaMail.zimbra@redhat.com> <1045151906.720245.1438004746473.JavaMail.zimbra@redhat.com>
Message-ID: <1732913135.720424.1438004774275.JavaMail.zimbra@redhat.com>

Also, any chance you can try it out with master? I've been testing with that as we're about to do 1.4 release soon

----- Original Message -----
> From: "Stian Thorgersen"
> To: "Rajat Nair"
> Cc: keycloak-user at lists.jboss.org
> Sent: Monday, 27 July, 2015 3:45:46 PM
> Subject: Re: [keycloak-user] Distributed Keycloak user sessions using Infinispan
>
> Can you send me your standalone-ha.xml and keycloak-server.json?
>
> ----- Original Message -----
> > From: "Rajat Nair"
> > To: "Stian Thorgersen"
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Monday, 27 July, 2015 3:41:36 PM
> > Subject: RE: [keycloak-user] Distributed Keycloak user sessions using Infinispan
> >
> > > Do you have both nodes fully up and running before you kill one node?
> > Yes.
> > This is what we tried -
> > Case 1
> > 1. Two node cluster (both running Keycloak engines) - both up and running. Configured load balancing using mod_cluster.
> > 2. Login and get token.
> > 3. Bring down one node.
> > 4. Get user info using existing token. This is when we get NPE.
> >
> > Case 2
> > 1. Start with 1 Node down. We bring it back up. We wait for some time so that Infinispan can sync.
> > 2. Bring down other node.
> > 3. Try to get user info using existing token. Again we see NPE.
> >
> > > It's a bug - if session is expired it should return an error message, not a NPE (see https://issues.jboss.org/browse/KEYCLOAK-1710)
> > Thanks for tracking this.
> >
> > -- Rajat
> >
> > ----- Original Message -----
> > > From: "Rajat Nair"
> > > To: "Stian Thorgersen"
> > > Cc: keycloak-user at lists.jboss.org
> > > Sent: Monday, 27 July, 2015 3:20:27 PM
> > > Subject: RE: [keycloak-user] Distributed Keycloak user sessions using Infinispan
> > >
> > > Thanks for quick reply Stian.
> > >
> > > > What version?
> > > We are using Keycloak 1.3.1 Final.
> > >
> > > > Did you remember to change userSessions provider to infinispan in keycloak-server.json?
> > > Yes. We got following in keycloak-server.json -
> > > "userSessions": {
> > > "provider": "infinispan"
> > > }
> > >
> > > > Firstly owners="2" should work fine as long as only one node dies and the other remains active. Secondly it should return a NPE, but an error if user session is not found.
> > > Could you elaborate on your 2nd point?
> >
> > Do you have both nodes fully up and running before you kill one node?
> >
> > It's a bug - if session is expired it should return an error message, not a NPE (see https://issues.jboss.org/browse/KEYCLOAK-1710)
> >
> > > -- Rajat
> > >
> > > -----Original Message-----
> > > From: Stian Thorgersen [mailto:stian at redhat.com]
> > > Sent: 27 July 2015 18:07
> > > To: Nair, Rajat
> > > Cc: keycloak-user at lists.jboss.org
> > > Subject: Re: [keycloak-user] Distributed Keycloak user sessions using Infinispan
> > >
> > > Did you remember to change userSessions provider to infinispan in keycloak-server.json?
> > >
> > > ----- Original Message -----
> > > > From: "Stian Thorgersen"
> > > > To: "Rajat Nair"
> > > > Cc: keycloak-user at lists.jboss.org
> > > > Sent: Monday, 27 July, 2015 2:24:17 PM
> > > > Subject: Re: [keycloak-user] Distributed Keycloak user sessions using Infinispan
> > > >
> > > > What version?
> > > >
> > > > Firstly owners="2" should work fine as long as only one node dies and the other remains active. Secondly it should return a NPE, but an error if user session is not found.
> > > >
> > > > ----- Original Message -----
> > > > > From: "Rajat Nair"
> > > > > To: keycloak-user at lists.jboss.org
> > > > > Sent: Monday, 27 July, 2015 2:03:47 PM
> > > > > Subject: [keycloak-user] Distributed Keycloak user sessions using Infinispan
> > > > >
> > > > > Hi,
> > > > >
> > > > > I'm in the process of setting up distributed user sessions using Infinispan on my Keycloak cluster. This is the configuration I use -
> > > > >
> > > > > jndi-name="java:jboss/infinispan/Keycloak">
> > > > > lock-timeout="60000"/>
> > > > >
> > > > > And in server.logs, I can see my servers communicate -
> > > > >
> > > > > 2015-07-27 10:27:24,662 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t7) ISPN000310: Starting cluster-wide rebalance for cache users, topology CacheTopology{id=57, rebalanceId=17, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[test-server-110: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[test-server-110: 30, test-server-111: 30]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
> > > > >
> > > > > 2015-07-27 10:27:24,665 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t10) ISPN000310: Starting cluster-wide rebalance for cache realms, topology CacheTopology{id=57, rebalanceId=17, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[test-server-110: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[test-server-110: 30, test-server-111: 30]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
> > > > >
> > > > > 2015-07-27 10:27:24,665 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t8) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=57, rebalanceId=17, currentCH=DefaultConsistentHash{ns=80, owners = (1)[test-server-110: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[test-server-110: 40+0, test-server-111: 40+0]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
> > > > >
> > > > > 2015-07-27 10:27:24,669 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t9) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=56, rebalanceId=17, currentCH=DefaultConsistentHash{ns=80, owners = (1)[test-server-110: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[test-server-110: 40+0, test-server-111: 40+0]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
> > > > >
> > > > > 2015-07-27 10:27:24,808 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t9) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 57
> > > > >
> > > > > 2015-07-27 10:27:24,810 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t12) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 56
> > > > >
> > > > > 2015-07-27 10:27:24,988 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t12) ISPN000336: Finished cluster-wide rebalance for cache realms, topology id = 57
> > > > >
> > > > > 2015-07-27 10:27:25,530 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t8) ISPN000336: Finished cluster-wide rebalance for cache users, topology id = 57
> > > > >
> > > > > I can successfully login, get a token and fetch user details with this token.
> > > > >
> > > > > Problem is, if one of the nodes on the cluster goes down and if we try to reuse a token which was already issued (so workflow is - user logs in, get token, (a node in the cluster goes down) and then fetch user details using token) - we see an internal server exception. From the logs -
> > > > >
> > > > > 2015-07-27 10:24:25,714 ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /auth/realms/scaletest/protocol/openid-connect/userinfo: java.lang.RuntimeException: request path: /auth/realms/scaletest/protocol/openid-connect/userinfo
> > > > > at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54)
> > > > > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> > > > > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
> > > > > at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
> > > > > at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> > > > > at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> > > > > at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> > > > > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > > at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> > > > > at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> > > > > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > > at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> > > > > at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> > > > > at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
> > > > > at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
> > > > > at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> > > > > at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
> > > > > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > > at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> > > > > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > > at io.undertow.server.handlers.MetricsHandler.handleRequest(MetricsHandler.java:62)
> > > > > at io.undertow.servlet.core.MetricsChainHandler.handleRequest(MetricsChainHandler.java:59)
> > > > > at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:274)
> > > > > at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:253)
> > > > > at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
> > > > > at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
> > > > > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
> > > > > at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
> > > > > at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
> > > > > at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
> > > > > at java.lang.Thread.run(Unknown Source)
> > > > > Caused by: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
> > > > > at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
> > > > > at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
> > > > > at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
> > > > > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
> > > > > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
> > > > > at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
> > > > > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> > > > > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> > > > > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> > > > > at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
> > > > > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
> > > > > at org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41)
> > > > > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> > > > > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
> > > > > at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40)
> > > > > ... 31 more
> > > > > Caused by: java.lang.NullPointerException
> > > > > at org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.issueUserInfo(UserInfoEndpoint.java:128)
> > > > > at org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.issueUserInfoGet(UserInfoEndpoint.java:101)
> > > > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > > > at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> > > > > at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> > > > > at java.lang.reflect.Method.invoke(Unknown Source)
> > > > > at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
> > > > > at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
> > > > > at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
> > > > > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
> > > > > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
> > > > > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
> > > > > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
> > > > > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
> > > > > ... 42 more
> > > > >
> > > > > The user guide says -
> > > > >
> > > > > If you need to prevent node failures from requiring users to log in again, set the owners attribute to 2 or more for the sessions cache
> > > > >
> > > > > Questions -
> > > > >
> > > > > 1. Have we configured Infinispan incorrectly? We don't want the users to login again if any of the nodes in the cluster go down.
> > > > >
> > > > > 2. Will changing distributed-cache to replicated-cache help in this scenario?
> > > > >
> > > > > 3. Any way we can see the contents of the cache?
> > > > >
> > > > > -- Rajat
> > > > >
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >

From stian at redhat.com Mon Jul 27 09:48:59 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 27 Jul 2015 09:48:59 -0400 (EDT)
Subject: [keycloak-user] Distributed Keycloak user sessions using Infinispan
In-Reply-To:
References: <172557795.659190.1437999857925.JavaMail.zimbra@redhat.com> <1204411095.666223.1438000619434.JavaMail.zimbra@redhat.com> <59651412.706872.1438003614393.JavaMail.zimbra@redhat.com> <90967314.715102.1438004282164.JavaMail.zimbra@redhat.com>
Message-ID: <903258624.721440.1438004939195.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Rajat Nair"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Monday, 27 July, 2015 3:45:13 PM
> Subject: RE: [keycloak-user] Distributed Keycloak user sessions using Infinispan
>
> Is this working on Keycloak 1.3.1 Final?
> > Can you describe your node - network setup? I mean, did you run 2 Keycloak > nodes in standalone HA mode on different boxes? Only additional thing in our > setup is Mod_cluster. I've used Undertow as reverse proxy and 2 nodes running on same box using port-offset, but that shouldn't matter as long as clustering/jgroups is working. I've tested with master (soon to be released 1.4). As I'm busy with testing the release I don't have time to check with 1.3.1. > > -- Rajat > > -----Original Message----- > From: Stian Thorgersen [mailto:stian at redhat.com] > Sent: 27 July 2015 19:08 > To: Nair, Rajat > Cc: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Distributed Keycloak user sessions using > Infinispan > > Just confirmed that this is working fine here with distributed cache and > owners=2. I can stop/start nodes and still get user info. > > > ----- Original Message ----- > > From: "Stian Thorgersen" > > To: "Rajat Nair" > > Cc: keycloak-user at lists.jboss.org > > Sent: Monday, 27 July, 2015 3:26:54 PM > > Subject: Re: [keycloak-user] Distributed Keycloak user sessions using > > Infinispan > > > > > > > > ----- Original Message ----- > > > From: "Rajat Nair" > > > To: "Stian Thorgersen" > > > Cc: keycloak-user at lists.jboss.org > > > Sent: Monday, 27 July, 2015 3:20:27 PM > > > Subject: RE: [keycloak-user] Distributed Keycloak user sessions > > > using Infinispan > > > > > > Thanks for quick reply Stian. > > > > > > > What version? > > > We are using Keycloak 1.3.1 Final. > > > > > > > Did you remember to change userSessions provider to infinispan in > > > > keycloak-server.json? > > > Yes. We got following in keycloak-server.json - > > > "userSessions": { > > > "provider": "infinispan" > > > } > > > > > > > Firstly owners="2" should work fine as long as only one node dies > > > > and the other remains active. Secondly it should return a NPE, but > > > > an error if user session is not found. > > > Could you elaborate on your 2nd point? 
> >
> > Do you have both nodes fully up and running before you kill one node?
> >
> > It's a bug - if session is expired it should return an error message,
> > not a NPE (see https://issues.jboss.org/browse/KEYCLOAK-1710)
> >
> > >
> > > -- Rajat
> > >
> > > -----Original Message-----
> > > From: Stian Thorgersen [mailto:stian at redhat.com]
> > > Sent: 27 July 2015 18:07
> > > To: Nair, Rajat
> > > Cc: keycloak-user at lists.jboss.org
> > > Subject: Re: [keycloak-user] Distributed Keycloak user sessions using Infinispan
> > >
> > > Did you remember to change userSessions provider to infinispan in
> > > keycloak-server.json?
> > >
> > > ----- Original Message -----
> > > > From: "Stian Thorgersen"
> > > > To: "Rajat Nair"
> > > > Cc: keycloak-user at lists.jboss.org
> > > > Sent: Monday, 27 July, 2015 2:24:17 PM
> > > > Subject: Re: [keycloak-user] Distributed Keycloak user sessions using Infinispan
> > > >
> > > > What version?
> > > >
> > > > Firstly owners="2" should work fine as long as only one node dies
> > > > and the other remains active. Secondly it should return a NPE, but
> > > > an error if user session is not found.
> > > >
> > > > ----- Original Message -----
> > > > > From: "Rajat Nair"
> > > > > To: keycloak-user at lists.jboss.org
> > > > > Sent: Monday, 27 July, 2015 2:03:47 PM
> > > > > Subject: [keycloak-user] Distributed Keycloak user sessions using Infinispan
> > > > >
> > > > > Hi,
> > > > >
> > > > > I'm in the process of setting up distributed user sessions using
> > > > > Infinispan on my Keycloak cluster. This is the configuration I
> > > > > use:
> > > > >
> > > > > jndi-name="java:jboss/infinispan/Keycloak">
> > > > > lock-timeout="60000"/>
> > > > >
> > > > > And in server.logs, I can see my servers communicate:
> > > > >
> > > > > 2015-07-27 10:27:24,662 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t7) ISPN000310: Starting cluster-wide rebalance for cache users, topology CacheTopology{id=57, rebalanceId=17, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[test-server-110: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[test-server-110: 30, test-server-111: 30]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
> > > > >
> > > > > 2015-07-27 10:27:24,665 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t10) ISPN000310: Starting cluster-wide rebalance for cache realms, topology CacheTopology{id=57, rebalanceId=17, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[test-server-110: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[test-server-110: 30, test-server-111: 30]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
> > > > >
> > > > > 2015-07-27 10:27:24,665 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t8) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=57, rebalanceId=17, currentCH=DefaultConsistentHash{ns=80, owners = (1)[test-server-110: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[test-server-110: 40+0, test-server-111: 40+0]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
> > > > >
> > > > > 2015-07-27 10:27:24,669 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t9) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=56, rebalanceId=17, currentCH=DefaultConsistentHash{ns=80, owners = (1)[test-server-110: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[test-server-110: 40+0, test-server-111: 40+0]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
> > > > >
> > > > > 2015-07-27 10:27:24,808 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t9) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 57
> > > > >
> > > > > 2015-07-27 10:27:24,810 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t12) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 56
> > > > >
> > > > > 2015-07-27 10:27:24,988 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t12) ISPN000336: Finished cluster-wide rebalance for cache realms, topology id = 57
> > > > >
> > > > > 2015-07-27 10:27:25,530 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t8) ISPN000336: Finished cluster-wide rebalance for cache users, topology id = 57
> > > > >
> > > > > I can successfully login, get a token and fetch user details
> > > > > with this token.
> > > > >
> > > > > Problem is, if one of the nodes on the cluster goes down and if
> > > > > we try to reuse a token which was already issued (so workflow is:
> > > > > user logs in, gets token, (a node in the cluster goes down)
> > > > > and then fetches user details using token), we see an internal
> > > > > server exception. From the logs:
> > > > >
> > > > > 2015-07-27 10:24:25,714 ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /auth/realms/scaletest/protocol/openid-connect/userinfo: java.lang.RuntimeException: request path: /auth/realms/scaletest/protocol/openid-connect/userinfo
> > > > >     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54)
> > > > >     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> > > > >     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
> > > > >     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
> > > > >     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> > > > >     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> > > > >     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> > > > >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > >     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> > > > >     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> > > > >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > >     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> > > > >     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> > > > >     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
> > > > >     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
> > > > >     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> > > > >     at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
> > > > >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > >     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> > > > >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > >     at io.undertow.server.handlers.MetricsHandler.handleRequest(MetricsHandler.java:62)
> > > > >     at io.undertow.servlet.core.MetricsChainHandler.handleRequest(MetricsChainHandler.java:59)
> > > > >     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:274)
> > > > >     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:253)
> > > > >     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
> > > > >     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
> > > > >     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
> > > > >     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
> > > > >     at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
> > > > >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
> > > > >     at java.lang.Thread.run(Unknown Source)
> > > > > Caused by: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
> > > > >     at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
> > > > >     at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
> > > > >     at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
> > > > >     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
> > > > >     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
> > > > >     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
> > > > >     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> > > > >     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> > > > >     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> > > > >     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
> > > > >     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
> > > > >     at org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41)
> > > > >     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> > > > >     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
> > > > >     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40)
> > > > >     ... 31 more
> > > > > Caused by: java.lang.NullPointerException
> > > > >     at org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.issueUserInfo(UserInfoEndpoint.java:128)
> > > > >     at org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.issueUserInfoGet(UserInfoEndpoint.java:101)
> > > > >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > > >     at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> > > > >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> > > > >     at java.lang.reflect.Method.invoke(Unknown Source)
> > > > >     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
> > > > >     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
> > > > >     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
> > > > >     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
> > > > >     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
> > > > >     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
> > > > >     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
> > > > >     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
> > > > >     ... 42 more
> > > > >
> > > > > The user guide says:
> > > > >
> > > > > If you need to prevent node failures from requiring users to log
> > > > > in again, set the owners attribute to 2 or more for the sessions
> > > > > cache
> > > > >
> > > > > Questions -
> > > > >
> > > > > 1. Have we configured Infinispan incorrectly? We don't want the
> > > > > users to log in again if any of the nodes in the cluster go down.
> > > > >
> > > > > 2. Will changing distributed-cache to replicated-cache help in
> > > > > this scenario?
> > > > >
> > > > > 3. Any way we can see the contents of the cache?
> > > > >
> > > > > -- Rajat

From pablo.m.gore at gmail.com Mon Jul 27 11:29:25 2015
From: pablo.m.gore at gmail.com (Pablo Martin Gore)
Date: Mon, 27 Jul 2015 12:29:25 -0300
Subject: [keycloak-user] keycloack-server.war
Message-ID:

Hi

I have a maven project that is in charge of creating the tomcat distribution
for keycloak.
Until version 1.2.0-Beta1 we have used keycloak-server.war, but when I try
to migrate to keycloak 1.3.1-Final this dependency apparently does not
exist any more.

<artifactItem>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-server</artifactId>
    <version>1.3.1-Final</version>
    <type>war</type>
    <outputDirectory>${outputDirectoryForWar}</outputDirectory>
</artifactItem>

Could someone help me with this issue?
Where can I find the server war now, or what is the new name for this
dependency?
Thanks and regards.
Pablo Gore

Here is my pom.xml

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.keycloak</groupId>
        <artifactId>keycloak-parent</artifactId>
        <version>1.3.1-Final</version>
    </parent>

    <artifactId>keycloak-tomcat-dist</artifactId>
    <packaging>pom</packaging>
    <name>Tomcat 8 with Keycloack</name>
    <version>${project.parent.version}-1.0.4</version>
    <description/>

    <properties>
        <tomcat.version>8.0.20</tomcat.version>
        <jax.version>2.3.7.Final</jax.version>
        <jackson.version>1.9.9</jackson.version>
        <hibernate.version>4.2.7.SP1</hibernate.version>

        <outputDirectory>${project.build.directory}/unpacked</outputDirectory>
        <outputDirectoryConf>${outputDirectory}/apache-tomcat-${tomcat.version}/conf</outputDirectoryConf>
        <outputDirectoryForWar>${outputDirectory}/apache-tomcat-${tomcat.version}/webapps/keycloak</outputDirectoryForWar>
        <outputDirectoryForLibs>${outputDirectory}/apache-tomcat-${tomcat.version}/lib</outputDirectoryForLibs>
        <configFile>${outputDirectoryForWar}/WEB-INF/classes/META-INF/keycloak-server.json</configFile>
    </properties>

    <dependencies/>

    <build>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-deploy-plugin</artifactId>
                <configuration>
                    <skip>true</skip>
                </configuration>
            </plugin>

            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-dependency-plugin</artifactId>
                <executions>
                    <execution>
                        <id>unpack</id>
                        <phase>prepare-package</phase>
                        <goals><goal>unpack</goal></goals>
                        <configuration>
                            <artifactItems>
                                <artifactItem>
                                    <groupId>org.apache.tomcat</groupId>
                                    <artifactId>tomcat</artifactId>
                                    <version>${tomcat.version}</version>
                                    <type>tar.gz</type>
                                    <outputDirectory>${outputDirectory}</outputDirectory>
                                </artifactItem>
                            </artifactItems>
                        </configuration>
                    </execution>
                    <execution>
                        <id>get-keycloak</id>
                        <phase>prepare-package</phase>
                        <goals>
                            <goal>unpack</goal>
                        </goals>
                        <configuration>
                            <artifactItems>
                                <artifactItem>
                                    <groupId>org.keycloak</groupId>
                                    <artifactId>keycloak-server</artifactId>
                                    <version>${project.parent.version}</version>
                                    <type>war</type>
                                    <outputDirectory>${outputDirectoryForWar}</outputDirectory>
                                </artifactItem>
                            </artifactItems>
                        </configuration>
                    </execution>
                    <execution>
                        <id>mimic-jboss-6.2</id>
                        <phase>prepare-package</phase>
                        <goals><goal>copy</goal></goals>
                        <configuration>
                            <artifactItems>
                                <artifactItem><groupId>org.apache.httpcomponents</groupId><artifactId>httpclient</artifactId><version>4.2.6</version><type>jar</type><outputDirectory>${outputDirectoryForLibs}</outputDirectory></artifactItem>
                                <artifactItem><groupId>org.apache.httpcomponents</groupId><artifactId>httpcore</artifactId><version>4.2.5</version><type>jar</type><outputDirectory>${outputDirectoryForLibs}</outputDirectory></artifactItem>
                                <artifactItem><groupId>commons-logging</groupId><artifactId>commons-logging</artifactId><version>1.1.1</version><type>jar</type><outputDirectory>${outputDirectoryForLibs}</outputDirectory></artifactItem>
                                <artifactItem><groupId>commons-io</groupId><artifactId>commons-io</artifactId><version>2.1</version><type>jar</type><outputDirectory>${outputDirectoryForLibs}</outputDirectory></artifactItem>
                                <artifactItem><groupId>org.jboss.resteasy</groupId><artifactId>resteasy-jaxrs</artifactId><version>${jax.version}</version><type>jar</type><outputDirectory>${outputDirectoryForLibs}</outputDirectory></artifactItem>
                                <artifactItem><groupId>org.jboss.resteasy</groupId><artifactId>async-http-servlet-3.0</artifactId><version>${jax.version}</version><type>jar</type><outputDirectory>${outputDirectoryForLibs}</outputDirectory></artifactItem>
                                <artifactItem><groupId>org.jboss.resteasy</groupId><artifactId>jaxrs-api</artifactId><version>${jax.version}</version><type>jar</type><outputDirectory>${outputDirectoryForLibs}</outputDirectory></artifactItem>
                                <artifactItem><groupId>org.jboss.resteasy</groupId><artifactId>resteasy-jaxb-provider</artifactId><version>${jax.version}</version><type>jar</type><outputDirectory>${outputDirectoryForLibs}</outputDirectory></artifactItem>
                                <artifactItem><groupId>org.jboss.resteasy</groupId><artifactId>resteasy-jackson-provider</artifactId><version>${jax.version}</version><type>jar</type><outputDirectory>${outputDirectoryForLibs}</outputDirectory></artifactItem>
                                <artifactItem><groupId>org.jboss.resteasy</groupId><artifactId>resteasy-multipart-provider</artifactId><version>${jax.version}</version><type>jar</type><outputDirectory>${outputDirectoryForLibs}</outputDirectory></artifactItem>
                                <artifactItem><groupId>org.jboss.resteasy</groupId><artifactId>tjws</artifactId><version>${jax.version}</version><type>jar</type><outputDirectory>${outputDirectoryForLibs}</outputDirectory></artifactItem>
                                <artifactItem><groupId>org.scannotation</groupId><artifactId>scannotation</artifactId><version>1.0.3</version><type>jar</type><outputDirectory>${outputDirectoryForLibs}</outputDirectory></artifactItem>
                                <artifactItem><groupId>org.codehaus.jackson</groupId><artifactId>jackson-mapper-asl</artifactId><version>${jackson.version}</version><type>jar</type><outputDirectory>${outputDirectoryForLibs}</outputDirectory></artifactItem>
                                <artifactItem><groupId>org.codehaus.jackson</groupId><artifactId>jackson-core-asl</artifactId><version>${jackson.version}</version><type>jar</type><outputDirectory>${outputDirectoryForLibs}</outputDirectory></artifactItem>
                                <artifactItem><groupId>org.codehaus.jackson</groupId><artifactId>jackson-jaxrs</artifactId><version>${jackson.version}</version><type>jar</type><outputDirectory>${outputDirectoryForLibs}</outputDirectory></artifactItem>
                                <artifactItem><groupId>org.codehaus.jackson</groupId><artifactId>jackson-xc</artifactId><version>${jackson.version}</version><type>jar</type><outputDirectory>${outputDirectoryForLibs}</outputDirectory></artifactItem>
                                <artifactItem><groupId>org.infinispan</groupId><artifactId>infinispan-core</artifactId><version>5.2.7.Final</version><type>jar</type><outputDirectory>${outputDirectoryForLibs}</outputDirectory></artifactItem>
                                <artifactItem><groupId>org.hibernate</groupId><artifactId>hibernate-core</artifactId><version>${hibernate.version}</version><type>jar</type><outputDirectory>${outputDirectoryForLibs}</outputDirectory></artifactItem>
                                <artifactItem><groupId>org.hibernate</groupId><artifactId>hibernate-entitymanager</artifactId><version>${hibernate.version}</version><type>jar</type><outputDirectory>${outputDirectoryForLibs}</outputDirectory></artifactItem>
                                <artifactItem><groupId>org.hibernate.javax.persistence</groupId><artifactId>hibernate-jpa-2.0-api</artifactId><version>1.0.1.Final</version><type>jar</type><outputDirectory>${outputDirectoryForLibs}</outputDirectory></artifactItem>
                                <artifactItem><groupId>org.jboss.logging</groupId><artifactId>jboss-logging</artifactId><version>3.1.2.GA</version><type>jar</type><outputDirectory>${outputDirectoryForLibs}</outputDirectory></artifactItem>
                                <artifactItem><groupId>org.jboss.spec.javax.transaction</groupId><artifactId>jboss-transaction-api_1.1_spec</artifactId><version>1.0.1.Final</version><type>jar</type><outputDirectory>${outputDirectoryForLibs}</outputDirectory></artifactItem>
                                <artifactItem><groupId>dom4j</groupId><artifactId>dom4j</artifactId><version>1.6.1</version><type>jar</type><outputDirectory>${outputDirectoryForLibs}</outputDirectory></artifactItem>
                                <artifactItem><groupId>org.hibernate.common</groupId><artifactId>hibernate-commons-annotations</artifactId><version>4.0.1.Final</version><type>jar</type><outputDirectory>${outputDirectoryForLibs}</outputDirectory></artifactItem>
                                <artifactItem><groupId>org.javassist</groupId><artifactId>javassist</artifactId><version>3.18.1-GA</version><type>jar</type><outputDirectory>${outputDirectoryForLibs}</outputDirectory></artifactItem>
                                <artifactItem><groupId>antlr</groupId><artifactId>antlr</artifactId><version>2.7.7</version><type>jar</type><outputDirectory>${outputDirectoryForLibs}</outputDirectory></artifactItem>
                                <artifactItem><groupId>javax.mail</groupId><artifactId>mail</artifactId><version>1.4.5</version><type>jar</type><outputDirectory>${outputDirectoryForLibs}</outputDirectory></artifactItem>
                                <artifactItem><groupId>com.google.zxing</groupId><artifactId>core</artifactId><type>jar</type><outputDirectory>${outputDirectoryForLibs}</outputDirectory></artifactItem>
                                <artifactItem><groupId>com.google.zxing</groupId><artifactId>javase</artifactId><type>jar</type><outputDirectory>${outputDirectoryForLibs}</outputDirectory></artifactItem>
                                <artifactItem><groupId>com.icegreen</groupId><artifactId>greenmail</artifactId><type>jar</type><outputDirectory>${outputDirectoryForLibs}</outputDirectory></artifactItem>
                                <artifactItem><groupId>de.idyl</groupId><artifactId>winzipaes</artifactId><type>jar</type><outputDirectory>${outputDirectoryForLibs}</outputDirectory></artifactItem>
                                <artifactItem><groupId>xml-apis</groupId><artifactId>xml-apis</artifactId><type>jar</type><outputDirectory>${outputDirectoryForLibs}</outputDirectory></artifactItem>
                                <artifactItem><groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId><type>jar</type><outputDirectory>${outputDirectoryForLibs}</outputDirectory></artifactItem>
                                <artifactItem><groupId>org.slf4j</groupId><artifactId>slf4j-simple</artifactId><type>jar</type><outputDirectory>${outputDirectoryForLibs}</outputDirectory></artifactItem>
                            </artifactItems>
                        </configuration>
                    </execution>
                    <execution>
                        <id>get-postgresql-jdbc-driver</id>
                        <phase>prepare-package</phase>
                        <goals><goal>copy</goal></goals>
                        <configuration>
                            <artifactItems>
                                <!-- mysql:mysql-connector-java -->
                                <artifactItem><groupId>mysql</groupId><artifactId>mysql-connector-java</artifactId><version>5.1.34</version><type>jar</type><outputDirectory>${outputDirectoryForLibs}</outputDirectory></artifactItem>
                                <artifactItem><groupId>org.postgresql</groupId><artifactId>postgresql</artifactId><version>9.4-1200-jdbc41</version><type>jar</type><outputDirectory>${outputDirectoryForLibs}</outputDirectory></artifactItem>
                            </artifactItems>
                        </configuration>
                    </execution>
                </executions>
            </plugin>

            <plugin>
                <artifactId>maven-resources-plugin</artifactId>
                <version>2.7</version>
                <executions>
                    <execution>
                        <id>setup-data-source</id>
                        <phase>package</phase>
                        <goals><goal>copy-resources</goal></goals>
                        <configuration>
                            <outputDirectory>${outputDirectoryConf}</outputDirectory>
                            <encoding>UTF-8</encoding>
                            <resources>
                                <resource>
                                    <directory>.</directory>
                                    <includes>
                                        <include>context.xml</include>
                                    </includes>
                                    <filtering>false</filtering>
                                </resource>
                            </resources>
                        </configuration>
                    </execution>
                </executions>
            </plugin>

            <plugin>
                <groupId>com.google.code.maven-replacer-plugin</groupId>
                <artifactId>replacer</artifactId>
                <version>1.5.3</version>
                <executions>
                    <execution>
                        <id>fix-data-source</id>
                        <phase>package</phase>
                        <goals><goal>replace</goal></goals>
                    </execution>
                </executions>
                <configuration>
                    <file>${configFile}</file>
                    <replacements>
                        <replacement>
                            <token>java:jboss/datasources/KeycloakDS</token>
                            <value>java:/comp/env/jdbc/KeycloakDS</value>
                        </replacement>
                        <replacement>
                            <token>jboss.server.config.dir}</token>
                            <value>catalina.home}/conf</value>
                        </replacement>
                    </replacements>
                </configuration>
            </plugin>

            <plugin>
                <artifactId>maven-assembly-plugin</artifactId>
                <version>2.4</version>
                <executions>
                    <execution>
                        <id>assemble</id>
                        <phase>package</phase>
                        <goals><goal>single</goal></goals>
                        <configuration>
                            <tarLongFileMode>gnu</tarLongFileMode>
                            <descriptors>
                                <descriptor>assembly.xml</descriptor>
                            </descriptors>
                            <outputDirectory>target</outputDirectory>
                            <workDirectory>target/assembly/work</workDirectory>
                            <appendAssemblyId>false</appendAssemblyId>
                        </configuration>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
</project>
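Going back to the Infinispan thread above: the rebalance lines Rajat quoted already answer his first question. In Infinispan's DefaultConsistentHash the figure printed for each member is primary+backup segments, and the "(N)" after "owners =" is the member count, not the owners setting. So `pendingCH=DefaultConsistentHash{ns=80, owners = (2)[test-server-110: 40+0, test-server-111: 40+0]}` means 80 segments, 80 primary copies and 0 backup copies in total: exactly one copy of every session, i.e. the sessions cache is effectively running with owners=1, and whichever node dies takes half the sessions with it (hence the NPE in UserInfoEndpoint for a token whose session is gone). A sessions cache that survives a single node failure shows two copies per segment (`40+40, 40+40` with two members) or is replicated. The script below, an added example that is not code from Keycloak or from anyone in the thread, turns that reading into a check: it looks up the userSessions provider in keycloak-server.json (Stian's first question) and parses ISPN000310 rebalance lines for the effective owner count of the sessions cache. The log lines and JSON snippets are constructed here, modelled on the ones in the thread; the `mem` provider value in the negative sample is an assumption used only for illustration.

```python
"""Check a Keycloak 1.x cluster's session-cache setup from two artefacts the
thread discusses: keycloak-server.json and the Infinispan rebalance lines in
server.log.  Added example; not code from Keycloak or from the thread's posters.
"""
import json
import re

# ISPN000310 "Starting cluster-wide rebalance" line.  Only pendingCH (the
# topology the cluster is moving to) is read; the "(N)" after "owners =" is
# the member count, not the owners setting.
REBALANCE_RE = re.compile(
    r"ISPN000310: Starting cluster-wide rebalance for cache (?P<cache>\w+),.*?"
    r"pendingCH=(?P<kind>\w+)ConsistentHash\{ns\s*=\s*(?P<ns>\d+),\s*owners = "
    r"\((?P<members>\d+)\)\[(?P<owned>[^\]]*)\]"
)
# One member entry: "node: primary+backup" (distributed) or "node: primary" (replicated).
OWNED_RE = re.compile(r"(?P<node>[^\s,:]+):\s*(?P<primary>\d+)(?:\+(?P<backup>\d+))?")


def effective_owners(log_text):
    """Map cache name -> (mode, owners, members) from the last rebalance seen per cache.

    For a distributed cache the number of copies of each segment is
    sum(primary + backup) / ns.  Infinispan prints each member's share as
    primary+backup, so "40+0, 40+0" with ns=80 is one copy per segment
    (owners=1), while "40+40, 40+40" is owners=2.
    """
    result = {}
    for m in REBALANCE_RE.finditer(log_text):
        ns = int(m.group("ns"))
        members = int(m.group("members"))
        if m.group("kind") == "Replicated":
            mode, owners = "replicated", members   # every member holds every segment
        else:
            copies = sum(int(o.group("primary")) + int(o.group("backup") or 0)
                         for o in OWNED_RE.finditer(m.group("owned")))
            mode, owners = "distributed", copies // ns
        result[m.group("cache")] = (mode, owners, members)
    return result


def survives_single_node_loss(info):
    """True when at least two members each hold a copy of every segment."""
    mode, owners, members = info
    return members >= 2 and owners >= 2


def user_sessions_provider(server_json_text):
    """Return the userSessions provider from keycloak-server.json (None if absent)."""
    return json.loads(server_json_text).get("userSessions", {}).get("provider")


def check_cluster(server_json_text, log_text, cache="sessions"):
    """Apply the thread's checklist; return a list of findings (empty means OK)."""
    findings = []
    provider = user_sessions_provider(server_json_text)
    if provider != "infinispan":
        findings.append("userSessions provider is %r, not 'infinispan'" % provider)
    topo = effective_owners(log_text)
    if cache not in topo:
        findings.append("no rebalance seen for cache %r (is clustering/jgroups up?)" % cache)
    elif not survives_single_node_loss(topo[cache]):
        mode, owners, members = topo[cache]
        findings.append("cache %r is %s with owners=%d across %d members: "
                        "losing one node loses sessions" % (cache, mode, owners, members))
    return findings


# Constructed samples, modelled on the lines quoted in the thread (one log
# entry per line, as in a real server.log).
LOG_ONE_COPY = (
    "2015-07-27 10:27:24,665 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t10) "
    "ISPN000310: Starting cluster-wide rebalance for cache realms, topology "
    "CacheTopology{id=57, rebalanceId=17, currentCH=ReplicatedConsistentHash{ns = 60, "
    "owners = (1)[test-server-110: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, "
    "owners = (2)[test-server-110: 30, test-server-111: 30]}, unionCH=null, "
    "actualMembers=[test-server-110, test-server-111]}\n"
    "2015-07-27 10:27:24,669 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t9) "
    "ISPN000310: Starting cluster-wide rebalance for cache sessions, topology "
    "CacheTopology{id=56, rebalanceId=17, currentCH=DefaultConsistentHash{ns=80, "
    "owners = (1)[test-server-110: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, "
    "owners = (2)[test-server-110: 40+0, test-server-111: 40+0]}, unionCH=null, "
    "actualMembers=[test-server-110, test-server-111]}\n"
)
# The same cluster once the sessions cache really runs with owners="2".
LOG_TWO_COPIES = LOG_ONE_COPY.replace("40+0", "40+40")
SERVER_JSON_OK = '{"userSessions": {"provider": "infinispan"}}'
SERVER_JSON_BAD = '{"userSessions": {"provider": "mem"}}'   # assumed non-clustered provider

if __name__ == "__main__":
    for label, cfg, log in (("as posted", SERVER_JSON_OK, LOG_ONE_COPY),
                            ("owners=2", SERVER_JSON_OK, LOG_TWO_COPIES),
                            ("wrong provider", SERVER_JSON_BAD, LOG_TWO_COPIES)):
        print(label, "->", check_cluster(cfg, log) or ["OK"])
```

Run against a real server.log, the "as posted" case is the one to look for: a distributed sessions cache reporting owners=1 after a rebalance means the owners="2" in standalone-ha.xml is not the configuration the running server loaded, whatever the file says. Note that the check reads only the pending topology of the latest rebalance, so it must be run after both nodes have joined and before one is killed, which is also the ordering Stian asks about.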
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150727/9bd95f7d/attachment-0001.html From mstrukel at redhat.com Mon Jul 27 11:45:40 2015 From: mstrukel at redhat.com (Marko Strukelj) Date: Mon, 27 Jul 2015 11:45:40 -0400 (EDT) Subject: [keycloak-user] keycloack-server.war In-Reply-To: References: Message-ID: <1115598762.894188.1438011940525.JavaMail.zimbra@redhat.com> Keycloak server is no longer packaged as a .war. You can read more about it here: http://blog.keycloak.org/2015/05/distribution-changes.html That means you can not deploy it to just any java web container - only latest Wildfly / EAP is supported for the server. At the moment that is Wildfly 9.0.0.Final, and EAP 6.4. If for some reason you really want your application to be deployed in the same server instance as keycloak server, you'd have to deploy your application to the app server that comes with keycloak server rather than the other way around. Easiest way to achieve that would be to use keycloak-demo-1.3.1.Final.zip distribution which you can download here: http://sourceforge.net/projects/keycloak/files/1.3.1.Final - marko ----- Original Message ----- > Hi > I have a maven project that is in charge of create the tomcat distribution > for keycloak. > Until version 1.2.0-Beta1 we have used keycloak-server.war , but when I try > to migrate to keycloak 1.3.1-Final , this dependency apparently does not > exist any more. > < artifactItem > > < groupId > org.keycloak > < artifactId > keycloak-server > < version > $1.3.1-Final > < type > war > < outputDirectory > ${outputDirectoryForWar} > > Someone could help me with this issue ? > where I could find the server war now or what is the new name for this > dependency? > Thanks and regards. 
> Pablo Gore > Here is my pom.xml > < project xmlns= " http://maven.apache.org/POM/4.0.0 " xmlns: xsi = " > http://www.w3.org/2001/XMLSchema-instance " > xsi :schemaLocation= " http://maven.apache.org/POM/4.0.0 > http://maven.apache.org/maven-v4_0_0.xsd " > > < modelVersion > 4.0.0 > < parent > > < groupId > org.keycloak > < artifactId > keycloak-parent > < version > 1.3.1-Final > > > > > < artifactId > keycloak-tomcat-dist > < packaging > pom > < name > Tomcat 8 with Keycloack > < version > ${project.parent.version}-1.0.4 > < description /> > < properties > > > < tomcat.version > 8.0.20 > < jax.version > 2.3.7.Final > < jackson.version > 1.9.9 > < hibernate.version > 4.2.7.SP1 > > < outputDirectory > ${project.build.directory}/unpacked > < outputDirectoryConf > > ${outputDirectory}/apache-tomcat-${tomcat.version}/conf outputDirectoryConf > > < outputDirectoryForWar > > ${outputDirectory}/apache-tomcat-${tomcat.version}/webapps/keycloak > > < outputDirectoryForLibs > > ${outputDirectory}/apache-tomcat-${tomcat.version}/lib outputDirectoryForLibs > > < configFile > > ${outputDirectoryForWar}/WEB-INF/classes/META-INF/keycloak-server.json configFile > > > < dependencies /> > < build > > < plugins > > < plugin > > < groupId > org.apache.maven.plugins > < artifactId > maven-deploy-plugin > < configuration > > < skip > true > > > < plugin > > < groupId > org.apache.maven.plugins > < artifactId > maven-dependency-plugin > < executions > > > < execution > > < id > unpack > < phase > prepare-package > < goals > > < goal > unpack > > < configuration > > > < artifactItems > > < artifactItem > > < groupId > org.apache.tomcat > < artifactId > tomcat > < version > ${tomcat.version} > < type > tar.gz > < outputDirectory > ${outputDirectory} > > > > > > < execution > > < id > get-keycloak > < phase > prepare-package > < goals > > < goal > unpack > > < configuration > > < artifactItems > > < artifactItem > > < groupId > org.keycloak > < artifactId > keycloak-server > < version > 
${project.parent.version} > < type > war > < outputDirectory > ${outputDirectoryForWar} > > > > > > < execution > > < id > mimic-jboss-6.2 > < phase > prepare-package > < goals > > < goal > copy > > < configuration > > < artifactItems > > < dependency > > < groupId > org.apache.httpcomponents > < artifactId > httpclient > < version > 4.2.6 > < type > jar > < outputDirectory > ${outputDirectoryForLibs} > > < dependency > > < groupId > org.apache.httpcomponents > < artifactId > httpcore > < version > 4.2.5 > < type > jar > < outputDirectory > ${outputDirectoryForLibs} > > < dependency > > < groupId > commons-logging > < artifactId > commons-logging > < version > 1.1.1 > < type > jar > < outputDirectory > ${outputDirectoryForLibs} > > < dependency > > < groupId > commons-io > < artifactId > commons-io > < version > 2.1 > < type > jar > < outputDirectory > ${outputDirectoryForLibs} > > > < artifactItem > > < groupId > org.jboss.resteasy > < artifactId > resteasy-jaxrs > < version > ${jax.version} > < type > jar > < outputDirectory > ${outputDirectoryForLibs} > > < artifactItem > > < groupId > org.jboss.resteasy > < artifactId > async-http-servlet-3.0 > < version > ${jax.version} > < type > jar > < outputDirectory > ${outputDirectoryForLibs} > > < artifactItem > > < groupId > org.jboss.resteasy > < artifactId > jaxrs-api > < version > ${jax.version} > < type > jar > < outputDirectory > ${outputDirectoryForLibs} > > < artifactItem > > < groupId > org.jboss.resteasy > < artifactId > resteasy-jaxb-provider > < version > ${jax.version} > < type > jar > < outputDirectory > ${outputDirectoryForLibs} > > < artifactItem > > < groupId > org.jboss.resteasy > < artifactId > resteasy-jackson-provider > < version > ${jax.version} > < type > jar > < outputDirectory > ${outputDirectoryForLibs} > > < artifactItem > > < groupId > org.jboss.resteasy > < artifactId > resteasy-multipart-provider > < version > ${jax.version} > < type > jar > < outputDirectory > ${outputDirectoryForLibs} > > 
> < artifactItem > > < groupId > org.jboss.resteasy > < artifactId > tjws > < version > ${jax.version} > < type > jar > < outputDirectory > ${outputDirectoryForLibs} > > < artifactItem > > < groupId > org.scannotation > < artifactId > scannotation > < version > 1.0.3 > < type > jar > < outputDirectory > ${outputDirectoryForLibs} > > < artifactItem > > < groupId > org.codehaus.jackson > < artifactId > jackson-mapper-asl > < version > ${jackson.version} > < type > jar > < outputDirectory > ${outputDirectoryForLibs} > > < artifactItem > > < groupId > org.codehaus.jackson > < artifactId > jackson-core-asl > < version > ${jackson.version} > < type > jar > < outputDirectory > ${outputDirectoryForLibs} > > < artifactItem > > < groupId > org.codehaus.jackson > < artifactId > jackson-jaxrs > < version > ${jackson.version} > < type > jar > < outputDirectory > ${outputDirectoryForLibs} > > < artifactItem > > < groupId > org.codehaus.jackson > < artifactId > jackson-xc > < version > ${jackson.version} > < type > jar > < outputDirectory > ${outputDirectoryForLibs} > > < artifactItem > > < groupId > org.infinispan > < artifactId > infinispan-core > < version > 5.2.7.Final > < type > jar > < outputDirectory > ${outputDirectoryForLibs} > > < artifactItem > > < groupId > org.hibernate > < artifactId > hibernate-core > < version > ${hibernate.version} > < type > jar > < outputDirectory > ${outputDirectoryForLibs} > > < artifactItem > > < groupId > org.hibernate > < artifactId > hibernate-entitymanager > < version > ${hibernate.version} > < type > jar > < outputDirectory > ${outputDirectoryForLibs} > > < artifactItem > > < groupId > org.hibernate.javax.persistence > < artifactId > hibernate-jpa-2.0-api > < version > 1.0.1.Final > < type > jar > < outputDirectory > ${outputDirectoryForLibs} > > < artifactItem > > < groupId > org.jboss.logging > < artifactId > jboss-logging > < version > 3.1.2.GA > < type > jar > < outputDirectory > ${outputDirectoryForLibs} > > < artifactItem > > < 
groupId > org.jboss.spec.javax.transaction > < artifactId > jboss-transaction-api_1.1_spec > < version > 1.0.1.Final > < type > jar > < outputDirectory > ${outputDirectoryForLibs} > > < artifactItem > > < groupId > dom4j > < artifactId > dom4j > < version > 1.6.1 > < type > jar > < outputDirectory > ${outputDirectoryForLibs} > > < artifactItem > > < groupId > org.hibernate.common > < artifactId > hibernate-commons-annotations > < version > 4.0.1.Final > < type > jar > < outputDirectory > ${outputDirectoryForLibs} > > < artifactItem > > < groupId > org.javassist > < artifactId > javassist > < version > 3.18.1-GA > < type > jar > < outputDirectory > ${outputDirectoryForLibs} > > < artifactItem > > < groupId > antlr > < artifactId > antlr > < version > 2.7.7 > < type > jar > < outputDirectory > ${outputDirectoryForLibs} > > < artifactItem > > < groupId > javax.mail > < artifactId > mail > < version > 1.4.5 > < type > jar > < outputDirectory > ${outputDirectoryForLibs} > > < artifactItem > > < groupId > com.google.zxing > < artifactId > core > < type > jar > < outputDirectory > ${outputDirectoryForLibs} > > < artifactItem > > < groupId > com.google.zxing > < artifactId > javase > < type > jar > < outputDirectory > ${outputDirectoryForLibs} > > < artifactItem > > < groupId > com.icegreen > < artifactId > greenmail > < type > jar > < outputDirectory > ${outputDirectoryForLibs} > > < artifactItem > > < groupId > de.idyl > < artifactId > winzipaes > < type > jar > < outputDirectory > ${outputDirectoryForLibs} > > < artifactItem > > < groupId > xml-apis > < artifactId > xml-apis > < type > jar > < outputDirectory > ${outputDirectoryForLibs} > > < artifactItem > > < groupId > org.slf4j > < artifactId > slf4j-api > < type > jar > < outputDirectory > ${outputDirectoryForLibs} > > < artifactItem > > < groupId > org.slf4j > < artifactId > slf4j-simple > < type > jar > < outputDirectory > ${outputDirectoryForLibs} > > > > > > < execution > > < id > get-postgresql-jdbc-driver > < 
phase > prepare-package > < goals > > < goal > copy > > < configuration > > < artifactItems > > mysql:mysql-connector-java > < artifactItem > > < groupId > mysql > < artifactId > mysql-connector-java > < version > 5.1.34 > < type > jar > < outputDirectory > ${outputDirectoryForLibs} > > > < artifactItem > > < groupId > org.postgresql > < artifactId > postgresql > < version > 9.4-1200-jdbc41 > < type > jar > < outputDirectory > ${outputDirectoryForLibs} > > > > > > > > > < plugin > > < artifactId > maven-resources-plugin > < version > 2.7 > < executions > > < execution > > < id > setup-data-source > < phase > package > < goals > > < goal > copy-resources > > < configuration > > < outputDirectory > ${outputDirectoryConf} > < encoding > UTF-8 > < resources > > < resource > > < directory > . > < includes > > < include > context.xml > > < filtering > false > > > > > > > > < plugin > > < groupId > com.google.code.maven-replacer-plugin > < artifactId > replacer > < version > 1.5.3 > < executions > > < execution > > < id > fix-data-source > < phase > package > < goals > > < goal > replace > > > > < configuration > > < file > ${configFile} > < replacements > > > < replacement > > < token > java:jboss/datasources/KeycloakDS > < value > java:/comp/env/jdbc/KeycloakDS > > > < replacement > > < token > jboss.server.config.dir} > < value > catalina.home}/conf > > > > > > < plugin > > < artifactId > maven-assembly-plugin > < version > 2.4 > < executions > > < execution > > < id > assemble > < phase > package > < goals > > < goal > single > > < configuration > > < tarLongFileMode > gnu > < descriptors > > < descriptor > assembly.xml > > < outputDirectory > target > < workDirectory > target/assembly/work > < appendAssemblyId > false > > > > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From pablo.m.gore at gmail.com Mon Jul 27 12:02:44 2015 From: 
pablo.m.gore at gmail.com (Pablo Martin Gore) Date: Mon, 27 Jul 2015 13:02:44 -0300 Subject: [keycloak-user] keycloack-server.war In-Reply-To: <1115598762.894188.1438011940525.JavaMail.zimbra@redhat.com> References: <1115598762.894188.1438011940525.JavaMail.zimbra@redhat.com> Message-ID:

Hi Marko

Thanks for your quick answer. It's not possible to deploy keycloak today in a tomcat web server? Really, we have deployed our platform into different tomcat 8 and it's a big effort, this movement to Wildfly. Will you support other web servers to deploy keycloak in future, like tomcat or jetty?

2015-07-27 12:45 GMT-03:00 Marko Strukelj :
> Keycloak server is no longer packaged as a .war. You can read more about
> it here: http://blog.keycloak.org/2015/05/distribution-changes.html
>
> That means you can not deploy it to just any java web container - only
> latest Wildfly / EAP is supported for the server. At the moment that is
> Wildfly 9.0.0.Final, and EAP 6.4.
>
> If for some reason you really want your application to be deployed in the
> same server instance as keycloak server, you'd have to deploy your
> application to the app server that comes with keycloak server rather than
> the other way around.
>
> Easiest way to achieve that would be to use keycloak-demo-1.3.1.Final.zip
> distribution which you can download here:
> http://sourceforge.net/projects/keycloak/files/1.3.1.Final
>
> - marko
>
> ----- Original Message -----
> > Hi
> > I have a maven project that is in charge of creating the tomcat distribution
> > for keycloak.
> > Until version 1.2.0-Beta1 we have used keycloak-server.war, but when I try
> > to migrate to keycloak 1.3.1-Final, this dependency apparently does not
> > exist any more.
> >
> > <artifactItem>
> >   <groupId>org.keycloak</groupId>
> >   <artifactId>keycloak-server</artifactId>
> >   <version>$1.3.1-Final</version>
> >   <type>war</type>
> >   <outputDirectory>${outputDirectoryForWar}</outputDirectory>
> > </artifactItem>
> >
> > Could someone help me with this issue?
> > Where can I find the server war now, or what is the new name for this
> > dependency?
> > Thanks and regards.
> > Pablo Gore
> >
> > Here is my pom.xml
> > [pom.xml snipped]

From bburke at redhat.com Mon Jul 27 12:06:53 2015 From: bburke at redhat.com (Bill Burke) Date: Mon, 27 Jul 2015 12:06:53 -0400 Subject: [keycloak-user] keycloack-server.war In-Reply-To: References: <1115598762.894188.1438011940525.JavaMail.zimbra@redhat.com> Message-ID: <55B6571D.3090807@redhat.com>

We will not support running Keycloak server on anything but Wildfly or JBoss EAP. There are a lot of advantages to this. The main one being, it saves us a lot of work.
However, we do support securing Tomcat 6, 7, 8 and Jetty 8.x, 9.x applications through the corresponding client adapter.

On 7/27/2015 12:02 PM, Pablo Martin Gore wrote:
> Hi Marko
> Thanks for your quick answer. It's not possible to deploy keycloak
> today in a tomcat web server? Really, we have deployed our platform into
> different tomcat 8 and it's a big effort, this movement to Wildfly.
> Will you support other web servers to deploy keycloak in future, like
> tomcat or jetty?
>
> 2015-07-27 12:45 GMT-03:00 Marko Strukelj >:
> [earlier messages and pom.xml snipped]

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From rajat.nair at hp.com Mon Jul 27 13:33:25 2015 From: rajat.nair at hp.com (Nair, Rajat) Date: Mon, 27 Jul 2015 17:33:25 +0000 Subject: [keycloak-user] Distributed Keycloak user sessions using Infinispan In-Reply-To: <1732913135.720424.1438004774275.JavaMail.zimbra@redhat.com> References: <172557795.659190.1437999857925.JavaMail.zimbra@redhat.com> <1204411095.666223.1438000619434.JavaMail.zimbra@redhat.com>
<59651412.706872.1438003614393.JavaMail.zimbra@redhat.com> <1045151906.720245.1438004746473.JavaMail.zimbra@redhat.com> <1732913135.720424.1438004774275.JavaMail.zimbra@redhat.com> Message-ID: > Can you send me your standalone-ha.xml and keycloak-server.json? Files attached. The service is started like - /opt/jboss/keycloak/bin/standalone.sh -c standalone-ha.xml -b=test-server-110 -bmanagement=test-server-110 -u 230.0.0.4 -Djboss.node.name=test-server-110 > Also, any chance you can try it out with master? I've been testing with that as we're about to do 1.4 release soon Glad to give back to the community. Will build and deploy the master on my nodes. Will send findings tomorrow. Regarding a scenario I described earlier - Case 2 1. Start with 1 Node down. We bring it back up. We wait for some time so that Infinispan can sync. 2. Bring down other node. 3. Try to get user info using existing token. Is this a valid use-case? -- Rajat -----Original Message----- From: Stian Thorgersen [mailto:stian at redhat.com] Sent: 27 July 2015 19:16 To: Nair, Rajat Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Distributed Keycloak user sessions using Infinispan Also, any chance you can try it out with master? I've been testing with that as we're about to do 1.4 release soon ----- Original Message ----- > From: "Stian Thorgersen" > To: "Rajat Nair" > Cc: keycloak-user at lists.jboss.org > Sent: Monday, 27 July, 2015 3:45:46 PM > Subject: Re: [keycloak-user] Distributed Keycloak user sessions using > Infinispan > > Can you send me your standalone-ha.xml and keycloak-server.json? > > ----- Original Message ----- > > From: "Rajat Nair" > > To: "Stian Thorgersen" > > Cc: keycloak-user at lists.jboss.org > > Sent: Monday, 27 July, 2015 3:41:36 PM > > Subject: RE: [keycloak-user] Distributed Keycloak user sessions > > using Infinispan > > > > > Do you have both nodes fully up and running before you kill one node? > > Yes. > > This is what we tried - > > Case 1 > > 1. 
Two node cluster (both running Keycloak engines) - both up and running. > > Configured load balancing using mod_cluster. > > 2. Login and get token. > > 3. Bring down one node. > > 4. Get user info using existing token. This is when we get NPE. > > > > Case 2 > > 1. Start with 1 Node down. We bring it back up. We wait for some > > time so that Infinispan can sync. > > 2. Bring down other node. > > 3. Try to get user info using existing token. Again we see NPE. > > > > >It's a bug - if session is expired it should return an error > > >message, not a NPE (see > > >https://issues.jboss.org/browse/KEYCLOAK-1710) > > Thanks for tracking this. > > > > -- Rajat > > > > ----- Original Message ----- > > > From: "Rajat Nair" > > > To: "Stian Thorgersen" > > > Cc: keycloak-user at lists.jboss.org > > > Sent: Monday, 27 July, 2015 3:20:27 PM > > > Subject: RE: [keycloak-user] Distributed Keycloak user sessions > > > using Infinispan > > > > > > Thanks for quick reply Stian. > > > > > > > What version? > > > We are using Keycloak 1.3.1 Final. > > > > > > > Did you remember to change userSessions provider to infinispan > > > > in keycloak-server.json? > > > Yes. We got following in keycloak-server.json - > > > "userSessions": { > > > "provider": "infinispan" > > > } > > > > > > > Firstly owners="2" should work fine as long as only one node > > > > dies and the other remains active. Secondly it should return a > > > > NPE, but an error if user session is not found. > > > Could you elaborate on your 2nd point? > > > > Do you have both nodes fully up and running before you kill one node? 
> >
> > It's a bug - if session is expired it should return an error message, not a NPE (see https://issues.jboss.org/browse/KEYCLOAK-1710)
> >
> > > -- Rajat
> > >
> > > -----Original Message-----
> > > From: Stian Thorgersen [mailto:stian at redhat.com]
> > > Sent: 27 July 2015 18:07
> > > To: Nair, Rajat
> > > Cc: keycloak-user at lists.jboss.org
> > > Subject: Re: [keycloak-user] Distributed Keycloak user sessions using Infinispan
> > >
> > > Did you remember to change userSessions provider to infinispan in keycloak-server.json?
> > >
> > > ----- Original Message -----
> > > > From: "Stian Thorgersen"
> > > > To: "Rajat Nair"
> > > > Cc: keycloak-user at lists.jboss.org
> > > > Sent: Monday, 27 July, 2015 2:24:17 PM
> > > > Subject: Re: [keycloak-user] Distributed Keycloak user sessions using Infinispan
> > > >
> > > > What version?
> > > >
> > > > Firstly owners="2" should work fine as long as only one node dies and the other remains active. Secondly it should return a NPE, but an error if user session is not found.
> > > >
> > > > ----- Original Message -----
> > > > > From: "Rajat Nair"
> > > > > To: keycloak-user at lists.jboss.org
> > > > > Sent: Monday, 27 July, 2015 2:03:47 PM
> > > > > Subject: [keycloak-user] Distributed Keycloak user sessions using Infinispan
> > > > >
> > > > > Hi,
> > > > >
> > > > > I'm in the process of setting up distributed user sessions using Infinispan on my Keycloak cluster. This is the configuration I use -
> > > > >
> > > > > jndi-name="java:jboss/infinispan/Keycloak">
> > > > > lock-timeout="60000"/>
> > > > > owners="1"/>
> > > > >
> > > > > And in server.logs, I can see my servers communicate -
> > > > >
> > > > > 2015-07-27 10:27:24,662 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t7) ISPN000310: Starting cluster-wide rebalance for cache users, topology CacheTopology{id=57, rebalanceId=17, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[test-server-110: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[test-server-110: 30, test-server-111: 30]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
> > > > >
> > > > > 2015-07-27 10:27:24,665 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t10) ISPN000310: Starting cluster-wide rebalance for cache realms, topology CacheTopology{id=57, rebalanceId=17, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[test-server-110: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[test-server-110: 30, test-server-111: 30]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
> > > > >
> > > > > 2015-07-27 10:27:24,665 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t8) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=57, rebalanceId=17, currentCH=DefaultConsistentHash{ns=80, owners = (1)[test-server-110: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[test-server-110: 40+0, test-server-111: 40+0]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
> > > > >
> > > > > 2015-07-27 10:27:24,669 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t9) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=56, rebalanceId=17, currentCH=DefaultConsistentHash{ns=80, owners = (1)[test-server-110: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[test-server-110: 40+0, test-server-111: 40+0]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
> > > > >
> > > > > 2015-07-27 10:27:24,808 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t9) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 57
> > > > >
> > > > > 2015-07-27 10:27:24,810 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t12) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 56
> > > > >
> > > > > 2015-07-27 10:27:24,988 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t12) ISPN000336: Finished cluster-wide rebalance for cache realms, topology id = 57
> > > > >
> > > > > 2015-07-27 10:27:25,530 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t8) ISPN000336: Finished cluster-wide rebalance for cache users, topology id = 57
> > > > >
> > > > > I can successfully login, get a token and fetch user details with this token.
> > > > >
> > > > > Problem is, if one of the nodes on the cluster goes down and if we try to reuse a token which was already issued (so workflow is - user logs in, get token, (a node in the cluster goes down) and then fetch user details using token) - we see an internal server exception. From the logs -
> > > > >
> > > > > 2015-07-27 10:24:25,714 ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /auth/realms/scaletest/protocol/openid-connect/userinfo: java.lang.RuntimeException: request path: /auth/realms/scaletest/protocol/openid-connect/userinfo
> > > > > at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54)
> > > > > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> > > > > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
> > > > > at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
> > > > > at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> > > > > at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> > > > > at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> > > > > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > > at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> > > > > at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> > > > > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > > at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> > > > > at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> > > > > at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
> > > > > at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
> > > > > at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> > > > > at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
> > > > > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > > at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> > > > > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > > at io.undertow.server.handlers.MetricsHandler.handleRequest(MetricsHandler.java:62)
> > > > > at io.undertow.servlet.core.MetricsChainHandler.handleRequest(MetricsChainHandler.java:59)
> > > > > at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:274)
> > > > > at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:253)
> > > > > at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
> > > > > at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
> > > > > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
> > > > > at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
> > > > > at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
> > > > > at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
> > > > > at java.lang.Thread.run(Unknown Source)
> > > > > Caused by: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
> > > > > at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
> > > > > at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
> > > > > at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
> > > > > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
> > > > > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
> > > > > at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
> > > > > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> > > > > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> > > > > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> > > > > at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
> > > > > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
> > > > > at org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41)
> > > > > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> > > > > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
> > > > > at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40)
> > > > > ... 31 more
> > > > > Caused by: java.lang.NullPointerException
> > > > > at org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.issueUserInfo(UserInfoEndpoint.java:128)
> > > > > at org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.issueUserInfoGet(UserInfoEndpoint.java:101)
> > > > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > > > at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> > > > > at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> > > > > at java.lang.reflect.Method.invoke(Unknown Source)
> > > > > at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
> > > > > at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
> > > > > at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
> > > > > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
> > > > > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
> > > > > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
> > > > > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
> > > > > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
> > > > > ... 42 more
> > > > >
> > > > > The user guide says -
> > > > >
> > > > > If you need to prevent node failures from requiring users to log in again, set the owners attribute to 2 or more for the sessions cache
> > > > >
> > > > > Questions -
> > > > >
> > > > > 1. Have we configured Infinispan incorrectly? We don't want the users to login again if any of the nodes in the cluster go down.
> > > > >
> > > > > 2. Will changing distributed-cache to replicated-cache help in this scenario?
> > > > >
> > > > > 3. Any way we can see the contents of the cache?
> > > > >
> > > > > -- Rajat
> > > > >
> > > > > _______________________________________________
> > > > > keycloak-user mailing list
> > > > > keycloak-user at lists.jboss.org
> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > >
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
-------------- next part --------------
A non-text attachment was scrubbed...
Name: standalone-ha.xml
Type: text/xml
Size: 25526 bytes
Desc: standalone-ha.xml
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150727/e1effa63/attachment-0001.xml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: keycloak-server.json
Type: application/octet-stream
Size: 1341 bytes
Desc: keycloak-server.json
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150727/e1effa63/attachment-0001.obj

From stian at redhat.com Tue Jul 28 00:49:00 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 28 Jul 2015 00:49:00 -0400 (EDT)
Subject: [keycloak-user] Distributed Keycloak user sessions using Infinispan
In-Reply-To:
References: <1204411095.666223.1438000619434.JavaMail.zimbra@redhat.com> <59651412.706872.1438003614393.JavaMail.zimbra@redhat.com> <1045151906.720245.1438004746473.JavaMail.zimbra@redhat.com> <1732913135.720424.1438004774275.JavaMail.zimbra@redhat.com>
Message-ID: <1042060711.1068309.1438058940079.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Rajat Nair"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Monday, 27 July, 2015 7:33:25 PM
> Subject: RE: [keycloak-user] Distributed Keycloak user sessions using Infinispan
>
> > Can you send me your standalone-ha.xml and keycloak-server.json?
> Files attached. The service is started like -
> /opt/jboss/keycloak/bin/standalone.sh -c standalone-ha.xml -b=test-server-110 -bmanagement=test-server-110 -u 230.0.0.4 -Djboss.node.name=test-server-110
>
> > Also, any chance you can try it out with master? I've been testing with that as we're about to do 1.4 release soon
> Glad to give back to the community. Will build and deploy the master on my nodes. Will send findings tomorrow.
>
> Regarding a scenario I described earlier -
> Case 2
> 1. Start with 1 Node down. We bring it back up. We wait for some time so that Infinispan can sync.
> 2. Bring down other node.
> 3. Try to get user info using existing token.
>
> Is this a valid use-case?

Yes - I've tried the same use-case and it works fine every time. One caveat is that access token can expire, but in this case you should get a 403 returned, not a NPE exception and 500.
One thing you can try is to make sure user session replication is working properly:

1. Start two nodes
2. Open admin console directly on node 1 - login as admin/admin
3. Open admin console directly on node 2 from another machine/browser or use incognito mode - login as admin/admin
4. On node 1 go to users -> view all -> click on admin -> sessions - you should see two sessions
5. On node 2 do the same and check you can see two sessions there as well

>
> -- Rajat
>
> -----Original Message-----
> From: Stian Thorgersen [mailto:stian at redhat.com]
> Sent: 27 July 2015 19:16
> To: Nair, Rajat
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Distributed Keycloak user sessions using Infinispan
>
> Also, any chance you can try it out with master? I've been testing with that as we're about to do 1.4 release soon
>
> ----- Original Message -----
> > From: "Stian Thorgersen"
> > To: "Rajat Nair"
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Monday, 27 July, 2015 3:45:46 PM
> > Subject: Re: [keycloak-user] Distributed Keycloak user sessions using Infinispan
> >
> > Can you send me your standalone-ha.xml and keycloak-server.json?
> >
> > ----- Original Message -----
> > > From: "Rajat Nair"
> > > To: "Stian Thorgersen"
> > > Cc: keycloak-user at lists.jboss.org
> > > Sent: Monday, 27 July, 2015 3:41:36 PM
> > > Subject: RE: [keycloak-user] Distributed Keycloak user sessions using Infinispan
> > >
> > > > Do you have both nodes fully up and running before you kill one node?
> > > Yes.
> > > This is what we tried -
> > > Case 1
> > > 1. Two node cluster (both running Keycloak engines) - both up and running. Configured load balancing using mod_cluster.
> > > 2. Login and get token.
> > > 3. Bring down one node.
> > > 4. Get user info using existing token. This is when we get NPE.
> > >
> > > Case 2
> > > 1. Start with 1 Node down. We bring it back up. We wait for some time so that Infinispan can sync.
> > > 2. Bring down other node.
> > > 3. Try to get user info using existing token. Again we see NPE.
> > >
> > > > It's a bug - if session is expired it should return an error message, not a NPE (see https://issues.jboss.org/browse/KEYCLOAK-1710)
> > > Thanks for tracking this.
> > >
> > > -- Rajat
> > >
> > > ----- Original Message -----
> > > > From: "Rajat Nair"
> > > > To: "Stian Thorgersen"
> > > > Cc: keycloak-user at lists.jboss.org
> > > > Sent: Monday, 27 July, 2015 3:20:27 PM
> > > > Subject: RE: [keycloak-user] Distributed Keycloak user sessions using Infinispan
> > > >
> > > > Thanks for quick reply Stian.
> > > >
> > > > > What version?
> > > > We are using Keycloak 1.3.1 Final.
> > > >
> > > > > Did you remember to change userSessions provider to infinispan in keycloak-server.json?
> > > > Yes. We got following in keycloak-server.json -
> > > > "userSessions": {
> > > > "provider": "infinispan"
> > > > }
> > > >
> > > > > Firstly owners="2" should work fine as long as only one node dies and the other remains active. Secondly it should return a NPE, but an error if user session is not found.
> > > > Could you elaborate on your 2nd point?
> > >
> > > Do you have both nodes fully up and running before you kill one node?
> > >
> > > It's a bug - if session is expired it should return an error message, not a NPE (see https://issues.jboss.org/browse/KEYCLOAK-1710)
> > >
> > > > -- Rajat
> > > >
> > > > -----Original Message-----
> > > > From: Stian Thorgersen [mailto:stian at redhat.com]
> > > > Sent: 27 July 2015 18:07
> > > > To: Nair, Rajat
> > > > Cc: keycloak-user at lists.jboss.org
> > > > Subject: Re: [keycloak-user] Distributed Keycloak user sessions using Infinispan
> > > >
> > > > Did you remember to change userSessions provider to infinispan in keycloak-server.json?
> > > >
> > > > ----- Original Message -----
> > > > > From: "Stian Thorgersen"
> > > > > To: "Rajat Nair"
> > > > > Cc: keycloak-user at lists.jboss.org
> > > > > Sent: Monday, 27 July, 2015 2:24:17 PM
> > > > > Subject: Re: [keycloak-user] Distributed Keycloak user sessions using Infinispan
> > > > >
> > > > > What version?
> > > > >
> > > > > Firstly owners="2" should work fine as long as only one node dies and the other remains active. Secondly it should return a NPE, but an error if user session is not found.
> > > > >
> > > > > ----- Original Message -----
> > > > > > From: "Rajat Nair"
> > > > > > To: keycloak-user at lists.jboss.org
> > > > > > Sent: Monday, 27 July, 2015 2:03:47 PM
> > > > > > Subject: [keycloak-user] Distributed Keycloak user sessions using Infinispan
> > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > I'm in the process of setting up distributed user sessions using Infinispan on my Keycloak cluster. This is the configuration I use -
> > > > > >
> > > > > > jndi-name="java:jboss/infinispan/Keycloak">
> > > > > > lock-timeout="60000"/>
> > > > > > owners="1"/>
> > > > > >
> > > > > > And in server.logs, I can see my servers communicate -
> > > > > >
> > > > > > 2015-07-27 10:27:24,662 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t7) ISPN000310: Starting cluster-wide rebalance for cache users, topology CacheTopology{id=57, rebalanceId=17, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[test-server-110: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[test-server-110: 30, test-server-111: 30]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
> > > > > >
> > > > > > 2015-07-27 10:27:24,665 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t10) ISPN000310: Starting cluster-wide rebalance for cache realms, topology CacheTopology{id=57, rebalanceId=17, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[test-server-110: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[test-server-110: 30, test-server-111: 30]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
> > > > > >
> > > > > > 2015-07-27 10:27:24,665 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t8) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=57, rebalanceId=17, currentCH=DefaultConsistentHash{ns=80, owners = (1)[test-server-110: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[test-server-110: 40+0, test-server-111: 40+0]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
> > > > > >
> > > > > > 2015-07-27 10:27:24,669 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t9) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=56, rebalanceId=17, currentCH=DefaultConsistentHash{ns=80, owners = (1)[test-server-110: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[test-server-110: 40+0, test-server-111: 40+0]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
> > > > > >
> > > > > > 2015-07-27 10:27:24,808 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t9) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 57
> > > > > >
> > > > > > 2015-07-27 10:27:24,810 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t12) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 56
> > > > > >
> > > > > > 2015-07-27 10:27:24,988 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t12) ISPN000336: Finished cluster-wide rebalance for cache realms, topology id = 57
> > > > > >
> > > > > > 2015-07-27 10:27:25,530 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t8) ISPN000336: Finished cluster-wide rebalance for cache users, topology id = 57
> > > > > >
> > > > > > I can successfully login, get a token and fetch user details with this token.
> > > > > >
> > > > > > Problem is, if one of the nodes on the cluster goes down and if we try to reuse a token which was already issued (so workflow is - user logs in, get token, (a node in the cluster goes down) and then fetch user details using token) - we see an internal server exception. From the logs -
> > > > > >
> > > > > > 2015-07-27 10:24:25,714 ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /auth/realms/scaletest/protocol/openid-connect/userinfo: java.lang.RuntimeException: request path: /auth/realms/scaletest/protocol/openid-connect/userinfo
> > > > > > at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54)
> > > > > > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> > > > > > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
> > > > > > at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
> > > > > > at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> > > > > > at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> > > > > > at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> > > > > > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > > > at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> > > > > > at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> > > > > > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > > > at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> > > > > > at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> > > > > > at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
> > > > > > at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
> > > > > > at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> > > > > > at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
> > > > > > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > > > at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> > > > > > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > > > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > > > at io.undertow.server.handlers.MetricsHandler.handleRequest(MetricsHandler.java:62)
> > > > > > at io.undertow.servlet.core.MetricsChainHandler.handleRequest(MetricsChainHandler.java:59)
> > > > > > at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:274)
> > > > > > at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:253)
> > > > > > at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
> > > > > > at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
> > > > > > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
> > > > > > at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
> > > > > > at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
> > > > > > at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
> > > > > > at java.lang.Thread.run(Unknown Source)
> > > > > > Caused by: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
> > > > > > at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
> > > > > > at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
> > > > > > at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
> > > > > > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
> > > > > > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
> > > > > > at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
> > > > > > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> > > > > > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> > > > > > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> > > > > > at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
> > > > > > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
> > > > > > at org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41)
> > > > > > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> > > > > > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
> > > > > > at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40)
> > > > > > ... 31 more
> > > > > > Caused by: java.lang.NullPointerException
> > > > > > at org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.issueUserInfo(UserInfoEndpoint.java:128)
> > > > > > at org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.issueUserInfoGet(UserInfoEndpoint.java:101)
> > > > > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > > > > at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> > > > > > at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> > > > > > at java.lang.reflect.Method.invoke(Unknown Source)
> > > > > > at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
> > > > > > at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
> > > > > > at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
> > > > > > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
> > > > > > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
> > > > > > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
> > > > > > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
> > > > > > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
> > > > > > ... 42 more
> > > > > >
> > > > > > The user guide says -
> > > > > >
> > > > > > If you need to prevent node failures from requiring users to log in again, set the owners attribute to 2 or more for the sessions cache
> > > > > >
> > > > > > Questions -
> > > > > >
> > > > > > 1. Have we configured Infinispan incorrectly? We don't want the users to login again if any of the nodes in the cluster go down.
> > > > > >
> > > > > > 2. Will changing distributed-cache to replicated-cache help in this scenario?
> > > > > >
> > > > > > 3. Any way we can see the contents of the cache?
> > > > > >
> > > > > > -- Rajat
> > > > > >
> > > > > > _______________________________________________
> > > > > > keycloak-user mailing list
> > > > > > keycloak-user at lists.jboss.org
> > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > >
> > > > > _______________________________________________
> > > > > keycloak-user mailing list
> > > > > keycloak-user at lists.jboss.org
> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user

From stian at redhat.com Tue Jul 28 00:55:53 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 28 Jul 2015 00:55:53 -0400 (EDT)
Subject: [keycloak-user] keycloack-server.war
In-Reply-To:
References: <1115598762.894188.1438011940525.JavaMail.zimbra@redhat.com>
Message-ID: <1647805916.1069247.1438059353329.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Pablo Martin Gore"
> To: "Marko Strukelj"
> Cc: keycloak-user at lists.jboss.org
> Sent: Monday, 27 July, 2015 6:02:44 PM
> Subject: Re: [keycloak-user] keycloack-server.war
>
> Hi Marko
> Thanks for your quick answer. It's not possible to deploy Keycloak today in
> a Tomcat web server; we have really deployed our platform into different
> Tomcat 8 servers and this move to WildFly is a big effort.
> Will you support other web servers to deploy Keycloak in the future, like
> Tomcat or Jetty?

You do not need to port your applications to Tomcat. You should use a standalone Keycloak server and continue using Tomcat with the Keycloak Tomcat adapter for your applications.

This is in fact the setup we recommend in production for those using WildFly as well. A standalone Keycloak server and a separate WildFly server for applications.

>
> 2015-07-27 12:45 GMT-03:00 Marko Strukelj < mstrukel at redhat.com > :
>
> > Keycloak server is no longer packaged as a .war. You can read more about it
> > here: http://blog.keycloak.org/2015/05/distribution-changes.html
> >
> > That means you can not deploy it to just any Java web container - only the latest
> > WildFly / EAP is supported for the server. At the moment that is WildFly
> > 9.0.0.Final, and EAP 6.4.
> >
> > If for some reason you really want your application to be deployed in the
> > same server instance as the Keycloak server, you'd have to deploy your
> > application to the app server that comes with the Keycloak server rather than
> > the other way around.
> >
> > Easiest way to achieve that would be to use the keycloak-demo-1.3.1.Final.zip
> > distribution which you can download here:
> > http://sourceforge.net/projects/keycloak/files/1.3.1.Final
> >
> > - marko
> >
> > ----- Original Message -----
> > > Hi
> > > I have a maven project that is in charge of creating the Tomcat distribution
> > > for Keycloak.
> > > Until version 1.2.0-Beta1 we have used keycloak-server.war, but when I try
> > > to migrate to Keycloak 1.3.1-Final, this dependency apparently does not
> > > exist any more.
> > >
> > > <artifactItem>
> > >   <groupId>org.keycloak</groupId>
> > >   <artifactId>keycloak-server</artifactId>
> > >   <version>$1.3.1-Final</version>
> > >   <type>war</type>
> > >   <outputDirectory>${outputDirectoryForWar}</outputDirectory>
> > > </artifactItem>
> > >
> > > Could someone help me with this issue?
> > > Where could I find the server war now, or what is the new name for this
> > > dependency?
> > > Thanks and regards.
> > > Pablo Gore
> > >
> > > Here is my pom.xml
> > >
> > > <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > >          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
> > >   <modelVersion>4.0.0</modelVersion>
> > >   <parent>
> > >     <groupId>org.keycloak</groupId>
> > >     <artifactId>keycloak-parent</artifactId>
> > >     <version>1.3.1-Final</version>
> > >   </parent>
> > >
> > >   <artifactId>keycloak-tomcat-dist</artifactId>
> > >   <packaging>pom</packaging>
> > >   <name>Tomcat 8 with Keycloack</name>
> > >   <version>${project.parent.version}-1.0.4</version>
> > >   <description/>
> > >
> > >   <properties>
> > >     <tomcat.version>8.0.20</tomcat.version>
> > >     <jax.version>2.3.7.Final</jax.version>
> > >     <jackson.version>1.9.9</jackson.version>
> > >     <hibernate.version>4.2.7.SP1</hibernate.version>
> > >
> > >     <outputDirectory>${project.build.directory}/unpacked</outputDirectory>
> > >     <outputDirectoryConf>${outputDirectory}/apache-tomcat-${tomcat.version}/conf</outputDirectoryConf>
> > >     <outputDirectoryForWar>${outputDirectory}/apache-tomcat-${tomcat.version}/webapps/keycloak</outputDirectoryForWar>
> > >     <outputDirectoryForLibs>${outputDirectory}/apache-tomcat-${tomcat.version}/lib</outputDirectoryForLibs>
> > >     <configFile>${outputDirectoryForWar}/WEB-INF/classes/META-INF/keycloak-server.json</configFile>
> > >   </properties>
> > >
> > >   <dependencies/>
> > >
> > >   <build>
> > >     <plugins>
> > >       <plugin>
> > >         <groupId>org.apache.maven.plugins</groupId>
> > >         <artifactId>maven-deploy-plugin</artifactId>
> > >         <configuration>
> > >           <skip>true</skip>
> > >         </configuration>
> > >       </plugin>
> > >
> > >       <plugin>
> > >         <groupId>org.apache.maven.plugins</groupId>
> > >         <artifactId>maven-dependency-plugin</artifactId>
> > >         <executions>
> > >
> > >           <execution>
> > >             <id>unpack</id>
> > >             <phase>prepare-package</phase>
> > >             <goals>
> > >               <goal>unpack</goal>
> > >             </goals>
> > >             <configuration>
> > >               <artifactItems>
> > >                 <artifactItem>
> > >                   <groupId>org.apache.tomcat</groupId>
> > >                   <artifactId>tomcat</artifactId>
> > >                   <version>${tomcat.version}</version>
> > >                   <type>tar.gz</type>
> > >                   <outputDirectory>${outputDirectory}</outputDirectory>
> > >                 </artifactItem>
> > >               </artifactItems>
> > >             </configuration>
> > >           </execution>
> > >
> > >           <execution>
> > >             <id>get-keycloak</id>
> > >             <phase>prepare-package</phase>
> > >             <goals>
> > >               <goal>unpack</goal>
> > >             </goals>
> > >             <configuration>
> > >               <artifactItems>
> > >                 <artifactItem>
> > >                   <groupId>org.keycloak</groupId>
> > >                   <artifactId>keycloak-server</artifactId>
> > >                   <version>${project.parent.version}</version>
> > >                   <type>war</type>
> > >                   <outputDirectory>${outputDirectoryForWar}</outputDirectory>
> > >                 </artifactItem>
> > >               </artifactItems>
> > >             </configuration>
> > >           </execution>
> > >
> > >           <execution>
> > >             <id>mimic-jboss-6.2</id>
> > >             <phase>prepare-package</phase>
> > >             <goals>
> > >               <goal>copy</goal>
> > >             </goals>
> > >             <configuration>
> > >               <artifactItems>
> > >                 <dependency>
> > >                   <groupId>org.apache.httpcomponents</groupId>
> > >                   <artifactId>httpclient</artifactId>
> > >                   <version>4.2.6</version>
> > >                   <type>jar</type>
> > >                   <outputDirectory>${outputDirectoryForLibs}</outputDirectory>
> > >                 </dependency>
> > >                 <dependency>
> > >                   <groupId>org.apache.httpcomponents</groupId>
> > >                   <artifactId>httpcore</artifactId>
> > >                   <version>4.2.5</version>
> > >                   <type>jar</type>
> > >                   <outputDirectory>${outputDirectoryForLibs}</outputDirectory>
> > >                 </dependency>
> > >                 <dependency>
> > >                   <groupId>commons-logging</groupId>
> > >                   <artifactId>commons-logging</artifactId>
> > >                   <version>1.1.1</version>
> > >                   <type>jar</type>
> > >                   <outputDirectory>${outputDirectoryForLibs}</outputDirectory>
> > >                 </dependency>
> > >                 <dependency>
> > >                   <groupId>commons-io</groupId>
> > >                   <artifactId>commons-io</artifactId>
> > >                   <version>2.1</version>
> > >                   <type>jar</type>
> > >                   <outputDirectory>${outputDirectoryForLibs}</outputDirectory>
> > >                 </dependency>
> > >
> > >                 <artifactItem>
> > >                   <groupId>org.jboss.resteasy</groupId>
> > >                   <artifactId>resteasy-jaxrs</artifactId>
> > >                   <version>${jax.version}</version>
> > >                   <type>jar</type>
> > >                   <outputDirectory>${outputDirectoryForLibs}</outputDirectory>
> > >                 </artifactItem>
> > >                 <artifactItem>
> > >                   <groupId>org.jboss.resteasy</groupId>
> > >                   <artifactId>async-http-servlet-3.0</artifactId>
> > >                   <version>${jax.version}</version>
> > >                   <type>jar</type>
> > >                   <outputDirectory>${outputDirectoryForLibs}</outputDirectory>
> > >                 </artifactItem>
> > >                 <artifactItem>
> > >                   <groupId>org.jboss.resteasy</groupId>
> > >                   <artifactId>jaxrs-api</artifactId>
> > >                   <version>${jax.version}</version>
> > >                   <type>jar</type>
> > >                   <outputDirectory>${outputDirectoryForLibs}</outputDirectory>
> > >                 </artifactItem>
> > >                 <artifactItem>
> > >                   <groupId>org.jboss.resteasy</groupId>
> > >                   <artifactId>resteasy-jaxb-provider</artifactId>
> > >                   <version>${jax.version}</version>
> > >                   <type>jar</type>
> > >                   <outputDirectory>${outputDirectoryForLibs}</outputDirectory>
> > >                 </artifactItem>
> > >                 <artifactItem>
> > >                   <groupId>org.jboss.resteasy</groupId>
> > >                   <artifactId>resteasy-jackson-provider</artifactId>
> > >                   <version>${jax.version}</version>
> > >                   <type>jar</type>
> > >                   <outputDirectory>${outputDirectoryForLibs}</outputDirectory>
> > >                 </artifactItem>
> > >                 <artifactItem>
> > >                   <groupId>org.jboss.resteasy</groupId>
> > >                   <artifactId>resteasy-multipart-provider</artifactId>
> > >                   <version>${jax.version}</version>
> > >                   <type>jar</type>
> > >                   <outputDirectory>${outputDirectoryForLibs}</outputDirectory>
> > >                 </artifactItem>
> > >
> > >                 <artifactItem>
> > >                   <groupId>org.jboss.resteasy</groupId>
> > >                   <artifactId>tjws</artifactId>
> > >                   <version>${jax.version}</version>
> > >                   <type>jar</type>
> > >                   <outputDirectory>${outputDirectoryForLibs}</outputDirectory>
> > >                 </artifactItem>
> > >                 <artifactItem>
> > >                   <groupId>org.scannotation</groupId>
> > >                   <artifactId>scannotation</artifactId>
> > >                   <version>1.0.3</version>
> > >                   <type>jar</type>
> > >                   <outputDirectory>${outputDirectoryForLibs}</outputDirectory>
> > >                 </artifactItem>
> > >                 <artifactItem>
> > >                   <groupId>org.codehaus.jackson</groupId>
> > >                   <artifactId>jackson-mapper-asl</artifactId>
> > >                   <version>${jackson.version}</version>
> > >                   <type>jar</type>
> > >                   <outputDirectory>${outputDirectoryForLibs}</outputDirectory>
> > >                 </artifactItem>
> > >                 <artifactItem>
> > >                   <groupId>org.codehaus.jackson</groupId>
> > >                   <artifactId>jackson-core-asl</artifactId>
> > >                   <version>${jackson.version}</version>
> > >                   <type>jar</type>
> > >                   <outputDirectory>${outputDirectoryForLibs}</outputDirectory>
> > >                 </artifactItem>
> > >                 <artifactItem>
> > >                   <groupId>org.codehaus.jackson</groupId>
> > >                   <artifactId>jackson-jaxrs</artifactId>
> > >                   <version>${jackson.version}</version>
> > >                   <type>jar</type>
> > >                   <outputDirectory>${outputDirectoryForLibs}</outputDirectory>
> > >                 </artifactItem>
> > >                 <artifactItem>
> > >                   <groupId>org.codehaus.jackson</groupId>
> > >                   <artifactId>jackson-xc</artifactId>
> > >                   <version>${jackson.version}</version>
> > >                   <type>jar</type>
> > >                   <outputDirectory>${outputDirectoryForLibs}</outputDirectory>
> > >                 </artifactItem>
> > >                 <artifactItem>
> > >                   <groupId>org.infinispan</groupId>
> > >                   <artifactId>infinispan-core</artifactId>
> > >                   <version>5.2.7.Final</version>
> > >                   <type>jar</type>
> > >                   <outputDirectory>${outputDirectoryForLibs}</outputDirectory>
> > >                 </artifactItem>
> > >                 <artifactItem>
> > >                   <groupId>org.hibernate</groupId>
> > >                   <artifactId>hibernate-core</artifactId>
> > >                   <version>${hibernate.version}</version>
> > >                   <type>jar</type>
> > >                   <outputDirectory>${outputDirectoryForLibs}</outputDirectory>
> > >                 </artifactItem>
> > >                 <artifactItem>
> > >                   <groupId>org.hibernate</groupId>
> > >                   <artifactId>hibernate-entitymanager</artifactId>
> > >                   <version>${hibernate.version}</version>
> > >                   <type>jar</type>
> > >                   <outputDirectory>${outputDirectoryForLibs}</outputDirectory>
> > >                 </artifactItem>
> > >                 <artifactItem>
> > >                   <groupId>org.hibernate.javax.persistence</groupId>
> > >                   <artifactId>hibernate-jpa-2.0-api</artifactId>
> > >                   <version>1.0.1.Final</version>
> > >                   <type>jar</type>
> > >                   <outputDirectory>${outputDirectoryForLibs}</outputDirectory>
> > >                 </artifactItem>
> > >                 <artifactItem>
> > >                   <groupId>org.jboss.logging</groupId>
> > >                   <artifactId>jboss-logging</artifactId>
> > >                   <version>3.1.2.GA</version>
> > >                   <type>jar</type>
> > >                   <outputDirectory>${outputDirectoryForLibs}</outputDirectory>
> > >                 </artifactItem>
> > >                 <artifactItem>
> > >                   <groupId>org.jboss.spec.javax.transaction</groupId>
> > >                   <artifactId>jboss-transaction-api_1.1_spec</artifactId>
> > >                   <version>1.0.1.Final</version>
> > >                   <type>jar</type>
> > >                   <outputDirectory>${outputDirectoryForLibs}</outputDirectory>
> > >                 </artifactItem>
> > >                 <artifactItem>
> > >                   <groupId>dom4j</groupId>
> > >                   <artifactId>dom4j</artifactId>
> > >                   <version>1.6.1</version>
> > >                   <type>jar</type>
> > >                   <outputDirectory>${outputDirectoryForLibs}</outputDirectory>
> > >                 </artifactItem>
> > >                 <artifactItem>
> > >                   <groupId>org.hibernate.common</groupId>
> > >                   <artifactId>hibernate-commons-annotations</artifactId>
> > >                   <version>4.0.1.Final</version>
> > >                   <type>jar</type>
> > >                   <outputDirectory>${outputDirectoryForLibs}</outputDirectory>
> > >                 </artifactItem>
> > >                 <artifactItem>
> > >                   <groupId>org.javassist</groupId>
> > >                   <artifactId>javassist</artifactId>
> > >                   <version>3.18.1-GA</version>
> > >                   <type>jar</type>
> > >                   <outputDirectory>${outputDirectoryForLibs}</outputDirectory>
> > >                 </artifactItem>
> > >                 <artifactItem>
> > >                   <groupId>antlr</groupId>
> > >                   <artifactId>antlr</artifactId>
> > >                   <version>2.7.7</version>
> > >                   <type>jar</type>
> > >                   <outputDirectory>${outputDirectoryForLibs}</outputDirectory>
> > >                 </artifactItem>
> > >                 <artifactItem>
> > >                   <groupId>javax.mail</groupId>
> > >                   <artifactId>mail</artifactId>
> > >                   <version>1.4.5</version>
> > >                   <type>jar</type>
> > >                   <outputDirectory>${outputDirectoryForLibs}</outputDirectory>
> > >                 </artifactItem>
> > >                 <artifactItem>
> > >                   <groupId>com.google.zxing</groupId>
> > >                   <artifactId>core</artifactId>
> > >                   <type>jar</type>
> > >                   <outputDirectory>${outputDirectoryForLibs}</outputDirectory>
> > >                 </artifactItem>
> > >                 <artifactItem>
> > >                   <groupId>com.google.zxing</groupId>
> > >                   <artifactId>javase</artifactId>
> > >                   <type>jar</type>
> > >                   <outputDirectory>${outputDirectoryForLibs}</outputDirectory>
> > >                 </artifactItem>
> > >                 <artifactItem>
> > >                   <groupId>com.icegreen</groupId>
> > >                   <artifactId>greenmail</artifactId>
> > >                   <type>jar</type>
> > >                   <outputDirectory>${outputDirectoryForLibs}</outputDirectory>
> > >                 </artifactItem>
> > >                 <artifactItem>
> > >                   <groupId>de.idyl</groupId>
> > >                   <artifactId>winzipaes</artifactId>
> > >                   <type>jar</type>
> > >                   <outputDirectory>${outputDirectoryForLibs}</outputDirectory>
> > >                 </artifactItem>
> > >                 <artifactItem>
> > >                   <groupId>xml-apis</groupId>
> > >                   <artifactId>xml-apis</artifactId>
> > >                   <type>jar</type>
> > >                   <outputDirectory>${outputDirectoryForLibs}</outputDirectory>
> > >                 </artifactItem>
> > >                 <artifactItem>
> > >                   <groupId>org.slf4j</groupId>
> > >                   <artifactId>slf4j-api</artifactId>
> > >                   <type>jar</type>
> > >                   <outputDirectory>${outputDirectoryForLibs}</outputDirectory>
> > >                 </artifactItem>
> > >                 <artifactItem>
> > >                   <groupId>org.slf4j</groupId>
> > >                   <artifactId>slf4j-simple</artifactId>
> > >                   <type>jar</type>
> > >                   <outputDirectory>${outputDirectoryForLibs}</outputDirectory>
> > >                 </artifactItem>
> > >               </artifactItems>
> > >             </configuration>
> > >           </execution>
> > >
> > >           <execution>
> > >             <id>get-postgresql-jdbc-driver</id>
> > >             <phase>prepare-package</phase>
> > >             <goals>
> > >               <goal>copy</goal>
> > >             </goals>
> > >             <configuration>
> > >               <artifactItems>
> > >                 <!-- mysql:mysql-connector-java -->
> > >                 <artifactItem>
> > >                   <groupId>mysql</groupId>
> > >                   <artifactId>mysql-connector-java</artifactId>
> > >                   <version>5.1.34</version>
> > >                   <type>jar</type>
> > >                   <outputDirectory>${outputDirectoryForLibs}</outputDirectory>
> > >                 </artifactItem>
> > >
> > >                 <artifactItem>
> > >                   <groupId>org.postgresql</groupId>
> > >                   <artifactId>postgresql</artifactId>
> > >                   <version>9.4-1200-jdbc41</version>
> > >                   <type>jar</type>
> > >                   <outputDirectory>${outputDirectoryForLibs}</outputDirectory>
> > >                 </artifactItem>
> > >               </artifactItems>
> > >             </configuration>
> > >           </execution>
> > >
> > >         </executions>
> > >       </plugin>
> > >
> > >       <plugin>
> > >         <artifactId>maven-resources-plugin</artifactId>
> > >         <version>2.7</version>
> > >         <executions>
> > >           <execution>
> > >             <id>setup-data-source</id>
> > >             <phase>package</phase>
> > >             <goals>
> > >               <goal>copy-resources</goal>
> > >             </goals>
> > >             <configuration>
> > >               <outputDirectory>${outputDirectoryConf}</outputDirectory>
> > >               <encoding>UTF-8</encoding>
> > >               <resources>
> > >                 <resource>
> > >                   <directory>.</directory>
> > >                   <includes>
> > >                     <include>context.xml</include>
> > >                   </includes>
> > >                   <filtering>false</filtering>
> > >                 </resource>
> > >               </resources>
> > >             </configuration>
> > >           </execution>
> > >         </executions>
> > >       </plugin>
> > >
> > >       <plugin>
> > >         <groupId>com.google.code.maven-replacer-plugin</groupId>
> > >         <artifactId>replacer</artifactId>
> > >         <version>1.5.3</version>
> > >         <executions>
> > >           <execution>
> > >             <id>fix-data-source</id>
> > >             <phase>package</phase>
> > >             <goals>
> > >               <goal>replace</goal>
> > >             </goals>
> > >           </execution>
> > >         </executions>
> > >         <configuration>
> > >           <file>${configFile}</file>
> > >           <replacements>
> > >             <replacement>
> > >               <token>java:jboss/datasources/KeycloakDS</token>
> > >               <value>java:/comp/env/jdbc/KeycloakDS</value>
> > >             </replacement>
> > >             <replacement>
> > >               <token>jboss.server.config.dir}</token>
> > >               <value>catalina.home}/conf</value>
> > >             </replacement>
> > >           </replacements>
> > >         </configuration>
> > >       </plugin>
> > >
> > >       <plugin>
> > >         <artifactId>maven-assembly-plugin</artifactId>
> > >         <version>2.4</version>
> > >         <executions>
> > >           <execution>
> > >             <id>assemble</id>
> > >             <phase>package</phase>
> > >             <goals>
> > >               <goal>single</goal>
> > >             </goals>
> > >             <configuration>
> > >               <tarLongFileMode>gnu</tarLongFileMode>
> > >               <descriptors>
> > >                 <descriptor>assembly.xml</descriptor>
> > >               </descriptors>
> > >               <outputDirectory>target</outputDirectory>
> > >               <workDirectory>target/assembly/work</workDirectory>
> > >               <appendAssemblyId>false</appendAssemblyId>
> > >             </configuration>
> > >           </execution>
> > >         </executions>
> > >       </plugin>
> > >
> > >     </plugins>
> > >   </build>
> > > </project>
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user

From gerbermichi at me.com Tue Jul 28 02:03:37 2015
From: gerbermichi at me.com (Michael Gerber)
Date: Tue, 28 Jul 2015 06:03:37 +0000 (GMT)
Subject: [keycloak-user] Re: LDAP with Kerberos, login with different user
Message-ID: <02df0f9e-faae-4124-a5f7-c31cbc2dde13@me.com>

Should I create a Jira issue for that task? Or will you implement something in this direction anyway?

On 24 July 2015 at 09:57, Stian Thorgersen wrote:

----- Original Message -----
From: "Marek Posolda"
To: "Raghu Prabhala", "Bill Burke"
Cc: "Stian Thorgersen", keycloak-user at lists.jboss.org
Sent: Friday, 24 July, 2015 9:49:45 AM
Subject: Re: [keycloak-user] LDAP with Kerberos, login with different user

Support for prompt=select_account will be cool. Another suggestion for adding a query parameter to skip some mechanisms (like skipAuthMechanism=cookie,kerberos) might be good too.

That'll only make sense if we also add support to allow multiple accounts, which could be fairly easy on the server-side, but much harder to support in adapters.

Not sure if we need to support both, but IMO it will be good to have a solution not tightly coupled to Kerberos. I can imagine a similar situation with other login mechanisms as well. For example with authenticating users by certificate, an admin may also want to skip automatic login with the certificate from his browser and instead login with the username/password form.

Marek

On 23.7.2015 17:43, Raghu Prabhala wrote:
> The select account prompt wouldn't work for us as some of our applications
> require that the user login only by entering userid/pw but your other
> suggestion might work as long as we do the Kerberos authentication using
> Id/pw
>
> Sent from my iPhone
>
>> On Jul 23, 2015, at 11:28 AM, Bill Burke wrote:
>>
>> All this interaction is defined by the SAML and OIDC specifications.
>> Logout redirects you back to the application and it's up to the
>> application what to do next. We could add a query param that, if it is
>> set, tells Keycloak not to do Kerberos. This could be in addition to the "login
>> automatically" flag.
>>
>>
>>> On 7/23/2015 11:14 AM, Raghu Prabhala wrote:
>>> Why can't we have two separate authentication mechanisms - one IWA, in
>>> which case the user is logged in automatically and on logout he is taken
>>> to a login page where a diff userid can be entered and two, a login page
>>> that allows userid/password? That would address our use case.
>>>
>>> Sent from my iPhone
>>>
>>>> On Jul 23, 2015, at 10:50 AM, Marek Posolda wrote:
>>>>
>>>> Maybe it can be configurable for the Kerberos mechanism? Just the flag
>>>> "login automatically". If it's off, another confirmation screen for the
>>>> user will be displayed?
>>>>
>>>> Marek
>>>>
>>>>> On 23.7.2015 16:36, Stian Thorgersen wrote:
>>>>> "Is this you?"
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Bill Burke"
>>>>>> To: keycloak-user at lists.jboss.org
>>>>>> Sent: Thursday, 23 July, 2015 4:02:53 PM
>>>>>> Subject: Re: [keycloak-user] LDAP with Kerberos, login with different
>>>>>> user
>>>>>>
>>>>>> With the new flows, we could detect a Kerberos login then ask if they
>>>>>> want to login as that user or another.
>>>>>>
>>>>>>> On 7/23/2015 2:26 AM, Marek Posolda wrote:
>>>>>>> Do you want that for normal users or just for admin users? Just trying
>>>>>>> to understand the use case. Because AFAIK the point of Kerberos is that
>>>>>>> you login into the desktop and then you're automatically logged into
>>>>>>> integrated web applications without needing to deal with any login screens
>>>>>>> and username/password. When a user has just one Keycloak account
>>>>>>> corresponding to his Kerberos ticket, then why does he need to login as a
>>>>>>> different user?
>>>>>>>
>>>>>>> I can understand the use case for admin, when you want to login as a
>>>>>>> different user for testing purposes etc. For this, isn't it possible in
>>>>>>> Windows to do something like "kdestroy" to be able to login without
>>>>>>> Kerberos?
>>>>>>>
>>>>>>> Marek
>>>>>>>
>>>>>>>> On 23.7.2015 07:44, Michael Gerber wrote:
>>>>>>>> Isn't it possible to create a cookie or add a URL parameter after the
>>>>>>>> logout, so the user is not logged in automatically?
>>>>>>>>
>>>>>>>> It's crucial for us to be able to log in as a different user,
>>>>>>>> otherwise we can not use Kerberos at all :(
>>>>>>>>
>>>>>>>> Michael
>>>>>>>>
>>>>>>>>> On 22 July 2015 at 23:06, Marek Posolda wrote:
>>>>>>>>>
>>>>>>>>> I don't think it's doable. Kerberos is a kind of desktop login and
>>>>>>>>> logout from the web application won't destroy the Kerberos ticket -
>>>>>>>>> similarly, it can't log out your laptop/desktop session. So when
>>>>>>>>> you visit the secured application next time, you are automatically
>>>>>>>>> logged into Keycloak through SPNEGO due to the Kerberos ticket.
>>>>>>>>>
>>>>>>>>> Hence you need to remove the Kerberos ticket manually (for example
>>>>>>>>> "kdestroy" works on Linux, but I guess you're using Windows +
>>>>>>>>> ActiveDirectory?) and then you will be able to see the Keycloak login
>>>>>>>>> screen and login as a different user.
>>>>>>>>>
>>>>>>>>> Marek
>>>>>>>>>
>>>>>>>>>> On 22.7.2015 15:38, Michael Gerber wrote:
>>>>>>>>>> Hi all,
>>>>>>>>>>
>>>>>>>>>> I use LDAP with Kerberos and would like to logout and login again
>>>>>>>>>> with a different user (no Kerberos login, just the Keycloak username and
>>>>>>>>>> password dialog).
>>>>>>>>>> Is that possible?
>>>>>>>>>>
>>>>>>>>>> cheers
>>>>>>>>>> Michael
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user at lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>> --
>>>>>> Bill Burke
>>>>>> JBoss, a division of Red Hat
>>>>>> http://bill.burkecentral.com
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150728/1d7270b8/attachment-0001.html

From lars.frauenrath at traveltainment.de Tue Jul 28 05:17:56 2015
From: lars.frauenrath at traveltainment.de (Lars Frauenrath)
Date: Tue, 28 Jul 2015 09:17:56 +0000
Subject: [keycloak-user] JavaScript error: No Access-Control-Allow-Origin header is present...
Message-ID: <24A96690C67C15499D588133A8985E2109FF658E@EX-TT-AC-01.traveltainment.int>

Hi,

as the subject says, I got an error while sending a request to my Keycloak server.
I configured the following things:

1. External Keycloak server (runs on localhost:8180)
   a. Add realm
   b. Add client/application
   c. Add roles
   d. Add user + roles for this user
   e. Add URL to Web Origins (http://localhost:8080)

2. Wildfly 8 Server (runs on localhost:8080)
   a. Add Keycloak adapter for WildFly 8
   b. Add Security domain
   c. Add subsystem for Keycloak (generated from Keycloak admin console)

3. My Application
   a. keycloak.json (generated from Keycloak admin console | "enable-cors" is set to true)
   b. Downloaded keycloak.js and added it to jsp/html pages
   c. Defined security-constraints and security-roles in web.xml

I got the problem while trying to login to my application. Keycloak accepts my username and password and forwards me to the first site of my application. There I am using the keycloak.js to "login" and handle the different roles, but within this workflow I got the following errors:

1. "XMLHttpRequest cannot load 'http://localhost:8180/auth/realms/TOMAMappingConfigurationService/tokens/access/codes'. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8080' is therefore not allowed access. The response had HTTP status code 400."

2. "XMLHttpRequest cannot load 'http://localhost:8180/auth/realms/TOMAMappingConfigurationService/account'. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8080' is therefore not allowed access. The response had HTTP status code 403."

I hope you can help me.

Kind regards,
Lars

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150728/62b70827/attachment.html

From lars.frauenrath at traveltainment.de Tue Jul 28 05:30:12 2015
From: lars.frauenrath at traveltainment.de (Lars Frauenrath)
Date: Tue, 28 Jul 2015 09:30:12 +0000
Subject: [keycloak-user] JavaScript error: No Access-Control-Allow-Origin header is present...
In-Reply-To: <24A96690C67C15499D588133A8985E2109FF658E@EX-TT-AC-01.traveltainment.int>
References: <24A96690C67C15499D588133A8985E2109FF658E@EX-TT-AC-01.traveltainment.int>
Message-ID: <24A96690C67C15499D588133A8985E2109FF65AB@EX-TT-AC-01.traveltainment.int>

Hi,

I could resolve my problem. The error occurred because I used a local copy of the keycloak.js file. Since I am using the file from the server (src=http://localhost:8180/auth/js/keycloak.js) it works fine.

Best regards,
Lars

From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of Lars Frauenrath
Sent: Tuesday, 28 July 2015 11:18
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] JavaScript error: No Access-Control-Allow-Origin header is present...

Hi,

as the subject says, I got an error while sending a request to my Keycloak server.

I configured the following things:

1. External Keycloak server (runs on localhost:8180)
   a. Add realm
   b. Add client/application
   c. Add roles
   d. Add user + roles for this user
   e. Add URL to Web Origins (http://localhost:8080)

2. Wildfly 8 Server (runs on localhost:8080)
   a. Add Keycloak adapter for WildFly 8
   b. Add Security domain
   c. Add subsystem for Keycloak (generated from Keycloak admin console)

3. My Application
   a. keycloak.json (generated from Keycloak admin console | "enable-cors" is set to true)
   b. Downloaded keycloak.js and added it to jsp/html pages
   c. Defined security-constraints and security-roles in web.xml

I got the problem while trying to login to my application. Keycloak accepts my username and password and forwards me to the first site of my application. There I am using the keycloak.js to "login" and handle the different roles, but within this workflow I got the following errors:

1. "XMLHttpRequest cannot load 'http://localhost:8180/auth/realms/TOMAMappingConfigurationService/tokens/access/codes'. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8080' is therefore not allowed access. The response had HTTP status code 400."

2. "XMLHttpRequest cannot load 'http://localhost:8180/auth/realms/TOMAMappingConfigurationService/account'. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8080' is therefore not allowed access. The response had HTTP status code 403."

I hope you can help me.

Kind regards,
Lars

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150728/44a5bfff/attachment-0001.html

From subhrajyotim at gmail.com Tue Jul 28 05:39:25 2015
From: subhrajyotim at gmail.com (Subhrajyoti Moitra)
Date: Tue, 28 Jul 2015 15:09:25 +0530
Subject: [keycloak-user] JS Adapter- Get user realm-roles and client specific roles.
Message-ID:

Hello Friends,

We are preparing a Keycloak SSO based auth/IDM for our internal applications.

For protecting the JS UI we are using the JS adapter. We are able to get basic user information, using the loadUserProfile() API.

Q) How do I get the roles that the user has been assigned at the realm level as well as the client specific roles?

Please guide me how I can accomplish this. Even a server side solution would work, it need not be just JS based.

Thanks a lot in advance.

Subhro.
PS: Using KC 1.3.1 Final with MySQL

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150728/47586dc2/attachment.html

From stian at redhat.com Tue Jul 28 05:51:27 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 28 Jul 2015 05:51:27 -0400 (EDT)
Subject: [keycloak-user] JS Adapter- Get user realm-roles and client specific roles.
In-Reply-To: References: Message-ID: <1744096076.1254027.1438077087309.JavaMail.zimbra@redhat.com> tokenParsed contains all details in the token, including the roles ----- Original Message ----- > From: "Subhrajyoti Moitra" > To: keycloak-user at lists.jboss.org > Sent: Tuesday, 28 July, 2015 11:39:25 AM > Subject: [keycloak-user] JS Adapter- Get user realm-roles and client specific roles. > > Hello Friends, > We are preparing a keycloak SSO based auth/IDM for our internal applications. > > For protecting JS-UI we are using the JS adapter. We are able to get basic > user information, using loadUserProfile() api. > > Q) How do I get the roles that the user has been assigned at the realm level > as well as the client specific roles? > > Pl guide me how i can accomplish this. Even a server side solution would > work, need not be just JS based. > > Thanks a lot in advance. > > Subhro. > PS: Using KC 1.3.1 Final with MySQL > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From subhrajyotim at gmail.com Tue Jul 28 06:22:21 2015 From: subhrajyotim at gmail.com (Subhrajyoti Moitra) Date: Tue, 28 Jul 2015 15:52:21 +0530 Subject: [keycloak-user] JS Adapter- Get user realm-roles and client specific roles. In-Reply-To: <1744096076.1254027.1438077087309.JavaMail.zimbra@redhat.com> References: <1744096076.1254027.1438077087309.JavaMail.zimbra@redhat.com> Message-ID: Thanks a lot Stian for the very quick reply. Should have checked this out earlier. Got it working!! Thanks again, Subhro. On Tue, Jul 28, 2015 at 3:21 PM, Stian Thorgersen wrote: > tokenParsed contains all details in the token, including the roles > > ----- Original Message ----- > > From: "Subhrajyoti Moitra" > > To: keycloak-user at lists.jboss.org > > Sent: Tuesday, 28 July, 2015 11:39:25 AM > > Subject: [keycloak-user] JS Adapter- Get user realm-roles and client > specific roles. 
> > > > Hello Friends, > > We are preparing a keycloak SSO based auth/IDM for our internal > applications. > > > > For protecting JS-UI we are using the JS adapter. We are able to get > basic > > user information, using loadUserProfile() api. > > > > Q) How do I get the roles that the user has been assigned at the realm > level > > as well as the client specific roles? > > > > Pl guide me how i can accomplish this. Even a server side solution would > > work, need not be just JS based. > > > > Thanks a lot in advance. > > > > Subhro. > > PS: Using KC 1.3.1 Final with MySQL > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150728/f952e0c3/attachment.html From rajat.nair at hp.com Wed Jul 29 05:10:09 2015 From: rajat.nair at hp.com (Nair, Rajat) Date: Wed, 29 Jul 2015 09:10:09 +0000 Subject: [keycloak-user] Error during LDAP syncing on Keycloak 1.4.0 Message-ID: Hi, As part of testing another issue (Distributed Keycloak user sessions using Infinispan), I upgraded my nodes to Keycloak 1.4.0 (grabbed release from here - http://central.maven.org/maven2/org/keycloak/keycloak-server-dist/1.4.0.Final/keycloak-server-dist-1.4.0.Final.tar.gz). I wiped out our Keycloak database and recreated it. 
After configuring our LDAP server (similar configuration which worked against Keycloak 1.3.1 Final), when we try to sync users we get the following exception -

2015-07-29 09:00:42,062 ERROR [io.undertow.request] (default task-25) UT005023: Exception handling request to /auth/admin/realms/test/user-federation/instances/3ccbe831-2d9b-4253-8fe7-343d7ead505d/sync: java.lang.RuntimeException: request path: /auth/admin/realms/test/user-federation/instances/3ccbe831-2d9b-4253-8fe7-343d7ead505d/sync
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:73)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:59)
    ... 29 more
Caused by: java.lang.NullPointerException
    at org.keycloak.models.cache.DefaultCacheUserProvider.getUserByUsername(DefaultCacheUserProvider.java:149)
    at org.keycloak.federation.ldap.LDAPFederationProviderFactory$2.run(LDAPFederationProviderFactory.java:294)
    at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:242)
    at org.keycloak.federation.ldap.LDAPFederationProviderFactory.importLdapUsers(LDAPFederationProviderFactory.java:286)
    at org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncImpl(LDAPFederationProviderFactory.java:241)
    at org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncAllUsers(LDAPFederationProviderFactory.java:200)
    at org.keycloak.services.managers.UsersSyncManager.syncAllUsers(UsersSyncManager.java:50)
    at org.keycloak.services.resources.admin.UserFederationProviderResource.syncUsers(UserFederationProviderResource.java:143)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
    ... 37 more

Could this be a regression?

-- Rajat

From stian at redhat.com Wed Jul 29 07:27:16 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Wed, 29 Jul 2015 07:27:16 -0400 (EDT)
Subject: [keycloak-user] Keycloak 1.4.0.Final released
Message-ID: <310051531.255339.1438169236698.JavaMail.zimbra@redhat.com>

http://blog.keycloak.org/2015/07/keycloak-140final-released.html

From fmrage at hotmail.com Wed Jul 29 08:39:58 2015
From: fmrage at hotmail.com (Fabio Monteiro)
Date: Wed, 29 Jul 2015 14:39:58 +0200
Subject: [keycloak-user] Angular app, login on click and not on load.
Message-ID:

Hi,

I'm looking for a simple way to login to keycloak with an AngularJS app.

If I use the example (angular-product-app) one can find with the Keycloak appliance, the js adapter redirects the user to the Keycloak login page "onload" (keycloakVar.init({onLoad: 'login-required'})...)

But I want to login only when I specifically click on some button. From what I can gather the method keycloakVar.login() from the docs & JS reference is the way to go.. but replacing the .init() method with the .login() method doesn't seem to work...

Also, in the "normal" case, the init() regular example itself leaves me, after logging in successfully, with still empty Javascript objects once I am successfully redirected to my app page (the auth global variable).

The official angular + js-adapter: https://github.com/keycloak/keycloak/blob/master/examples/demo-template/angular-product-app/src/main/webapp/js/app.js

Could you help me? I must be missing something.

Thanks a lot
Fabio M

From rajat.nair at hp.com Wed Jul 29 08:56:07 2015
From: rajat.nair at hp.com (Nair, Rajat)
Date: Wed, 29 Jul 2015 12:56:07 +0000
Subject: [keycloak-user] Distributed Keycloak user sessions using Infinispan
In-Reply-To: <1042060711.1068309.1438058940079.JavaMail.zimbra@redhat.com>
References: <1204411095.666223.1438000619434.JavaMail.zimbra@redhat.com> <59651412.706872.1438003614393.JavaMail.zimbra@redhat.com> <1045151906.720245.1438004746473.JavaMail.zimbra@redhat.com> <1732913135.720424.1438004774275.JavaMail.zimbra@redhat.com> <1042060711.1068309.1438058940079.JavaMail.zimbra@redhat.com>
Message-ID:

Follow up to our discussion - I upgraded my nodes to Keycloak 1.4 Final.
Dropped and re-created the Postgres database (shared between both the nodes) and tested distributed user sessions using the following commands -

- Fetch access token using following curl from one server

curl --write-out " %{http_code}" -s --request POST --header "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" --data "username=user1@email.com&password=testpassword@&client_id=admin-client&grant_type=password" "http://test-server-110:8080/auth/realms/test/protocol/openid-connect/token"

- Validated the token on a different server using

curl --write-out " %{http_code}" -s --request GET --header "Content-Type: application/json" --header "Authorization: Bearer [ACCESS_TOKEN_FROM_PREVIOUS_CALL]" "http://test-server-111:8081/auth/realms/test/protocol/openid-connect/userinfo"

And we get this -

{"error":"invalid_grant","error_description":"Token invalid"}

No more NPE and internal server error. If we use the same token and try to fetch user details on the server which issued the token - we get the correct data. (Note - I have confirmed that the token has not expired)

> One thing you can try is to make sure user session replication is working properly:
> 1. Start two nodes
> 2. Open admin console directly on node 1 - login as admin/admin
> 3. Open admin console directly on node 2 from another machine/browser or use incognito mode - login as admin/admin
> 4. On node 1 go to users -> view all -> click on admin -> sessions - you should see two sessions
> 5. On node 2 do the same and check you can see two sessions there as well

Now this is where things get strange. I followed the steps described - used 2 different browsers - and I can see 2 sessions listed!

Is the process we use to validate the token incorrect? Or is the master console on the web doing something different (like get the data from the Postgres database used by both the nodes)?
-- Rajat

-----Original Message-----
From: Stian Thorgersen [mailto:stian at redhat.com]
Sent: 28 July 2015 10:19
To: Nair, Rajat
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Distributed Keycloak user sessions using Infinispan

----- Original Message -----
> From: "Rajat Nair"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Monday, 27 July, 2015 7:33:25 PM
> Subject: RE: [keycloak-user] Distributed Keycloak user sessions using Infinispan
>
> > Can you send me your standalone-ha.xml and keycloak-server.json?
> Files attached. The service is started like -
> /opt/jboss/keycloak/bin/standalone.sh -c standalone-ha.xml -b=test-server-110 -bmanagement=test-server-110 -u 230.0.0.4 -Djboss.node.name=test-server-110
>
> > Also, any chance you can try it out with master? I've been testing with that as we're about to do 1.4 release soon
> Glad to give back to the community. Will build and deploy the master on my nodes. Will send findings tomorrow.
>
> Regarding a scenario I described earlier - Case 2
> 1. Start with 1 Node down. We bring it back up. We wait for some time so that Infinispan can sync.
> 2. Bring down other node.
> 3. Try to get user info using existing token.
>
> Is this a valid use-case?

Yes - I've tried the same use-case and it works fine every time. One caveat is that access token can expire, but in this case you should get a 403 returned, not a NPE exception and 500.

One thing you can try is to make sure user session replication is working properly:
1. Start two nodes
2. Open admin console directly on node 1 - login as admin/admin
3. Open admin console directly on node 2 from another machine/browser or use incognito mode - login as admin/admin
4. On node 1 go to users -> view all -> click on admin -> sessions - you should see two sessions
5. On node 2 do the same and check you can see two sessions there as well

>
> -- Rajat
>
> -----Original Message-----
> From: Stian Thorgersen [mailto:stian at redhat.com]
> Sent: 27 July 2015 19:16
> To: Nair, Rajat
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Distributed Keycloak user sessions using Infinispan
>
> Also, any chance you can try it out with master? I've been testing with that as we're about to do 1.4 release soon
>
> ----- Original Message -----
> > From: "Stian Thorgersen"
> > To: "Rajat Nair"
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Monday, 27 July, 2015 3:45:46 PM
> > Subject: Re: [keycloak-user] Distributed Keycloak user sessions using Infinispan
> >
> > Can you send me your standalone-ha.xml and keycloak-server.json?
> >
> > ----- Original Message -----
> > > From: "Rajat Nair"
> > > To: "Stian Thorgersen"
> > > Cc: keycloak-user at lists.jboss.org
> > > Sent: Monday, 27 July, 2015 3:41:36 PM
> > > Subject: RE: [keycloak-user] Distributed Keycloak user sessions using Infinispan
> > >
> > > > Do you have both nodes fully up and running before you kill one node?
> > > Yes.
> > > This is what we tried -
> > > Case 1
> > > 1. Two node cluster (both running Keycloak engines) - both up and running. Configured load balancing using mod_cluster.
> > > 2. Login and get token.
> > > 3. Bring down one node.
> > > 4. Get user info using existing token. This is when we get NPE.
> > >
> > > Case 2
> > > 1. Start with 1 Node down. We bring it back up. We wait for some time so that Infinispan can sync.
> > > 2. Bring down other node.
> > > 3. Try to get user info using existing token. Again we see NPE.
> > >
> > > > It's a bug - if session is expired it should return an error message, not a NPE (see https://issues.jboss.org/browse/KEYCLOAK-1710)
> > > Thanks for tracking this.
> > >
> > > -- Rajat
> > >
> > > ----- Original Message -----
> > > > From: "Rajat Nair"
> > > > To: "Stian Thorgersen"
> > > > Cc: keycloak-user at lists.jboss.org
> > > > Sent: Monday, 27 July, 2015 3:20:27 PM
> > > > Subject: RE: [keycloak-user] Distributed Keycloak user sessions using Infinispan
> > > >
> > > > Thanks for quick reply Stian.
> > > >
> > > > > What version?
> > > > We are using Keycloak 1.3.1 Final.
> > > >
> > > > > Did you remember to change userSessions provider to infinispan in keycloak-server.json?
> > > > Yes. We got following in keycloak-server.json -
> > > > "userSessions": {
> > > >     "provider": "infinispan"
> > > > }
> > > >
> > > > > Firstly owners="2" should work fine as long as only one node dies and the other remains active. Secondly it should return a NPE, but an error if user session is not found.
> > > > Could you elaborate on your 2nd point?
> > >
> > > Do you have both nodes fully up and running before you kill one node?
> > >
> > > It's a bug - if session is expired it should return an error message, not a NPE (see https://issues.jboss.org/browse/KEYCLOAK-1710)
> > >
> > > >
> > > > -- Rajat
> > > >
> > > > -----Original Message-----
> > > > From: Stian Thorgersen [mailto:stian at redhat.com]
> > > > Sent: 27 July 2015 18:07
> > > > To: Nair, Rajat
> > > > Cc: keycloak-user at lists.jboss.org
> > > > Subject: Re: [keycloak-user] Distributed Keycloak user sessions using Infinispan
> > > >
> > > > Did you remember to change userSessions provider to infinispan in keycloak-server.json?
> > > >
> > > > ----- Original Message -----
> > > > > From: "Stian Thorgersen"
> > > > > To: "Rajat Nair"
> > > > > Cc: keycloak-user at lists.jboss.org
> > > > > Sent: Monday, 27 July, 2015 2:24:17 PM
> > > > > Subject: Re: [keycloak-user] Distributed Keycloak user sessions using Infinispan
> > > > >
> > > > > What version?
> > > > >
> > > > > Firstly owners="2" should work fine as long as only one node dies and the other remains active. Secondly it should return a NPE, but an error if user session is not found.
> > > > >
> > > > > ----- Original Message -----
> > > > > > From: "Rajat Nair"
> > > > > > To: keycloak-user at lists.jboss.org
> > > > > > Sent: Monday, 27 July, 2015 2:03:47 PM
> > > > > > Subject: [keycloak-user] Distributed Keycloak user sessions using Infinispan
> > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > I'm in the process of setting up distributed user sessions using Infinispan on my Keycloak cluster. This is the configuration I use -
> > > > > >
> > > > > > jndi-name="java:jboss/infinispan/Keycloak">
> > > > > > lock-timeout="60000"/>
> > > > > > owners="1"/>
> > > > > >
> > > > > > And in server.logs, I can see my servers communicate -
> > > > > >
> > > > > > 2015-07-27 10:27:24,662 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t7) ISPN000310: Starting cluster-wide rebalance for cache users, topology CacheTopology{id=57, rebalanceId=17, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[test-server-110: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[test-server-110: 30, test-server-111: 30]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
> > > > > >
> > > > > > 2015-07-27 10:27:24,665 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t10) ISPN000310: Starting cluster-wide rebalance for cache realms, topology CacheTopology{id=57, rebalanceId=17, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[test-server-110: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[test-server-110: 30, test-server-111: 30]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
> > > > > >
> > > > > > 2015-07-27 10:27:24,665 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t8) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=57, rebalanceId=17, currentCH=DefaultConsistentHash{ns=80, owners = (1)[test-server-110: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[test-server-110: 40+0, test-server-111: 40+0]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
> > > > > >
> > > > > > 2015-07-27 10:27:24,669 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t9) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=56, rebalanceId=17, currentCH=DefaultConsistentHash{ns=80, owners = (1)[test-server-110: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[test-server-110: 40+0, test-server-111: 40+0]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
> > > > > >
> > > > > > 2015-07-27 10:27:24,808 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t9) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 57
> > > > > >
> > > > > > 2015-07-27 10:27:24,810 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t12) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 56
> > > > > >
> > > > > > 2015-07-27 10:27:24,988 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t12) ISPN000336: Finished cluster-wide rebalance for cache realms, topology id = 57
> > > > > >
> > > > > > 2015-07-27 10:27:25,530 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t8) ISPN000336: Finished cluster-wide rebalance for cache users, topology id = 57
> > > > > >
> > > > > > I can successfully login, get a token and fetch user details with this token.
> > > > > >
> > > > > > Problem is, if one of the nodes on the cluster goes down and if we try to reuse a token which was already issued (so workflow is - user logs in, gets token, (a node in the cluster goes down) and then fetches user details using token) - we see an internal server exception. From the logs -
> > > > > >
> > > > > > 2015-07-27 10:24:25,714 ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /auth/realms/scaletest/protocol/openid-connect/userinfo: java.lang.RuntimeException: request path: /auth/realms/scaletest/protocol/openid-connect/userinfo
> > > > > >     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54)
> > > > > >     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> > > > > >     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
> > > > > >     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
> > > > > >     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> > > > > >     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> > > > > >     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> > > > > >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > > >     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> > > > > >     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> > > > > >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > > >     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> > > > > >     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> > > > > >     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
> > > > > >     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
> > > > > >     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> > > > > >     at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
> > > > > >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > > >     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> > > > > >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > > >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > > >     at io.undertow.server.handlers.MetricsHandler.handleRequest(MetricsHandler.java:62)
> > > > > >     at io.undertow.servlet.core.MetricsChainHandler.handleRequest(MetricsChainHandler.java:59)
> > > > > >     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:274)
> > > > > >     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:253)
> > > > > >     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
> > > > > >     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
> > > > > >     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
> > > > > >     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
> > > > > >     at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
> > > > > >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
> > > > > >     at java.lang.Thread.run(Unknown Source)
> > > > > > Caused by: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
> > > > > >     at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
> > > > > >     at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
> > > > > >     at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
> > > > > >     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
> > > > > >     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
> > > > > >     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
> > > > > >     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> > > > > >     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> > > > > >     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> > > > > >     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
> > > > > >     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
> > > > > >     at org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41)
> > > > > >     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> > > > > >     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
> > > > > >     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40)
> > > > > >     ... 31 more
> > > > > > Caused by: java.lang.NullPointerException
> > > > > >     at org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.issueUserInfo(UserInfoEndpoint.java:128)
> > > > > >     at org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.issueUserInfoGet(UserInfoEndpoint.java:101)
> > > > > >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > > > >     at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> > > > > >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> > > > > >     at java.lang.reflect.Method.invoke(Unknown Source)
> > > > > >     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
> > > > > >     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
> > > > > >     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
> > > > > >     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
> > > > > >     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
> > > > > >     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
> > > > > >     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
> > > > > >     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
> > > > > >     ... 42 more
> > > > > >
> > > > > > The user guide says -
> > > > > >
> > > > > > If you need to prevent node failures from requiring users to log in again, set the owners attribute to 2 or more for the sessions cache
> > > > > >
> > > > > > Questions -
> > > > > >
> > > > > > 1. Have we configured Infinispan incorrectly? We don't want the users to login again if any of the nodes in the cluster go down.
> > > > > >
> > > > > > 2. Will changing distributed-cache to replicated-cache help in this scenario?
> > > > > >
> > > > > > 3. Any way we can see the contents of the cache?
> > > > > >
> > > > > > -- Rajat

From bburke at redhat.com Wed Jul 29 08:37:30 2015
From: bburke at redhat.com (Bill Burke)
Date: Wed, 29 Jul 2015 08:37:30 -0400
Subject: [keycloak-user] Downloads moved!!!
Message-ID: <55B8C90A.1050705@redhat.com> If you can't find 1.4.0 on sf.net/projects/keycloak that is because downloads have been moved to: keycloak.org/downloads Sourceforge has had massive outages and it has not been possible to upload files for weeks now, so all downloads will be from keycloak.org/downloads from now on. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From harshmahey at msn.com Wed Jul 29 09:54:34 2015 From: harshmahey at msn.com (H Mahey) Date: Wed, 29 Jul 2015 07:54:34 -0600 Subject: [keycloak-user] Create User using REST API- 401 Error Message-ID: I am trying to create a user via REST call and I am getting a 401 Unauthorized error. So this is what I am trying to do:
1. Start the Keycloak server
2. Create a realm "test-realm" and assign the manage-users role to it
3. Create user "test-realm-user01" and assign all the roles I could to him.
4. In my Java code, I get a token and then I try to create a user using that token, and it throws 401.
Attached is the code of what I am doing. Please let me know if I am doing anything wrong here. (I understand that we should use the UI for doing all this stuff, but here I am wanting to try this out.) -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150729/8861060b/attachment.html -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: KeyCloakAdminAdapter.java Url: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150729/8861060b/attachment.asc From bburke at redhat.com Wed Jul 29 12:04:21 2015 From: bburke at redhat.com (Bill Burke) Date: Wed, 29 Jul 2015 12:04:21 -0400 Subject: [keycloak-user] Error during LDAP syncing on Keycloak 1.4.0 In-Reply-To: References: Message-ID: <55B8F985.9080901@redhat.com> Marek is on holiday. I know jack about LDAP, sorry. We'll have to wait until Monday to get an answer on this.
On 7/29/2015 5:10 AM, Nair, Rajat wrote:
> Hi,
>
> As part of testing another issue (Distributed Keycloak user sessions using Infinispan), I upgraded my nodes to Keycloak 1.4.0 (grabbed release from here - http://central.maven.org/maven2/org/keycloak/keycloak-server-dist/1.4.0.Final/keycloak-server-dist-1.4.0.Final.tar.gz). I wiped out our Keycloak database and recreated it. After configuring our LDAP server (similar configuration which worked against Keycloak 1.3.1 Final), when we try to sync users we get the following exception -
>
> 2015-07-29 09:00:42,062 ERROR [io.undertow.request] (default task-25) UT005023: Exception handling request to /auth/admin/realms/test/user-federation/instances/3ccbe831-2d9b-4253-8fe7-343d7ead505d/sync: java.lang.RuntimeException: request path: /auth/admin/realms/test/user-federation/instances/3ccbe831-2d9b-4253-8fe7-343d7ead505d/sync
> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:73)
> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
> at java.lang.Thread.run(Unknown Source)
> Caused by: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
> at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
> at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
> at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:59)
> ... 29 more
> Caused by: java.lang.NullPointerException
> at org.keycloak.models.cache.DefaultCacheUserProvider.getUserByUsername(DefaultCacheUserProvider.java:149)
> at org.keycloak.federation.ldap.LDAPFederationProviderFactory$2.run(LDAPFederationProviderFactory.java:294)
> at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:242)
> at org.keycloak.federation.ldap.LDAPFederationProviderFactory.importLdapUsers(LDAPFederationProviderFactory.java:286)
> at org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncImpl(LDAPFederationProviderFactory.java:241)
> at org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncAllUsers(LDAPFederationProviderFactory.java:200)
> at org.keycloak.services.managers.UsersSyncManager.syncAllUsers(UsersSyncManager.java:50)
> at org.keycloak.services.resources.admin.UserFederationProviderResource.syncUsers(UserFederationProviderResource.java:143)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> at java.lang.reflect.Method.invoke(Unknown Source)
> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
> ... 37 more
>
> Could this be a regression?
>
> -- Rajat
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Wed Jul 29 12:05:42 2015 From: bburke at redhat.com (Bill Burke) Date: Wed, 29 Jul 2015 12:05:42 -0400 Subject: [keycloak-user] Create User using REST API- 401 Error In-Reply-To: References: Message-ID: <55B8F9D6.1050509@redhat.com> Does your client have the necessary scope? If it does not, then the token won't have the relevant permissions. On 7/29/2015 9:54 AM, H Mahey wrote:
> I am trying to create a user via REST call and I am getting a 401 Unauthorized error.
> So this is what I am trying to do:
> 1. Start the Keycloak server
> 2. Create a realm "test-realm" and assign the manage-users role to it
> 3. Create user "test-realm-user01" and assign all the roles I could to him.
> 4. In my Java code, I get a token and then I try to create a user using that token, and it throws 401.
>
> Attached is the code of what I am doing.
>
> Please let me know if I am doing anything wrong here.
> (I understand that we should use the UI for doing all this stuff, but here I am wanting to try this out.)
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From mike.hills at sematree.com Wed Jul 29 13:20:16 2015 From: mike.hills at sematree.com (Mike Hills) Date: Wed, 29 Jul 2015 13:20:16 -0400 Subject: [keycloak-user] Keycloak Release 1.4.0 for OPENSHIFT ONLINE Message-ID: Are there instructions for upgrading from 1.3 to 1.4 for OPENSHIFT ONLINE? -- Michael J. Hills Sr. CRM Architect Mobile: 603.475.5093 Email : mike.hills at sematree.com Skype : mhills_sematree -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150729/c6ce3442/attachment.html From stian at redhat.com Wed Jul 29 13:20:43 2015 From: stian at redhat.com (Stian Thorgersen) Date: Wed, 29 Jul 2015 13:20:43 -0400 (EDT) Subject: [keycloak-user] Distributed Keycloak user sessions using Infinispan In-Reply-To: References: <59651412.706872.1438003614393.JavaMail.zimbra@redhat.com> <1045151906.720245.1438004746473.JavaMail.zimbra@redhat.com> <1732913135.720424.1438004774275.JavaMail.zimbra@redhat.com> <1042060711.1068309.1438058940079.JavaMail.zimbra@redhat.com> Message-ID: <966246176.551354.1438190443054.JavaMail.zimbra@redhat.com> I'm away on holiday, Marek can you take a look at this? ----- Original Message ----- > From: "Rajat Nair" > To: "Stian Thorgersen" > Cc: keycloak-user at lists.jboss.org > Sent: Wednesday, 29 July, 2015 2:56:07 PM > Subject: RE: [keycloak-user] Distributed Keycloak user sessions using Infinispan > > Follow up to our discussion - > > I upgraded my nodes to Keycloak 1.4 Final.
Dropped and re-created database > Postgres database (shared between both the nodes) and tested distributed > user session using following commands - > - Fetch access token using following curl from one server > curl --write-out " %{http_code}" -s --request POST --header "Content-Type: > application/x-www-form-urlencoded; charset=UTF-8" --data > "username=user1 at email.com&password=testpassword@&client_id=admin-client&grant_type=password" > "http://test-server-110:8080/auth/realms/test/protocol/openid-connect/token" > > - Validated the token on different server using > curl --write-out " %{http_code}" -s --request GET --header "Content-Type: > application/json" --header "Authorization: Bearer > [ACCESS_TOKEN_FROM_PREVIOUS_CALL]" > "http://test-server-111:8081/auth/realms/test/protocol/openid-connect/userinfo" > > And we get this - {"error":"invalid_grant","error_description":"Token > invalid"} > No more NPE and internal server error. > > If we use the same token and try to fetch user details on server which issued > the token - we get the correct data. (Note - I have confirmed that the token > has not expired) > > > One thing you can try is to make sure user session replication is working > > properly: > > 1. Start two nodes > > 2. Open admin console directly on node 1 - login as admin/admin 3. Open > > admin console directly on node 2 from another machine/browser or use > > incognito mode - login as admin/admin 4. On node 1 go to users -> view all > > -> click on admin -> sessions - > > you should see two sessions 5. On node > > 2 do the same and check you can see two sessions there as well > Now this is where things get strange. I followed the steps described - used 2 > different browsers - and I can see 2 sessions listed! > > Are the process we use to validate the token incorrect? Or is master console > on the web doing something different (like get the data from Postgres > database used by both the nodes). 
> > -- Rajat > > -----Original Message----- > From: Stian Thorgersen [mailto:stian at redhat.com] > Sent: 28 July 2015 10:19 > To: Nair, Rajat > Cc: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Distributed Keycloak user sessions using > Infinispan > > > > ----- Original Message ----- > > From: "Rajat Nair" > > To: "Stian Thorgersen" > > Cc: keycloak-user at lists.jboss.org > > Sent: Monday, 27 July, 2015 7:33:25 PM > > Subject: RE: [keycloak-user] Distributed Keycloak user sessions using > > Infinispan > > > > > Can you send me your standalone-ha.xml and keycloak-server.json? > > Files attached. The service is started like - > > /opt/jboss/keycloak/bin/standalone.sh -c standalone-ha.xml > > -b=test-server-110 > > -bmanagement=test-server-110 -u 230.0.0.4 > > -Djboss.node.name=test-server-110 > > > > > Also, any chance you can try it out with master? I've been testing > > > with that as we're about to do 1.4 release soon > > Glad to give back to the community. Will build and deploy the master > > on my nodes. Will send findings tomorrow. > > > > Regarding a scenario I described earlier - Case 2 1. Start with 1 Node > > down. We bring it back up. We wait for some time so that Infinispan > > can sync. > > 2. Bring down other node. > > 3. Try to get user info using existing token. > > > > Is this a valid use-case? > > Yes - I've tried the same use-case and it works fine every time. One caveat > is that access token can expire, but in this case you should get a 403 > returned, not a NPE exception and 500. > > One thing you can try is to make sure user session replication is working > properly: > > 1. Start two nodes > 2. Open admin console directly on node 1 - login as admin/admin 3. Open admin > console directly on node 2 from another machine/browser or use incognito > mode - login as admin/admin 4. On node 1 go to users -> view all -> click on > admin -> sessions - you should see two sessions 5. 
On node 2 do the same and > check you can see two sessions there as well > > > > > -- Rajat > > > > -----Original Message----- > > From: Stian Thorgersen [mailto:stian at redhat.com] > > Sent: 27 July 2015 19:16 > > To: Nair, Rajat > > Cc: keycloak-user at lists.jboss.org > > Subject: Re: [keycloak-user] Distributed Keycloak user sessions using > > Infinispan > > > > Also, any chance you can try it out with master? I've been testing > > with that as we're about to do 1.4 release soon > > > > ----- Original Message ----- > > > From: "Stian Thorgersen" > > > To: "Rajat Nair" > > > Cc: keycloak-user at lists.jboss.org > > > Sent: Monday, 27 July, 2015 3:45:46 PM > > > Subject: Re: [keycloak-user] Distributed Keycloak user sessions > > > using Infinispan > > > > > > Can you send me your standalone-ha.xml and keycloak-server.json? > > > > > > ----- Original Message ----- > > > > From: "Rajat Nair" > > > > To: "Stian Thorgersen" > > > > Cc: keycloak-user at lists.jboss.org > > > > Sent: Monday, 27 July, 2015 3:41:36 PM > > > > Subject: RE: [keycloak-user] Distributed Keycloak user sessions > > > > using Infinispan > > > > > > > > > Do you have both nodes fully up and running before you kill one node? > > > > Yes. > > > > This is what we tried - > > > > Case 1 > > > > 1. Two node cluster (both running Keycloak engines) - both up and > > > > running. > > > > Configured load balancing using mod_cluster. > > > > 2. Login and get token. > > > > 3. Bring down one node. > > > > 4. Get user info using existing token. This is when we get NPE. > > > > > > > > Case 2 > > > > 1. Start with 1 Node down. We bring it back up. We wait for some > > > > time so that Infinispan can sync. > > > > 2. Bring down other node. > > > > 3. Try to get user info using existing token. Again we see NPE. > > > > > > > > >It's a bug - if session is expired it should return an error > > > > >message, not a NPE (see > > > > >https://issues.jboss.org/browse/KEYCLOAK-1710) > > > > Thanks for tracking this. 
> > > > > > > > -- Rajat > > > > > > > > ----- Original Message ----- > > > > > From: "Rajat Nair" > > > > > To: "Stian Thorgersen" > > > > > Cc: keycloak-user at lists.jboss.org > > > > > Sent: Monday, 27 July, 2015 3:20:27 PM > > > > > Subject: RE: [keycloak-user] Distributed Keycloak user sessions > > > > > using Infinispan > > > > > > > > > > Thanks for quick reply Stian. > > > > > > > > > > > What version? > > > > > We are using Keycloak 1.3.1 Final. > > > > > > > > > > > Did you remember to change userSessions provider to infinispan > > > > > > in keycloak-server.json? > > > > > Yes. We got following in keycloak-server.json - > > > > > "userSessions": { > > > > > "provider": "infinispan" > > > > > } > > > > > > > > > > > Firstly owners="2" should work fine as long as only one node > > > > > > dies and the other remains active. Secondly it should return a > > > > > > NPE, but an error if user session is not found. > > > > > Could you elaborate on your 2nd point? > > > > > > > > Do you have both nodes fully up and running before you kill one node? > > > > > > > > It's a bug - if session is expired it should return an error > > > > message, not a NPE (see > > > > https://issues.jboss.org/browse/KEYCLOAK-1710) > > > > > > > > > > > > > > -- Rajat > > > > > > > > > > -----Original Message----- > > > > > From: Stian Thorgersen [mailto:stian at redhat.com] > > > > > Sent: 27 July 2015 18:07 > > > > > To: Nair, Rajat > > > > > Cc: keycloak-user at lists.jboss.org > > > > > Subject: Re: [keycloak-user] Distributed Keycloak user sessions > > > > > using Infinispan > > > > > > > > > > Did you remember to change userSessions provider to infinispan > > > > > in keycloak-server.json? 
> > > > >
> > > > > ----- Original Message -----
> > > > > > From: "Stian Thorgersen"
> > > > > > To: "Rajat Nair"
> > > > > > Cc: keycloak-user at lists.jboss.org
> > > > > > Sent: Monday, 27 July, 2015 2:24:17 PM
> > > > > > Subject: Re: [keycloak-user] Distributed Keycloak user sessions using Infinispan
> > > > > >
> > > > > > What version?
> > > > > >
> > > > > > Firstly owners="2" should work fine as long as only one node dies and the other remains active. Secondly it should return a NPE, but an error if user session is not found.
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > > From: "Rajat Nair"
> > > > > > > To: keycloak-user at lists.jboss.org
> > > > > > > Sent: Monday, 27 July, 2015 2:03:47 PM
> > > > > > > Subject: [keycloak-user] Distributed Keycloak user sessions using Infinispan
> > > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > I'm in the process of setting up distributed user sessions using Infinispan on my Keycloak cluster. This is the configuration I use -
> > > > > > >
> > > > > > > [XML element tags were stripped by the list archive; only these attribute fragments of the configuration survived]
> > > > > > > jndi-name="java:jboss/infinispan/Keycloak">
> > > > > > > lock-timeout="60000"/>
> > > > > > > owners="1"/>
> > > > > > >
> > > > > > > And in server.logs, I can see my servers communicate -
> > > > > > >
> > > > > > > 2015-07-27 10:27:24,662 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t7) ISPN000310: Starting cluster-wide rebalance for cache users, topology CacheTopology{id=57, rebalanceId=17, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[test-server-110: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[test-server-110: 30, test-server-111: 30]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
> > > > > > >
> > > > > > > 2015-07-27 10:27:24,665 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t10) ISPN000310: Starting cluster-wide rebalance for cache realms, topology CacheTopology{id=57, rebalanceId=17, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[test-server-110: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[test-server-110: 30, test-server-111: 30]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
> > > > > > >
> > > > > > > 2015-07-27 10:27:24,665 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t8) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=57, rebalanceId=17, currentCH=DefaultConsistentHash{ns=80, owners = (1)[test-server-110: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[test-server-110: 40+0, test-server-111: 40+0]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
> > > > > > >
> > > > > > > 2015-07-27 10:27:24,669 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t9) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=56, rebalanceId=17, currentCH=DefaultConsistentHash{ns=80, owners = (1)[test-server-110: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[test-server-110: 40+0, test-server-111: 40+0]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
> > > > > > >
> > > > > > > 2015-07-27 10:27:24,808 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t9) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 57
> > > > > > >
> > > > > > > 2015-07-27 10:27:24,810 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t12) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 56
> > > > > > >
> > > > > > > 2015-07-27 10:27:24,988 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t12) ISPN000336: Finished cluster-wide rebalance for cache realms, topology id = 57
> > > > > > >
> > > > > > > 2015-07-27 10:27:25,530 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t8) ISPN000336: Finished cluster-wide rebalance for cache users, topology id = 57
> > > > > > >
> > > > > > > I can successfully login, get a token and fetch user details with this token.
> > > > > > >
> > > > > > > Problem is, if one of the nodes on the cluster goes down and if we try to reuse a token which was already issued (so the workflow is - user logs in, gets a token, (a node in the cluster goes down) and then fetches user details using the token) - we see an internal server exception. From the logs -
> > > > > > >
> > > > > > > 2015-07-27 10:24:25,714 ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /auth/realms/scaletest/protocol/openid-connect/userinfo: java.lang.RuntimeException: request path: /auth/realms/scaletest/protocol/openid-connect/userinfo
> > > > > > > at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54)
> > > > > > > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> > > > > > > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
> > > > > > > at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
> > > > > > > at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> > > > > > > at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> > > > > > > at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> > > > > > > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > > > > at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> > > > > > > at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> > > > > > > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > > > > at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> > > > > > > at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> > > > > > > at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
> > > > > > > at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
> > > > > > > at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> > > > > > > at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
> > > > > > > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > > > > at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> > > > > > > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > > > > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > > > > at io.undertow.server.handlers.MetricsHandler.handleRequest(MetricsHandler.java:62)
> > > > > > > at io.undertow.servlet.core.MetricsChainHandler.handleRequest(MetricsChainHandler.java:59)
> > > > > > > at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:274)
> > > > > > > at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:253)
> > > > > > > at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
> > > > > > > at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
> > > > > > > at io.undertow.server.Connectors.executeRootHandler(Connectors.
> > > > > > > ja > > > > > > > va:1 > > > > > > > 99 > > > > > > > ) > > > > > > > > > > > > > > at > > > > > > > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java: > > > > > > > 774) > > > > > > > > > > > > > > at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown > > > > > > > Source) > > > > > > > > > > > > > > at > > > > > > > java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown > > > > > > > Source) > > > > > > > > > > > > > > at java.lang.Thread.run(Unknown Source) > > > > > > > > > > > > > > Caused by: org.jboss.resteasy.spi.UnhandledException: > > > > > > > java.lang.NullPointerException > > > > > > > > > > > > > > at > > > > > > > org.jboss.resteasy.core.ExceptionHandler.handleApplicationEx > > > > > > > ce > > > > > > > ptio > > > > > > > n( > > > > > > > ExceptionHandler.java:76) > > > > > > > > > > > > > > at > > > > > > > org.jboss.resteasy.core.ExceptionHandler.handleException(Exc > > > > > > > ep > > > > > > > tion > > > > > > > Ha > > > > > > > ndler.java:212) > > > > > > > > > > > > > > at > > > > > > > org.jboss.resteasy.core.SynchronousDispatcher.writeException > > > > > > > (S > > > > > > > ynch > > > > > > > ro > > > > > > > nousDispatcher.java:149) > > > > > > > > > > > > > > at > > > > > > > org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro > > > > > > > no > > > > > > > usDi > > > > > > > sp > > > > > > > atcher.java:372) > > > > > > > > > > > > > > at > > > > > > > org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro > > > > > > > no > > > > > > > usDi > > > > > > > sp > > > > > > > atcher.java:179) > > > > > > > > > > > > > > at > > > > > > > org.jboss.resteasy.plugins.server.servlet.ServletContainerDi > > > > > > > sp > > > > > > > atch > > > > > > > er > > > > > > > .service(ServletContainerDispatcher.java:220) > > > > > > > > > > > > > > at > > > > > > > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc > > > > > > > he > > > > > > > r.se > > > > > > > rv > > > > > > > 
ice(HttpServletDispatcher.java:56) > > > > > > > > > > > > > > at > > > > > > > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc > > > > > > > he > > > > > > > r.se > > > > > > > rv > > > > > > > ice(HttpServletDispatcher.java:51) > > > > > > > > > > > > > > at > > > > > > > javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > > > > > > > > > > > > > > at > > > > > > > io.undertow.servlet.handlers.ServletHandler.handleRequest(Se > > > > > > > rv > > > > > > > letH > > > > > > > an > > > > > > > dler.java:86) > > > > > > > > > > > > > > at > > > > > > > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d > > > > > > > oF > > > > > > > ilte > > > > > > > r( > > > > > > > FilterHandler.java:130) > > > > > > > > > > > > > > at > > > > > > > org.keycloak.services.filters.ClientConnectionFilter.doFilte > > > > > > > r( > > > > > > > Clie > > > > > > > nt > > > > > > > ConnectionFilter.java:41) > > > > > > > > > > > > > > at > > > > > > > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter. > > > > > > > java > > > > > > > :6 > > > > > > > 0) > > > > > > > > > > > > > > at > > > > > > > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d > > > > > > > oF > > > > > > > ilte > > > > > > > r( > > > > > > > FilterHandler.java:132) > > > > > > > > > > > > > > at > > > > > > > org.keycloak.services.filters.KeycloakSessionServletFilter.d > > > > > > > oF > > > > > > > ilte > > > > > > > r( > > > > > > > KeycloakSessionServletFilter.java:40) > > > > > > > > > > > > > > ... 
31 more > > > > > > > > > > > > > > Caused by: java.lang.NullPointerException > > > > > > > > > > > > > > at > > > > > > > org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.issueU > > > > > > > se > > > > > > > rInf > > > > > > > o( > > > > > > > UserInfoEndpoint.java:128) > > > > > > > > > > > > > > at > > > > > > > org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.issueU > > > > > > > se > > > > > > > rInf > > > > > > > oG > > > > > > > et(UserInfoEndpoint.java:101) > > > > > > > > > > > > > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native > > > > > > > Method) > > > > > > > > > > > > > > at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown > > > > > > > Source) > > > > > > > > > > > > > > at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown > > > > > > > Source) > > > > > > > > > > > > > > at java.lang.reflect.Method.invoke(Unknown Source) > > > > > > > > > > > > > > at > > > > > > > org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInje > > > > > > > ct > > > > > > > orIm > > > > > > > pl > > > > > > > .java:137) > > > > > > > > > > > > > > at > > > > > > > org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget > > > > > > > (R > > > > > > > esou > > > > > > > rc > > > > > > > eMethodInvoker.java:296) > > > > > > > > > > > > > > at > > > > > > > org.jboss.resteasy.core.ResourceMethodInvoker.invoke(Resourc > > > > > > > eM > > > > > > > etho > > > > > > > dI > > > > > > > nvoker.java:250) > > > > > > > > > > > > > > at > > > > > > > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge > > > > > > > tO > > > > > > > bjec > > > > > > > t( > > > > > > > ResourceLocatorInvoker.java:140) > > > > > > > > > > > > > > at > > > > > > > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour > > > > > > > ce > > > > > > > Loca > > > > > > > to > > > > > > > rInvoker.java:109) > > > > > > > > > > > > > > at > > > > > > > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge > > > > > > > tO > > > > > > > bjec > > > > 
> > > t( > > > > > > > ResourceLocatorInvoker.java:135) > > > > > > > > > > > > > > at > > > > > > > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour > > > > > > > ce > > > > > > > Loca > > > > > > > to > > > > > > > rInvoker.java:103) > > > > > > > > > > > > > > at > > > > > > > org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro > > > > > > > no > > > > > > > usDi > > > > > > > sp > > > > > > > atcher.java:356) > > > > > > > > > > > > > > ... 42 more > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > The user guide says ? > > > > > > > > > > > > > > If you need to prevent node failures from requiring users to > > > > > > > log in again, set the owners attribute to 2 or more for the > > > > > > > sessions cache > > > > > > > > > > > > > > > > > > > > > > > > > > > > Questions - > > > > > > > > > > > > > > 1. Have we configured Infinispan incorrectly? We don?t want > > > > > > > the users to login again if any of the nodes in the cluster > > > > > > > go down. > > > > > > > > > > > > > > 2. Will changing distributed-cache to replicated-cache help > > > > > > > in this scenario? > > > > > > > > > > > > > > 3. Any way we can see the contents of the cache? 
> > > > > > >
> > > > > > > -- Rajat

From mike.hills at sematree.com Wed Jul 29 13:34:33 2015
From: mike.hills at sematree.com (Mike Hills)
Date: Wed, 29 Jul 2015 13:34:33 -0400
Subject: [keycloak-user] Customer Properties in Registration Page
Message-ID:

Is there a way to validate a "custom" property? My use case is that I am registering a customer for a portal application. I want to validate the entered customer # (custom property) against a table that maps the email address with a customer. This validation must pass in order to allow a user to be registered.

Thank you

--
Michael J. Hills
Sr. CRM Architect
Mobile: 603.475.5093
Email : mike.hills at sematree.com
Skype : mhills_sematree

From bburke at redhat.com Thu Jul 30 08:29:52 2015
From: bburke at redhat.com (Bill Burke)
Date: Thu, 30 Jul 2015 08:29:52 -0400
Subject: [keycloak-user] Customer Properties in Registration Page
In-Reply-To:
References:
Message-ID: <55BA18C0.7060007@redhat.com>

The SPI is there to do it, but we have not published it yet. You'll have to dig down into the code. Relevant classes are DefaultAuthenticationFlows, and everything in the org.keycloak.authentication.forms package. We want to make sure the SPI actually works and to improve it a little before making it public in 1.5.
On 7/29/2015 1:34 PM, Mike Hills wrote:
> Is there a way to validate a "custom" property? My use case is that I am
> registering a customer for a portal application. I want to validate the
> entered customer # (custom property) against a table that maps the email
> address with a customer. This validation must pass in order to allow a
> user to be registered.
>
> Thank you
>
> --
> Michael J. Hills
> Sr. CRM Architect
>
> Mobile: 603.475.5093
> Email : mike.hills at sematree.com
> Skype : mhills_sematree
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From kevin.thorpe at p-i.net Fri Jul 31 05:23:26 2015
From: kevin.thorpe at p-i.net (Kevin Thorpe)
Date: Fri, 31 Jul 2015 10:23:26 +0100
Subject: [keycloak-user] Having trouble with LDAP attribute mapping in 1.3.1
In-Reply-To:
References: <5583DDCA.10607@redhat.com> <55840FFF.7080208@redhat.com> <55842599.8000301@redhat.com> <5588118F.6090307@redhat.com>
Message-ID:

Sorry to bother you but where has the user federation mapper option gone in 1.4.0.final? IIRC there was a page user federation > my_ldap > mapper to map LDAP attributes to keycloak user attributes. I can't find it now at all.

*Kevin Thorpe*
CTO

www.p-i.net | @PI_150

M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635
150 Buckingham Palace Road, London, SW1W 9TR, UK

_____________________________

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.
Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

*"SAVE PAPER - THINK BEFORE YOU PRINT!" *

On 22 June 2015 at 14:49, Kevin Thorpe wrote:
> Brilliant, I'm waiting for it so yes I'd like to try as soon as available.
>
> *Kevin Thorpe*
> CTO
>
> On 22 June 2015 at 14:45, Marek Posolda wrote:
>
>> Thanks for the info Kevin. I've also created
>> https://issues.jboss.org/browse/KEYCLOAK-1490 for the sync issue. Will
>> try to address both issues for the next release. Will let you know once
>> it's fixed in master if you want to try it before the next release is out.
>>
>> Marek
>>
>> On 19.6.2015 at 17:45, Kevin Thorpe wrote:
>>
>> I agree with you on the delimiter option. That wouldn't require any
>> database changes.
For the small
>> attribute applications I could wrap into a delimited string but we have
>> some others for fine grained
>> permissions/roles that can be dozens of already delimited strings. Roles
>> in particular are:
>> application|role|path/that/role/represents
>> I know it's very common to have multi-attributes in LDAP anyway so this
>> will affect others.
>>
>> JIRA: https://issues.jboss.org/browse/KEYCLOAK-1487
>>
>> *Kevin Thorpe *
>> CTO
>>
>> On 19 June 2015 at 15:22, Marek Posolda wrote:
>>
>>> Ouch, this is a bug :-(
>>>
>>> Feel free to create JIRA.
>>>
>>> The UserModel in Keycloak DB has each attribute modelled as one string
>>> value. But I think I can address it with the usage of some delimiter and
>>> then for access token has the protocol mapper, which will handle it.
>>> >>> So for example if your LDAP user has 3 values of attribute >>> "applications" with values "finance", "sales", "development", the attribute >>> on the Keycloak UserModel will have value like >>> "finance###sales###development" (The sequence ### will be used as >>> delimiter), but for the access token it will be divided again. So in your >>> application, you will have possibility to have something like: >>> >>> Set applications = >>> accessToken.getOtherClaims().getAttribute("applications"); >>> >>> which will return set with 3 values "finance", "sales", "development". >>> >>> Marek >>> >>> >>> On 19.6.2015 15:22, Kevin Thorpe wrote: >>> >>> Ok, I think I understand. I tried 'sync all users' and got an error. Is >>> this because applications is a multiple >>> attribute? Obviously I will probably have access to more than one >>> application. In the meantime I'll try a brand >>> new user and see if that works. >>> >>> Log shows: >>> >>> 2015-06-19 14:19:26,361 INFO >>> [org.keycloak.federation.ldap.LDAPFederationProviderFactory] (default >>> task-2) Sync all users from LDAP to local store: realm: master, federation >>> provider: PI ordinary users >>> 2015-06-19 14:19:26,611 ERROR [io.undertow.request] (default task-2) >>> UT005023: Exception handling request to >>> /auth/admin/realms/master/user-federation/instances/141db483-1f5c-412f-acbb-0ea642015798/sync: >>> java.lang.RuntimeException: request path: >>> /auth/admin/realms/master/user-federation/instances/141db483-1f5c-412f-acbb-0ea642015798/sync >>> at >>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54) >>> at >>> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) >>> at >>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) >>> at >>> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) >>> at >>> 
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) >>> at >>> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) >>> at >>> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >>> at >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> at >>> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) >>> at >>> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >>> at >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> at >>> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) >>> at >>> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >>> at >>> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) >>> at >>> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72) >>> at >>> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) >>> at >>> io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) >>> at >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> at >>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >>> at >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> at >>> 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> at >>> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:274) >>> at >>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:253) >>> at >>> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80) >>> at >>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172) >>> at >>> io.undertow.server.Connectors.executeRootHandler(Connectors.java:199) >>> at >>> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774) >>> at >>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >>> at >>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >>> at java.lang.Thread.run(Thread.java:745) >>> Caused by: org.jboss.resteasy.spi.UnhandledException: >>> java.lang.ClassCastException: java.util.TreeSet cannot be cast to >>> java.lang.String >>> at >>> org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) >>> at >>> org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) >>> at >>> org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149) >>> at >>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372) >>> at >>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) >>> at >>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) >>> at >>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) >>> at >>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) >>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >>> at >>> 
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86) >>> at >>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) >>> at >>> org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41) >>> at >>> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) >>> at >>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) >>> at >>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40) >>> ... 29 more >>> Caused by: java.lang.ClassCastException: java.util.TreeSet cannot be >>> cast to java.lang.String >>> at >>> org.keycloak.federation.ldap.mappers.UserAttributeLDAPFederationMapper.onImportUserFromLDAP(UserAttributeLDAPFederationMapper.java:60) >>> at >>> org.keycloak.federation.ldap.LDAPFederationProvider.importLDAPUsers(LDAPFederationProvider.java:404) >>> at >>> org.keycloak.federation.ldap.LDAPFederationProviderFactory.importLdapUsers(LDAPFederationProviderFactory.java:269) >>> at >>> org.keycloak.federation.ldap.LDAPFederationProviderFactory$1.run(LDAPFederationProviderFactory.java:223) >>> at >>> org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:241) >>> at >>> org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncImpl(LDAPFederationProviderFactory.java:219) >>> at >>> org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncAllUsers(LDAPFederationProviderFactory.java:177) >>> at >>> org.keycloak.services.managers.UsersSyncManager.syncAllUsers(UsersSyncManager.java:50) >>> at >>> org.keycloak.services.resources.admin.UserFederationProviderResource.syncUsers(UserFederationProviderResource.java:144) >>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >>> at >>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) >>> at >>> 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>> at java.lang.reflect.Method.invoke(Method.java:497)
>>> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
>>> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
>>> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
>>> ... 40 more
>>>
>>> *Kevin Thorpe *
>>> CTO
>>>
>>> On 19 June 2015 at 13:50, Marek Posolda wrote:
>>>
>>>> Thanks for the info. Now I think I know what's going on.
>>>>
>>>> The issue is that currently when we import users from LDAP (federation
>>>> in general), we sync the configured attributes to the Keycloak DB. But
>>>> during searching, we don't sync the attributes from LDAP to Keycloak DB
>>>> anymore. So I guess you did the steps like this:
>>>> - You first authenticate as LDAP user "joe" (or search this user from
>>>> admin console), which imported this user into Keycloak DB
>>>> - Then you created mapper for the 'applications' attribute. But user
>>>> 'joe' was already imported into Keycloak DB from the previous step, right?
>>>>
>>>> I believe that when you import some other user from LDAP, which does not
>>>> yet exist in Keycloak DB, the 'applications' attribute will be there. For
>>>> the existing user, the only possibility right now is to use "Synchronize
>>>> all users" or "Synchronize changed users" on LDAP federation screen. This
>>>> will update existing users into Keycloak DB as well, so 'joe' will be
>>>> updated.
>>>>
>>>> Please let me know if it helps. Looks like it's something we should
>>>> address better in Keycloak.
>>>>
>>>> Marek
>>>>
>>>>
>>>> On 19.6.2015 11:56, Kevin Thorpe wrote:
>>>>
>>>> I had a hunch so I added a record in USER_ATTRIBUTE for applications
>>>> and it is getting passed
>>>> in the JWT claims now. That squarely points at the ldap federation part.
>>>>
>>>> *Kevin Thorpe *
>>>> CTO
>>>>
>>>> On 19 June 2015 at 10:42, Kevin Thorpe wrote:
>>>>
>>>>> Hi Marek, thanks for the quick reply.
>>>>>
>>>>> 1. I am definitely sure that the attributes I need are in the LDAP
>>>>> record.
>>>>>
>>>>> 2. adding trace to federation.ldap shows my mapped attributes being
>>>>> read
>>>>>
>>>>> 3. there is no USER_ATTRIBUTES table I'm assuming you meant
>>>>> USER_ATTRIBUTE but it doesn't have my attributes.
>>>>> it does have a reference to my LDAP_ID so i8t looks like it should >>>>> be here >>>>> >>>>> MariaDB [keycloak]> select * from USER_ATTRIBUTE; >>>>> >>>>> +---------+-------------------------------------+--------------------------------------+ >>>>> | NAME | VALUE | USER_ID >>>>> | >>>>> >>>>> +---------+-------------------------------------+--------------------------------------+ >>>>> | LDAP_ID | 7fc89601-96e711e2-a5a7b2a9-738d4470 | >>>>> 471f0b4f-cb7c-4610-b3d6-ddd3a18e9986 | >>>>> | LDAP_ID | 3245fc81-55c211e2-a5a7b2a9-738d4470 | >>>>> 6d64f5a2-d356-4ab6-9b4d-3f89a3ee38c4 | >>>>> >>>>> +---------+-------------------------------------+--------------------------------------+ >>>>> >>>>> thanks for your time on this >>>>> >>>>> >>>>> *Kevin Thorpe * >>>>> CTO >>>>> >>>>> >>>>> >>>>> www.p-i.net | @PI_150 >>>>> >>>>> M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 >>>>> 2635 >>>>> 150 Buckingham Palace Road, London, SW1W 9TR, UK >>>>> >>>>> >>>>> _____________________________ >>>>> >>>>> This email and any files transmitted with it are confidential and >>>>> intended solely for the use of the individual or entity to whom they are >>>>> addressed. If you have received this email in error please notify the >>>>> system manager. This message contains confidential information and is >>>>> intended only for the individual named. If you are not the named addressee >>>>> you should not disseminate, distribute or copy this e-mail. Please notify >>>>> the sender immediately by e-mail if you have received this e-mail by >>>>> mistake and delete this e-mail from your system. If you are not the >>>>> intended recipient you are notified that disclosing, copying, distributing >>>>> or taking any action in reliance on the contents of this information is >>>>> strictly prohibited. >>>>> >>>>> *"SAVE PAPER - THINK BEFORE YOU PRINT!" 
* >>>>> >>>>> On 19 June 2015 at 10:15, Marek Posolda wrote: >>>>> >>>>>> There are a few steps here and the result will work only if all steps >>>>>> succeed. So it might help to try which step could be wrong here: >>>>>> >>>>>> 1) You can double-check if your user really has 'applications' >>>>>> attribute in LDAP >>>>>> >>>>>> 2) If (1) is ok, you can enable TRACE logging for >>>>>> "org.keycloak.federation.ldap" category in standalone.xml . With it, you >>>>>> should see some trace messages with the names and values of all LDAP >>>>>> attributes, which are loaded in user record. You should see the >>>>>> 'applications' attribute loaded >>>>>> >>>>>> 3) If (2) is ok, you can browse keycloak database and check if >>>>>> attribute 'applications' is really here. The user attributes are saved in >>>>>> table USER_ATTRIBUTES. Currently it's not possible to browse user >>>>>> attributes generically in admin console (unless you do custom theme) so >>>>>> browse DB seems to be the only possibility. >>>>>> >>>>>> 4) If (3) is ok, the issue is not in LDAP interaction, but in >>>>>> protocol mapper configuration. Make sure you use correct protocol mapper >>>>>> (In your case it should be "User attributes" mapper, not "User property" >>>>>> mapper). Also if your application is Java based, the value of >>>>>> 'applications' claim is saved in accessToken in 'otherClaims' map and can >>>>>> be retrieved with something like: >>>>>> accessToken.getOtherClaims().get("applications"); >>>>>> >>>>>> Marek >>>>>> >>>>>> >>>>>> >>>>>> On 18.6.2015 17:50, Kevin Thorpe wrote: >>>>>> >>>>>> Thanks to the team for 1.3.1. We were eagerly waiting for that to add >>>>>> LDAP attribute mappings which I see has now been done. Unfortunately I >>>>>> can't seem to get it to work. >>>>>> >>>>>> I have added a user attribute mapper to my ldap federation. This maps >>>>>> the LDAP attribute 'applications' which exists on my LDAP user record to >>>>>> 'applications' in Keycloak. 
>>>>>> >>>>>> I have also added a user attribute token mapper to my Keycloak client >>>>>> definition to map user attribute 'applications' to token claim >>>>>> 'applications'. I've also asked to add to both id and access token. >>>>>> >>>>>> However this attribute is not present in either the ID or access >>>>>> token when testing. Is there something I've missed? >>>>>> >>>>>> Something that may be an issue though is that I'm using a home >>>>>> written openid-connect Lua client based on your javascript one. This uses >>>>>> the endpoint /auth/realms/master/protocol/openid-connect/token. Is it that >>>>>> the openid-connect endpoint doesn't support these attributes yet? >>>>>> >>>>>> >>>>>> *Kevin Thorpe * >>>>>> CTO, PI ltd >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> >>>>>> >>>>>> >>>>> >>>> >>>> >>> >>> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150731/ac637264/attachment-0001.html 
From rajat.nair at hp.com Fri Jul 31 05:32:31 2015 From: rajat.nair at hp.com (Nair, Rajat) Date: Fri, 31 Jul 2015 09:32:31 +0000 Subject: [keycloak-user] Having trouble with LDAP attribute Message-ID: > Sorry to bother you but where has the user federation mapper option gone in > 1.4.0.final? > IIRC there was a page user federation > my_ldap > mapper to map LDAP > attributes to > keycloak user attributes. I can't find it now at all. We are using Keycloak 1.4 and we can see Mapper tab, under our LDAP settings, inside User Federation section. Note - Mapper tab is displayed only after LDAP settings are saved. Hope this helps. -- Rajat -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150731/8d1ee8d5/attachment.html From kevin.thorpe at p-i.net Fri Jul 31 05:35:45 2015 From: kevin.thorpe at p-i.net (Kevin Thorpe) Date: Fri, 31 Jul 2015 10:35:45 +0100 Subject: [keycloak-user] Having trouble with LDAP attribute In-Reply-To: References: Message-ID: Ah, no my bad. Was still running the old 1.2.0 version on the server. I didn't know about JBOSS_HOME in /etc/sysconfig *Kevin Thorpe* CTO www.p-i.net | @PI_150 M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635 150 Buckingham Palace Road, London, SW1W 9TR, UK _____________________________ This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. *"SAVE PAPER - THINK BEFORE YOU PRINT!" * On 31 July 2015 at 10:32, Nair, Rajat wrote: > > Sorry to bother you but where has the user federation mapper option gone > in > > > 1.4.0.final? > > > > > IIRC there was a page user federation > my_ldap > mapper to map LDAP > > > attributes to > > > keycloak user attributes. I can't find it now at all. > > > > We are using Keycloak 1.4 and we can see Mapper tab, under our LDAP > settings, inside User Federation section. > > > > Note - Mapper tab is displayed only after LDAP settings are saved. > > > > Hope this helps. 
> > > > -- Rajat > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150731/1c5de2e9/attachment.html From kevin.thorpe at p-i.net Fri Jul 31 06:46:43 2015 From: kevin.thorpe at p-i.net (Kevin Thorpe) Date: Fri, 31 Jul 2015 11:46:43 +0100 Subject: [keycloak-user] Having trouble with LDAP attribute mapping in 1.3.1 In-Reply-To: References: <5583DDCA.10607@redhat.com> <55840FFF.7080208@redhat.com> <55842599.8000301@redhat.com> <5588118F.6090307@redhat.com> Message-ID: Hi Marek, thank you and your colleagues very much for working on the LDAP mapping for us. Works like a charm. This was holding us up so we're very grateful that it was accomplished so quickly. *Kevin Thorpe* CTO www.p-i.net | @PI_150 M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635 150 Buckingham Palace Road, London, SW1W 9TR, UK _____________________________ This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. 
If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. *"SAVE PAPER - THINK BEFORE YOU PRINT!" * On 31 July 2015 at 10:23, Kevin Thorpe wrote: > Sorry to bother you but where has the user federation mapper option gone > in 1.4.0.final? > > IIRC there was a page user federation > my_ldap > mapper to map LDAP > attributes to > keycloak user attributes. I can't find it now at all. > > > *Kevin Thorpe* > CTO > > > > www.p-i.net | @PI_150 > > M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635 > 150 Buckingham Palace Road, London, SW1W 9TR, UK > > > _____________________________ > > *"SAVE PAPER - THINK BEFORE YOU PRINT!" * > > On 22 June 2015 at 14:49, Kevin Thorpe wrote: > >> Brilliant, I'm waiting for it so yes I'd like to try as soon as available. 
>> >> >> >> *Kevin Thorpe* >> CTO >> >> >> >> www.p-i.net | @PI_150 >> >> M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635 >> 150 Buckingham Palace Road, London, SW1W 9TR, UK >> >> >> _____________________________ >> >> *"SAVE PAPER - THINK BEFORE YOU PRINT!" * >> >> On 22 June 2015 at 14:45, Marek Posolda wrote: >> >>> Thanks for the info Kevin. I've also created >>> https://issues.jboss.org/browse/KEYCLOAK-1490 for the sync issue. Will >>> try to address both issues for the next release. Will let you know once >>> it's fixed in master if you want to try it before the next release is out. >>> >>> Marek >>> >>> On 19.6.2015 at 17:45, Kevin Thorpe wrote: >>> >>> I agree with you on the delimiter option. That wouldn't require any >>> database changes. For the small >>> attribute applications I could wrap into a delimited string but we have >>> some others for fine grained >>> permissions/roles that can be dozens of already delimited strings. Roles >>> in particular are: >>> application|role|path/that/role/represents >>> I know it's very common to have multi-attributes in LDAP anyway so this >>> will affect others. 
>>> >>> JIRA: https://issues.jboss.org/browse/KEYCLOAK-1487 >>> >>> >>> >>> *Kevin Thorpe * >>> CTO >>> >>> >>> >>> www.p-i.net | @PI_150 >>> >>> M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635 >>> 150 Buckingham Palace Road, London, SW1W 9TR, UK >>> >>> >>> _____________________________ >>> >>> *"SAVE PAPER - THINK BEFORE YOU PRINT!" * >>> >>> On 19 June 2015 at 15:22, Marek Posolda wrote: >>> >>>> Ouch, this is a bug :-( >>>> >>>> Feel free to create JIRA. >>>> >>>> The UserModel in Keycloak DB has each attribute modelled as one string >>>> value. But I think I can address it with the usage of some delimiter and >>>> then for access token has the protocol mapper, which will handle it. >>>> >>>> So for example if your LDAP user has 3 values of attribute >>>> "applications" with values "finance", "sales", "development", the attribute >>>> on the Keycloak UserModel will have value like >>>> "finance###sales###development" (The sequence ### will be used as >>>> delimiter), but for the access token it will be divided again. 
So in your >>>> application, you will have possibility to have something like: >>>> >>>> Set applications = >>>> accessToken.getOtherClaims().getAttribute("applications"); >>>> >>>> which will return set with 3 values "finance", "sales", "development". >>>> >>>> Marek >>>> >>>> >>>> On 19.6.2015 15:22, Kevin Thorpe wrote: >>>> >>>> Ok, I think I understand. I tried 'sync all users' and got an error. Is >>>> this because applications is a multiple >>>> attribute? Obviously I will probably have access to more than one >>>> application. In the meantime I'll try a brand >>>> new user and see if that works. >>>> >>>> Log shows: >>>> >>>> 2015-06-19 14:19:26,361 INFO >>>> [org.keycloak.federation.ldap.LDAPFederationProviderFactory] (default >>>> task-2) Sync all users from LDAP to local store: realm: master, federation >>>> provider: PI ordinary users >>>> 2015-06-19 14:19:26,611 ERROR [io.undertow.request] (default task-2) >>>> UT005023: Exception handling request to >>>> /auth/admin/realms/master/user-federation/instances/141db483-1f5c-412f-acbb-0ea642015798/sync: >>>> java.lang.RuntimeException: request path: >>>> /auth/admin/realms/master/user-federation/instances/141db483-1f5c-412f-acbb-0ea642015798/sync >>>> at >>>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54) >>>> at >>>> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) >>>> at >>>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) >>>> at >>>> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) >>>> at >>>> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) >>>> at >>>> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) >>>> at >>>> 
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >>>> at >>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>> at >>>> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) >>>> at >>>> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >>>> at >>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>> at >>>> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) >>>> at >>>> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >>>> at >>>> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) >>>> at >>>> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72) >>>> at >>>> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) >>>> at >>>> io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) >>>> at >>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>> at >>>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >>>> at >>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>> at >>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>> at >>>> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:274) >>>> at >>>> 
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:253) >>>> at >>>> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80) >>>> at >>>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172) >>>> at >>>> io.undertow.server.Connectors.executeRootHandler(Connectors.java:199) >>>> at >>>> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774) >>>> at >>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >>>> at >>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >>>> at java.lang.Thread.run(Thread.java:745) >>>> Caused by: org.jboss.resteasy.spi.UnhandledException: >>>> java.lang.ClassCastException: java.util.TreeSet cannot be cast to >>>> java.lang.String >>>> at >>>> org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) >>>> at >>>> org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) >>>> at >>>> org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149) >>>> at >>>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372) >>>> at >>>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) >>>> at >>>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) >>>> at >>>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) >>>> at >>>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) >>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >>>> at >>>> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86) >>>> at >>>> 
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) >>>> at >>>> org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41) >>>> at >>>> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) >>>> at >>>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) >>>> at >>>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40) >>>> ... 29 more >>>> Caused by: java.lang.ClassCastException: java.util.TreeSet cannot be >>>> cast to java.lang.String >>>> at >>>> org.keycloak.federation.ldap.mappers.UserAttributeLDAPFederationMapper.onImportUserFromLDAP(UserAttributeLDAPFederationMapper.java:60) >>>> at >>>> org.keycloak.federation.ldap.LDAPFederationProvider.importLDAPUsers(LDAPFederationProvider.java:404) >>>> at >>>> org.keycloak.federation.ldap.LDAPFederationProviderFactory.importLdapUsers(LDAPFederationProviderFactory.java:269) >>>> at >>>> org.keycloak.federation.ldap.LDAPFederationProviderFactory$1.run(LDAPFederationProviderFactory.java:223) >>>> at >>>> org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:241) >>>> at >>>> org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncImpl(LDAPFederationProviderFactory.java:219) >>>> at >>>> org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncAllUsers(LDAPFederationProviderFactory.java:177) >>>> at >>>> org.keycloak.services.managers.UsersSyncManager.syncAllUsers(UsersSyncManager.java:50) >>>> at >>>> org.keycloak.services.resources.admin.UserFederationProviderResource.syncUsers(UserFederationProviderResource.java:144) >>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >>>> at >>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) >>>> at >>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) >>>> at 
java.lang.reflect.Method.invoke(Method.java:497) >>>> at >>>> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) >>>> at >>>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) >>>> at >>>> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) >>>> at >>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) >>>> at >>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109) >>>> at >>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135) >>>> at >>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109) >>>> at >>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135) >>>> at >>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109) >>>> at >>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135) >>>> at >>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) >>>> at >>>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) >>>> ... 40 more >>>> >>>> >>>> >>>> *Kevin Thorpe * >>>> CTO >>>> >>>> >>>> >>>> www.p-i.net | @PI_150 >>>> >>>> M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635 >>>> 150 Buckingham Palace Road, London, SW1W 9TR, UK >>>> >>>> >>>> _____________________________ >>>> >>>> This email and any files transmitted with it are confidential and >>>> intended solely for the use of the individual or entity to whom they are >>>> addressed. If you have received this email in error please notify the >>>> system manager. This message contains confidential information and is >>>> intended only for the individual named. 
If you are not the named addressee >>>> you should not disseminate, distribute or copy this e-mail. Please notify >>>> the sender immediately by e-mail if you have received this e-mail by >>>> mistake and delete this e-mail from your system. If you are not the >>>> intended recipient you are notified that disclosing, copying, distributing >>>> or taking any action in reliance on the contents of this information is >>>> strictly prohibited. >>>> >>>> *"SAVE PAPER - THINK BEFORE YOU PRINT!" * >>>> >>>> On 19 June 2015 at 13:50, Marek Posolda wrote: >>>> >>>>> Thanks for the info. Now I think I know what's going on. >>>>> >>>>> The issue is that currently when we import users from LDAP (federation >>>>> in general), we sync the configured attributes to the Keycloak DB. But >>>>> during searching, we don't sync the attributes from LDAP to Keycloak DB >>>>> anymore. So I guess you did the steps like this: >>>>> - You first authenticate as LDAP user "joe" (or search this user from >>>>> admin console), which imported this user into Keycloak DB >>>>> - Then you created mapper for the 'applications' attribute. But user >>>>> 'joe' was already imported into Keycloak DB from the previous step, right? >>>>> >>>>> I believe that when you import some other user from LDAP, which is not >>>>> yet exist in Keycloak DB, the 'applications' attribute will be there. For >>>>> the existing user, the only possibility right now is to use "Synchronize >>>>> all users" or "Synchronize changed users" on LDAP federation screen. This >>>>> will update existing users into Keycloak DB as well, so 'joe' will be >>>>> updated. >>>>> >>>>> Please let me know if it helps. Looks that it's something we should >>>>> address better in Keycloak. >>>>> >>>>> Marek >>>>> >>>>> >>>>> On 19.6.2015 11:56, Kevin Thorpe wrote: >>>>> >>>>> I had a hunch so I added a record in USER_ATTRIBUTE for applications >>>>> and it is getting passed >>>>> in the JWT claims now. 
>>>>> That squarely points at the ldap federation >>>>> part. >>>>> >>>>> >>>>> *Kevin Thorpe * >>>>> CTO >>>>> >>>>> >>>>> >>>>> www.p-i.net | @PI_150 >>>>> >>>>> M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 >>>>> 2635 >>>>> 150 Buckingham Palace Road, London, SW1W 9TR, UK >>>>> >>>>> >>>>> _____________________________ >>>>> >>>>> *"SAVE PAPER - THINK BEFORE YOU PRINT!" * >>>>> >>>>> On 19 June 2015 at 10:42, Kevin Thorpe wrote: >>>>> >>>>>> Hi Marek, thanks for the quick reply. >>>>>> >>>>>> 1. I am definitely sure that the attributes I need are in the LDAP >>>>>> record. >>>>>> >>>>>> 2. adding trace to federation.ldap shows my mapped attributes being >>>>>> read >>>>>> >>>>>> 3. there is no USER_ATTRIBUTES table I'm assuming you meant >>>>>> USER_ATTRIBUTE but it doesn't have my attributes. 
>>>>>> it does have a reference to my LDAP_ID so it looks like it should >>>>>> be here >>>>>> >>>>>> MariaDB [keycloak]> select * from USER_ATTRIBUTE; >>>>>> >>>>>> +---------+-------------------------------------+--------------------------------------+ >>>>>> | NAME | VALUE | USER_ID >>>>>> | >>>>>> >>>>>> +---------+-------------------------------------+--------------------------------------+ >>>>>> | LDAP_ID | 7fc89601-96e711e2-a5a7b2a9-738d4470 | >>>>>> 471f0b4f-cb7c-4610-b3d6-ddd3a18e9986 | >>>>>> | LDAP_ID | 3245fc81-55c211e2-a5a7b2a9-738d4470 | >>>>>> 6d64f5a2-d356-4ab6-9b4d-3f89a3ee38c4 | >>>>>> >>>>>> +---------+-------------------------------------+--------------------------------------+ >>>>>> >>>>>> thanks for your time on this >>>>>> >>>>>> >>>>>> *Kevin Thorpe * >>>>>> CTO >>>>>> >>>>>> >>>>>> >>>>>> www.p-i.net | @PI_150 >>>>>> >>>>>> M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 >>>>>> 2635 >>>>>> 150 Buckingham Palace Road, London, SW1W 9TR, UK >>>>>> >>>>>> >>>>>> _____________________________ >>>>>> >>>>>> *"SAVE PAPER - THINK BEFORE YOU PRINT!" 
* >>>>>> >>>>>> On 19 June 2015 at 10:15, Marek Posolda wrote: >>>>>> >>>>>>> There are a few steps here and the result will work only if all steps >>>>>>> succeed. So it might help to try which step could be wrong here: >>>>>>> >>>>>>> 1) You can double-check if your user really has 'applications' >>>>>>> attribute in LDAP >>>>>>> >>>>>>> 2) If (1) is ok, you can enable TRACE logging for >>>>>>> "org.keycloak.federation.ldap" category in standalone.xml . With it, you >>>>>>> should see some trace messages with the names and values of all LDAP >>>>>>> attributes, which are loaded in user record. You should see the >>>>>>> 'applications' attribute loaded >>>>>>> >>>>>>> 3) If (2) is ok, you can browse keycloak database and check if >>>>>>> attribute 'applications' is really here. The user attributes are saved in >>>>>>> table USER_ATTRIBUTES. Currently it's not possible to browse user >>>>>>> attributes generically in admin console (unless you do custom theme) so >>>>>>> browse DB seems to be the only possibility. >>>>>>> >>>>>>> 4) If (3) is ok, the issue is not in LDAP interaction, but in >>>>>>> protocol mapper configuration. Make sure you use correct protocol mapper >>>>>>> (In your case it should be "User attributes" mapper, not "User property" >>>>>>> mapper). Also if your application is Java based, the value of >>>>>>> 'applications' claim is saved in accessToken in 'otherClaims' map and can >>>>>>> be retrieved with something like: >>>>>>> accessToken.getOtherClaims().get("applications"); >>>>>>> >>>>>>> Marek >>>>>>> >>>>>>> >>>>>>> >>>>>>> On 18.6.2015 17:50, Kevin Thorpe wrote: >>>>>>> >>>>>>> Thanks to the team for 1.3.1. We were eagerly waiting for that to >>>>>>> add LDAP attribute mappings which I see has now been done. Unfortunately I >>>>>>> can't seem to get it to work. >>>>>>> >>>>>>> I have added a user attribute mapper to my ldap federation. 
>>>>>>> This maps the LDAP attribute 'applications' which exists on my LDAP user record
>>>>>>> to 'applications' in Keycloak.
>>>>>>>
>>>>>>> I have also added a user attribute token mapper to my Keycloak
>>>>>>> client definition to map user attribute 'applications' to token claim
>>>>>>> 'applications'. I've also asked to add to both id and access token.
>>>>>>>
>>>>>>> However this attribute is not present in either the ID or access
>>>>>>> token when testing. Is there something I've missed?
>>>>>>>
>>>>>>> Something that may be an issue though is that I'm using a home
>>>>>>> written openid-connect Lua client based on your javascript one. This uses
>>>>>>> the endpoint /auth/realms/master/protocol/openid-connect/token. Is it that
>>>>>>> the openid-connect endpoint doesn't support these attributes yet?
>>>>>>>
>>>>>>> Kevin Thorpe
>>>>>>> CTO, PI ltd
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user at lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
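Added here as an example, not part of the thread and not Keycloak's own code: a small Python inspector for the check behind Marek's step 4, i.e. whether the mapped 'applications' attribute actually reached the token. It splits a compact JWT, separates the mapper-supplied claims (what the Java AccessToken exposes via getOtherClaims()) from the claims Keycloak sets itself, and reports whether a named claim is present and in what shape. The token, secret, issuer and user values are constructed; the payload is decoded without signature verification, which is fine for comparing mapper configuration against token contents but is never a substitute for the RS256 verification the adapter performs with the realm key.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_token(token: str) -> tuple:
    """Split a compact JWT into (header, claims) WITHOUT verifying it.

    Diagnostic only: it shows what the protocol mappers actually put in the
    token. The application (or adapter) still has to verify the signature
    against the realm's public key before acting on any claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims


# Claims Keycloak sets itself. Everything else comes from protocol mappers and
# is what the Java AccessToken exposes through getOtherClaims().
STANDARD_CLAIMS = frozenset({
    "jti", "exp", "nbf", "iat", "iss", "aud", "sub", "typ", "azp",
    "session_state", "realm_access", "resource_access", "preferred_username",
    "email", "email_verified", "name", "given_name", "family_name",
    "allowed-origins", "acr", "auth_time", "nonce",
})


def other_claims(claims: dict) -> dict:
    """Return only the mapper-supplied (non-standard) claims."""
    return {k: v for k, v in claims.items() if k not in STANDARD_CLAIMS}


def check_mapped_claim(token: str, claim: str) -> str:
    """Report whether `claim` reached the token and what shape it has."""
    _, claims = decode_token(token)
    if claim not in claims:
        return f"MISSING: '{claim}' is not in the token; re-check the client's mapper"
    value = claims[claim]
    # A mapped attribute arrives as a list when several values were mapped,
    # otherwise as a scalar; clients often expect one and receive the other.
    shape = "list" if isinstance(value, list) else type(value).__name__
    return f"OK: '{claim}' present as {shape}: {value!r}"


def make_sample_token(claims: dict, secret: bytes) -> str:
    """Build a constructed HS256 token so the demo has realistic input.

    Keycloak itself signs with RS256 using the realm key; this helper only
    exists to produce a well-formed header.payload.signature string offline.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


# Constructed sample: a token whose 'applications' claim did get mapped.
SAMPLE_SECRET = b"constructed-demo-secret"
SAMPLE_CLAIMS = {
    "iss": "http://localhost:8080/auth/realms/master",  # constructed issuer
    "sub": "00000000-0000-0000-0000-000000000000",     # placeholder user id
    "preferred_username": "demo.user",                 # constructed
    "exp": 1435748400,
    "applications": ["crm", "wiki"],                   # constructed mapped value
}
SAMPLE_TOKEN = make_sample_token(SAMPLE_CLAIMS, SAMPLE_SECRET)


if __name__ == "__main__":
    print(check_mapped_claim(SAMPLE_TOKEN, "applications"))
    print(check_mapped_claim(SAMPLE_TOKEN, "department"))
    print("other claims:", other_claims(decode_token(SAMPLE_TOKEN)[1]))
```

Paste a real access token from the token endpoint in place of SAMPLE_TOKEN to see which mapper-supplied claims actually arrived; a MISSING result with the attribute present in USER_ATTRIBUTE points at the client's protocol mapper rather than at the LDAP federation.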
From tdudgeon.ml at gmail.com Fri Jul 31 06:55:52 2015
From: tdudgeon.ml at gmail.com (Tim Dudgeon)
Date: Fri, 31 Jul 2015 11:55:52 +0100
Subject: [keycloak-user] problems getting started with tomcat
Message-ID: <55BB5438.107@gmail.com>

A couple of weeks back I posted about having problems getting started with tomcat, but not had any response.
The post is here, along with an example:
http://lists.jboss.org/pipermail/keycloak-user/2015-July/002652.html

I'm still struggling with this, and think I have followed the instructions here correctly:
http://keycloak.github.io/docs/userguide/html/ch08.html#tomcat-adapter

Basically I think I'm having problems with the valve not doing anything.
I have copied the appropriate keycloak jars to $TOMCAT_HOME/lib and a web app with META-INF/context.xml containing this:

<Context>
    <Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>
</Context>

and a WEB-INF/web.xml pretty well as described in the docs, but I'm not getting any authentication challenge.

Any ideas what's wrong?

Thanks
Tim

From bburke at redhat.com Fri Jul 31 07:13:30 2015
From: bburke at redhat.com (Bill Burke)
Date: Fri, 31 Jul 2015 07:13:30 -0400
Subject: [keycloak-user] problems getting started with tomcat
In-Reply-To: <55BB5438.107@gmail.com>
References: <55BB5438.107@gmail.com>
Message-ID: <55BB585A.7030600@redhat.com>

Sorry, haven't had a chance to look at this. Can you log a JIRA?

On 7/31/2015 6:55 AM, Tim Dudgeon wrote:
> A couple of weeks back I posted about having problems getting started
> with tomcat, but not had any response.
> The post is here, along with an example:
> http://lists.jboss.org/pipermail/keycloak-user/2015-July/002652.html
>
> I'm still struggling with this, and think I have followed the
> instructions here correctly:
> http://keycloak.github.io/docs/userguide/html/ch08.html#tomcat-adapter
>
> Basically I think I'm having problems with the valve not doing anything.
> I have copied the appropriate keycloak jars to $TOMCAT_HOME/lib and a
> web app with META-INF/context.xml containing this:
>
> <Context>
>     <Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>
> </Context>
>
> and a WEB-INF/web.xml pretty well as described in the docs, but I'm not
> getting any authentication challenge.
>
> Any ideas what's wrong?
>
> Thanks
> Tim
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com