From mposolda at redhat.com Mon Mar 2 14:38:44 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 02 Mar 2015 20:38:44 +0100
Subject: [keycloak-user] Token validation in keycloak in oauth with direct access.
Message-ID: <54F4BC44.9050708@redhat.com>

Hi,

when you send a directAccess grant request it returns you an accessToken and a refreshToken. The access token is valid for a short period of time (like 5 minutes as you mentioned) and you can then refresh it with the refreshToken for new tokens.

When you're sending a request from "client webservice" to "other webservice", you can attach the token to the request in an HTTP header like "Authorization: Bearer your-access-token-is-here". Then "other webservice" can be protected directly by our adapter and specified as a "bearer only" client, or you can use RSATokenVerifier if you want to validate the token manually in your application (in case you use adapters, it will do it for you).

See our demo example application for more details.

Marek

On 27.2.2015 21:47, Emil Posmyk wrote:
> Hello all
>
> I'm trying to validate a token downloaded earlier (downloaded via an oauth application with direct access) and I found RSATokenVerifier. It's working but this is only json validation and it is not checking the same token from the user session which exists in memory.
>
> Is it possible to use the same token and check it against the existing one in the user session (without clustering)? I want to use the same token several times (for example the same token for 5 minutes). The token is sent from the client webservice to another webservice and the last ws has to check the token which is sent from the first webservice (must make sure that the token is correct - the same).
>
> I have doubts because I saw that every time I try to authenticate with direct access the token is new but not over 5 minutes.
>
> regards
> --
> Emil Posmyk
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Mon Mar 2 14:46:23 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 02 Mar 2015 20:46:23 +0100
Subject: [keycloak-user] cluster configuration
References: <633939535.16929093.1425016442374.JavaMail.zimbra@redhat.com>
Message-ID: <54F4BE0F.4020504@redhat.com>

Hi,

I am not sure if pointing H2 to the same file is enough. For a shared database in a cluster, I would rather try to use "Server mode" with a URL like jdbc:h2:tcp://[:]/[] as described here http://www.h2database.com/html/features.html . Another alternative is to use some "real" database like MySQL or PostgreSQL.

Marek

On 27.2.2015 20:37, Kevin Chen wrote:
> Stian:
> Thanks, I did follow the documentation. One thing I am not sure about is the "Shared DB", does it refer to keycloak.h2.db? If so, I did point both cluster nodes to the same file.
>
> BTW, I am running both nodes on the same machine with port offset.
>
> Thanks
> Kevin
>
> -----Original Message-----
> From: Stian Thorgersen [mailto:stian at redhat.com]
> Sent: Thursday, February 26, 2015 11:54 PM
> To: Kevin Chen
> Cc: keycloak-user at lists.jboss.org
> Subject: [EXTERNAL] Re: [keycloak-user] cluster configuration
>
> Have you followed the docs (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/clustering.html)?
> You need:
>
> * Keycloak 1.1.0.Final
> * Shared DB
> * Properly configured Infinispan caches
> * Infinispan user session provider and Infinispan realm+user cache providers
>
> ----- Original Message -----
>> From: "Kevin Chen"
>> To: keycloak-user at lists.jboss.org
>> Sent: Thursday, February 26, 2015 9:25:42 PM
>> Subject: [keycloak-user] cluster configuration
>>
>> I am using keycloak 1.1, and tried to configure the cluster with 2 nodes. I am using apache httpd-2.2 as front end for both nodes. The log shows both nodes.
>>
>> I deployed KeyCloakWebTest.war on both nodes and can access it without problem.
>>
>> But when I try to access /auth/admin, it did not work:
>> 1. If both nodes are running, after inputting the correct username/password, the same login page shows up again.
>> 2. I stopped one node, logged in with the same user, it is successful and I am able to manage my Realms.
>> 3. Then I started the other node, and on clicking any action in my already logged in session, the browser shows the login page again and in the newly started node, the following exception shows up:
>> 14:22:42,033 WARN [org.jboss.resteasy.core.SynchronousDispatcher] (ajp-/127.0.0.1:8009-2) Failed executing GET /admin/serverinfo: org.jboss.resteasy.spi.UnauthorizedException: Bearer
>> at org.keycloak.services.resources.admin.AdminRoot.authenticateRealmAdminRequest(AdminRoot.java:152) [keycloak-services-1.2.0.Beta1-SNAPSHOT.jar:1.2.0.Beta1-SNAPSHOT]
>>
>> How can I fix this?
>>
>> Thanks
>> Kevin
>>
>> ----------------------------------------------------------------------
>> This e-mail, including any attached files, may contain confidential and privileged information for the sole use of the intended recipient. Any review, use, distribution, or disclosure by others is strictly prohibited.
>> If you are not the intended recipient (or authorized to receive information for the intended recipient), please contact the sender by reply e-mail and delete all copies of this message.

From Randall_Theobald at dell.com Mon Mar 2 15:53:47 2015
From: Randall_Theobald at dell.com (Randall_Theobald at dell.com)
Date: Mon, 2 Mar 2015 14:53:47 -0600
Subject: [keycloak-user] WS-Federation capability for SSO
Message-ID: <9A20E07E433AEB4D8D4025EEBE12E414069EB09E64@AUSX7MCPC107.AMER.DELL.COM>

Dell Customer Communication

Hi,

We're looking to use Keycloak capabilities to enable SSO between some systems. Does Keycloak have a timeline to support the following?

* WS-Federation (passive) protocol
* WS-Federation wrapped JSON Web Tokens (JWT)
* WS-Trust + JWT

Thanks,
Randall Theobald
Common Engineering - Performance
Dell Software Group | Office of the CTO
randall_theobald at dell.com | RR1-C336

From Peng.Chen at halliburton.com Mon Mar 2 17:09:46 2015
From: Peng.Chen at halliburton.com (Kevin Chen)
Date: Mon, 2 Mar 2015 22:09:46 +0000
Subject: [keycloak-user] [EXTERNAL] Re: Token validation in keycloak in oauth with direct access.
In-Reply-To: <54F4BC44.9050708@redhat.com>
References: <54F4BC44.9050708@redhat.com>

I had another question about the refresh token: when I forward it, it did not contain all the claims the access token has. For example, my application is configured to provide all the claims and it will use preferred_username.
If I use the refresh token, the username is not the preferred username, it is the GUID. But when I forward the same access token, then it is ok. When I decode the refresh token, all the claim fields are null.

Thanks
Kevin

From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Marek Posolda
Sent: Monday, March 02, 2015 1:39 PM
To: Emil Posmyk; keycloak-user at lists.jboss.org
Subject: [EXTERNAL] Re: [keycloak-user] Token validation in keycloak in oauth with direct access.

[...]

From guydavis.ca at gmail.com Mon Mar 2 17:22:03 2015
From: guydavis.ca at gmail.com (Guy Davis)
Date: Mon, 2 Mar 2015 15:22:03 -0700
Subject: [keycloak-user] XML tag name for "enable-basic-auth" in keycloak.json

Good day,

I've been able to enable basic authentication when using a keycloak.json file placed into WEB-INF of my test war file.

However, in other testing, I have a preference to use the standalone.xml tag configuration for the realm and each secured war. I get errors trying to place an <enable-basic-auth>true</enable-basic-auth> tag within a <secure-deployment> tag.

I'm testing against master built locally within the past few days. Looking at org.keycloak.subsystem.extension.SecureDeploymentDefinition it seems like this syntax is correct.
This configuration file syntax is failing to start JBoss EAP 6.1.0alpha with:

Caused by: javax.xml.stream.XMLStreamException: Unknown secure-deployment tag enable-basic-auth
    at org.keycloak.subsystem.extension.KeycloakSubsystemParser.readDeployment(KeycloakSubsystemParser.java:108)

Thanks in advance,
Guy

From guydavis.ca at gmail.com Mon Mar 2 17:38:43 2015
From: guydavis.ca at gmail.com (Guy Davis)
Date: Mon, 2 Mar 2015 15:38:43 -0700
Subject: [keycloak-user] Client options for authenticating against Keycloak-secured services

Good day,

I'm hoping to summarize the methods for a client Java program to authenticate against a Keycloak-secured service endpoint. Please correct any misunderstandings I have in the summary below:

1. The client program can issue a KC REST API call to get a token and then use it in an "Authorization" header of type "Bearer" as per example.
2. The client program (such as the Apache HttpClient lib) can use Basic Authorization if the KC secured-deployment has been configured to allow it.
3. The client program can negotiate a SAML v2.0 SP-initiated SSO session directly against KC if the service is so configured.
4. The client program can negotiate an OpenID Connect SSO session directly against KC if the service is so configured.

I have working Java examples now for #1 and #2, but was wondering if there were any Java examples of #3 and #4. Is my understanding of the authentication options for clients correct?

By the way, I am greatly impressed by the progress being made on the master branch around Kerberos/SPNEGO and Identity Brokering. Kudos to the team.

Thanks in advance,
Guy
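Added example (not from the list thread and not Keycloak's own code): a Python client for option #1 above, which is also the flow Marek describes earlier in this digest. It sends the resource owner's credentials to the realm's token endpoint with the OAuth 2.0 password grant, keeps the returned access token and refresh token apart, forwards ONLY the access token as "Authorization: Bearer ...", and uses the refresh token solely to obtain a fresh pair once the short-lived access token has aged out. To run offline it starts a constructed stub token endpoint on localhost that stands in for Keycloak; the endpoint path, the client id "client-webservice" and the credentials are assumptions (the direct grant path differs between Keycloak versions, so the real one is passed in by the caller).

```python
import json
import threading
import time
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class DirectAccessClient:
    """Client side of option #1: obtain a token pair with the direct access
    (resource owner password) grant and forward only the access token."""

    def __init__(self, token_url, client_id, client_secret=None):
        self.token_url = token_url          # assumption: caller supplies the realm's token endpoint
        self.client_id = client_id
        self.client_secret = client_secret  # only needed for confidential clients
        self.access_token = None
        self.refresh_token = None
        self.expires_at = 0.0

    def _post_form(self, fields):
        if self.client_secret:
            fields["client_secret"] = self.client_secret
        body = urllib.parse.urlencode(fields).encode()
        req = urllib.request.Request(self.token_url, data=body, method="POST")
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.loads(resp.read().decode())

    def _store(self, tok):
        self.access_token = tok["access_token"]
        self.refresh_token = tok["refresh_token"]
        # Refresh 30 s early so a token is never forwarded right at its expiry.
        self.expires_at = time.time() + int(tok["expires_in"]) - 30

    def login(self, username, password):
        self._store(self._post_form({"grant_type": "password", "client_id": self.client_id,
                                     "username": username, "password": password}))

    def refresh(self):
        self._store(self._post_form({"grant_type": "refresh_token", "client_id": self.client_id,
                                     "refresh_token": self.refresh_token}))

    def bearer_header(self):
        """Header for the call to the other web service; the refresh token never goes here."""
        if time.time() >= self.expires_at:
            self.refresh()
        return {"Authorization": "Bearer " + self.access_token}


class StubTokenEndpoint(BaseHTTPRequestHandler):
    """Constructed stand-in for the realm token endpoint (not Keycloak):
    accepts one fixed credential pair and issues numbered 300 s token pairs."""
    issued = 0

    def do_POST(self):
        form = urllib.parse.parse_qs(self.rfile.read(int(self.headers["Content-Length"])).decode())
        grant = form.get("grant_type", [""])[0]
        valid = (grant == "password" and form.get("username") == ["alice"]
                 and form.get("password") == ["s3cret"]) or \
                (grant == "refresh_token" and form.get("refresh_token", [""])[0].startswith("refresh-"))
        if not valid:
            self._reply(400, {"error": "invalid_grant"})
            return
        StubTokenEndpoint.issued += 1
        n = StubTokenEndpoint.issued
        self._reply(200, {"access_token": "access-%d" % n, "refresh_token": "refresh-%d" % n,
                          "expires_in": 300, "token_type": "bearer"})

    def _reply(self, status, payload):
        body = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the example quiet


def run_demo():
    """Log in, forward the access token, then refresh once the access token has aged out."""
    StubTokenEndpoint.issued = 0
    srv = HTTPServer(("127.0.0.1", 0), StubTokenEndpoint)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        # Path is an assumption; the direct grant endpoint path depends on the Keycloak version.
        url = "http://127.0.0.1:%d/auth/realms/demo/protocol/openid-connect/token" % srv.server_port
        client = DirectAccessClient(url, client_id="client-webservice")
        client.login("alice", "s3cret")
        first = client.bearer_header()
        client.expires_at = 0.0        # simulate the 5-minute lifetime having elapsed
        second = client.bearer_header()
        return {"first": first, "second": second, "refresh_token": client.refresh_token}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(run_demo())
```

The point of keeping the two tokens in separate fields is the one raised later in this digest: the refresh token carries none of the user claims and is only meaningful to the token endpoint, so a client that forwards it as a bearer credential both leaks a long-lived secret and gets a token the second service cannot use.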
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 2015-03-02_153310.png
Type: image/png
Size: 27963 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150302/0e673070/attachment-0001.png

From chenkeong.yap at izeno.com Mon Mar 2 22:22:43 2015
From: chenkeong.yap at izeno.com (Chen Keong Yap)
Date: Tue, 3 Mar 2015 11:22:43 +0800
Subject: [keycloak-user] Keycloak sp filter

Hi,

Please shed some light on implementing a Keycloak sp filter which is similar to the picketlink sp filter.

org.picketlink.identity.federation.web.filters.SPFilter

From stian at redhat.com Mon Mar 2 22:34:01 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 2 Mar 2015 22:34:01 -0500 (EST)
Subject: [keycloak-user] cluster configuration
In-Reply-To: <54F4BE0F.4020504@redhat.com>
References: <633939535.16929093.1425016442374.JavaMail.zimbra@redhat.com> <54F4BE0F.4020504@redhat.com>
Message-ID: <1068009884.18841828.1425353641921.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Marek Posolda"
> To: "Kevin Chen" , "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Monday, 2 March, 2015 8:46:23 PM
> Subject: Re: [keycloak-user] cluster configuration
>
> Hi,
>
> I am not sure if pointing H2 to the same file is enough. For a shared database in a cluster, I would rather try to use "Server mode" with a URL like jdbc:h2:tcp://[:]/[] as described here http://www.h2database.com/html/features.html . Another alternative is to use some "real" database like MySQL or PostgreSQL.

+1 I would not recommend H2 in production and especially not if you're wanting to cluster

>
> Marek
>
> On 27.2.2015 20:37, Kevin Chen wrote:
> > [...]

From stian at redhat.com Mon Mar 2 22:42:39 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 2 Mar 2015 22:42:39 -0500 (EST)
Subject: [keycloak-user] [EXTERNAL] Re: Token validation in keycloak in oauth with direct access.
References: <54F4BC44.9050708@redhat.com>
Message-ID: <631265274.18842776.1425354159057.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Kevin Chen"
> To: "Marek Posolda" , "Emil Posmyk" , keycloak-user at lists.jboss.org
> Sent: Monday, 2 March, 2015 11:09:46 PM
> Subject: Re: [keycloak-user] [EXTERNAL] Re: Token validation in keycloak in oauth with direct access.
>
> I had another question about the refresh token: when I forward it, it did not contain all the claims the access token has.

The refresh token should only be used to refresh the access token and so there's no need to have those claims there

> For example, my application is configured to provide all the claims and it will use preferred_username. If I use the refresh token, the username is not the preferred username, it is the GUID. But when I forward the same access token, then it is ok. When I decode the refresh token, all the claim fields are null.
>
> Thanks
>
> Kevin
>
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Marek Posolda
> Sent: Monday, March 02, 2015 1:39 PM
> To: Emil Posmyk; keycloak-user at lists.jboss.org
> Subject: [EXTERNAL] Re: [keycloak-user] Token validation in keycloak in oauth with direct access.
>
> [...]

From stian at redhat.com Mon Mar 2 22:43:46 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 2 Mar 2015 22:43:46 -0500 (EST)
Subject: [keycloak-user] XML tag name for "enable-basic-auth" in keycloak.json
Message-ID: <1549483681.18842929.1425354226468.JavaMail.zimbra@redhat.com>

Looks like that property hasn't been added to the sub-system, please create a jira

----- Original Message -----
> From: "Guy Davis"
> To: keycloak-user at lists.jboss.org
> Sent: Monday, 2 March, 2015 11:22:03 PM
> Subject: [keycloak-user] XML tag name for "enable-basic-auth" in keycloak.json
>
> [...]

From gcollis at iinet.net.au Tue Mar 3 00:00:26 2015
From: gcollis at iinet.net.au (Graeme Collis)
Date: Tue, 3 Mar 2015 16:00:26 +1100
Subject: [keycloak-user] Extra Registration Information
Message-ID: <337CB56A25624D4185E961FFB48AA00F04C57CD80145@SWANS20.fitzroy01.local>

I want to add 1 required field of user information to the Keycloak registration.

From what I've read this is not currently possible. Does this mean I basically have to

1. duplicate the Keycloak Registration application in another application
2. use the admin api's to update Keycloak
3. using the Keycloak user id, store it with the extra data information
4. have this available to all the different apps that need it.

Regards,
Graeme

From chenkeong.yap at izeno.com Tue Mar 3 05:24:02 2015
From: chenkeong.yap at izeno.com (Chen Keong Yap)
Date: Tue, 3 Mar 2015 18:24:02 +0800
Subject: [keycloak-user] Keycloak sp filter

Hi,

I can log in to the sample app integrated with the picketlink spfilter but the keycloak console cannot view the picketlink session. Can someone advise how to interpret the keycloak session using the picketlink spfilter?

On Tue, Mar 3, 2015 at 11:22 AM, Chen Keong Yap wrote:
> Hi,
>
> Please shed some light on implementing a Keycloak sp filter which is similar to the picketlink sp filter.
>
> org.picketlink.identity.federation.web.filters.SPFilter

From bburke at redhat.com Tue Mar 3 10:45:19 2015
From: bburke at redhat.com (Bill Burke)
Date: Tue, 03 Mar 2015 10:45:19 -0500
Subject: [keycloak-user] Keycloak sp filter
Message-ID: <54F5D70F.2030309@redhat.com>

There is no Keycloak SP filter. We have various adapters for different platforms that hook into servlet security to make integration seamless:

Tomcat 6, 7, 8
Jetty 8, 9
EAP 6.x
Wildfly
Node.js
Browser Javascript adapter.

On 3/2/2015 10:22 PM, Chen Keong Yap wrote:
> Hi,
>
> Please shed some light on implementing a Keycloak sp filter which is similar to the picketlink sp filter.
>
> org.picketlink.identity.federation.web.filters.SPFilter

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From hernan.metaute at ceiba.com.co Tue Mar 3 17:36:21 2015
From: hernan.metaute at ceiba.com.co (Hernan Dario Metaute Sarmiento)
Date: Tue, 3 Mar 2015 17:36:21 -0500
Subject: [keycloak-user] applications-by-id

Hi,

I've been using keycloak for some time now and I'm having this weird error all of a sudden.

I have a fresh wildfly install with keycloak from the appliance distribution. I also configured a fresh database (mongodb), configured the connection on keycloak-server.json and fired up the server.

I log in the first time to the admin console, change the password, etc. Then I create a realm called, let's say, myApp. Everything goes well and then I use that realm (change it on the drop down) and click on applications.
I get an error on screen saying "Not Found" and when going to the console I get

17:30:23,885 INFO [stdout] (default task-33) 2015-03-03 17:30:23 WARN ExceptionHandler:135 - failed to execute
17:30:23,886 INFO [stdout] (default task-33) javax.ws.rs.NotFoundException: Could not find resource for full path: http://localhost:8080/auth/admin/realms/myApp/applications-by-id
17:30:23,886 INFO [stdout] (default task-33) at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:112)
17:30:23,887 INFO [stdout] (default task-33) at org.jboss.resteasy.core.registry.RootNode.match(RootNode.java:43)
17:30:23,887 INFO [stdout] (default task-33) at org.jboss.resteasy.core.LocatorRegistry.getResourceInvoker(LocatorRegistry.java:79)
17:30:23,888 INFO [stdout] (default task-33) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:131)
17:30:23,888 INFO [stdout] (default task-33) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
17:30:23,888 INFO [stdout] (default task-33) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
17:30:23,888 INFO [stdout] (default task-33) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
17:30:23,889 INFO [stdout] (default task-33) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
17:30:23,889 INFO [stdout] (default task-33) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
17:30:23,889 INFO [stdout] (default task-33) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
17:30:23,890 INFO [stdout] (default task-33) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
17:30:23,890 INFO [stdout] (default task-33) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
17:30:23,891 INFO [stdout] (default task-33) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
17:30:23,891 INFO [stdout] (default task-33) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
17:30:23,891 INFO [stdout] (default task-33) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
17:30:23,892 INFO [stdout] (default task-33) at org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41)
17:30:23,892 INFO [stdout] (default task-33) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
17:30:23,892 INFO [stdout] (default task-33) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
17:30:23,893 INFO [stdout] (default task-33) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40)
17:30:23,893 INFO [stdout] (default task-33) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
17:30:23,893 INFO [stdout] (default task-33) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
17:30:23,894 INFO [stdout] (default task-33) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
17:30:23,894 INFO [stdout] (default task-33) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61)
17:30:23,894 INFO [stdout] (default task-33) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
17:30:23,895 INFO [stdout] (default task-33) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
17:30:23,895 INFO [stdout] (default task-33) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
17:30:23,895 INFO [stdout] (default task-33) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
17:30:23,896 INFO [stdout] (default task-33) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56)
17:30:23,896 INFO [stdout] (default task-33) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
17:30:23,896 INFO [stdout] (default task-33) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45)
17:30:23,897 INFO [stdout] (default task-33) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63)
17:30:23,899 INFO [stdout] (default task-33) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
17:30:23,899 INFO [stdout] (default task-33) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70)
17:30:23,900 INFO [stdout] (default task-33) at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
17:30:23,900 INFO [stdout] (default task-33) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
17:30:23,902 INFO [stdout] (default task-33) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
17:30:23,902 INFO [stdout] (default task-33) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
17:30:23,902 INFO [stdout] (default task-33) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
17:30:23,903 INFO [stdout] (default task-33) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261)
17:30:23,903 INFO [stdout] (default task-33) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247)
17:30:23,903 INFO [stdout] (default task-33) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76)
17:30:23,904 INFO [stdout] (default task-33) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:166)
17:30:23,910 INFO [stdout] (default task-33) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:197)
17:30:23,912 INFO [stdout] (default task-33) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759)
17:30:23,912 INFO [stdout] (default task-33) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
17:30:23,913 INFO [stdout] (default task-33) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
17:30:23,913 INFO [stdout] (default task-33) at java.lang.Thread.run(Thread.java:745)

Can anyone give me a hint as to where to look or what to look for? I previously had a realm configured and started getting this error, so I started fresh and am still getting it.

Thanks in advance

--
Hernán Metaute
Arquitecto
Ceiba Software
(57 4) 444 5 111 Ext 110
Cl 8 B 65 - 191 Of 409, Centro Empresarial Puertoseco, Medellín, Colombia
Visit our site www.ceiba.co
________________________________________
This message, including its attachment, is confidential and may be privileged. If you are not its addressee, please notify the sender, then destroy the communication and all copies. You must not copy, distribute and/or disclose this communication, in part or in whole, without the sender's authorization.
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150303/a96643e7/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.png Type: image/png Size: 8377 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150303/a96643e7/attachment-0001.png From chenkeong.yap at izeno.com Tue Mar 3 23:36:13 2015 From: chenkeong.yap at izeno.com (Chen Keong Yap) Date: Wed, 4 Mar 2015 12:36:13 +0800 Subject: [keycloak-user] Keycloak sp filter In-Reply-To: <54F5D70F.2030309@redhat.com> References: <54F5D70F.2030309@redhat.com> Message-ID: Hi bill, the existing adapters cannot support jboss eap 5.0.2 and websphere 8.5 and we are not allowed to use keycloak proxy. can you suggest any other alternative similar to picketlink sp filter? On Tue, Mar 3, 2015 at 11:45 PM, Bill Burke wrote: > There is no Keycloak SP filter. We have various adapters for different > platforms that hook into servlet security to make integration seamless: > > Tomcat 6, 7, 8 > Jetty 8, 9 > EAP 6.x > Wildfly > Node.js > Browser Javascript adapter. > > On 3/2/2015 10:22 PM, Chen Keong Yap wrote: > > Hi, > > > > Please share some lights for implementing Keycloak sp filter which is > > similar to picketlink sp filter. > > > > org.picketlink.identity.federation.web.filters.SPFilter > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
From stian at redhat.com Wed Mar 4 01:14:51 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Wed, 4 Mar 2015 01:14:51 -0500 (EST)
Subject: [keycloak-user] applications-by-id
In-Reply-To:
References:
Message-ID: <2011950070.20240848.1425449691461.JavaMail.zimbra@redhat.com>

Have you tried to clear your browser's cache? It may be caused by cached resources from a previous release.

----- Original Message -----
> From: "Hernan Dario Metaute Sarmiento"
> To: keycloak-user at lists.jboss.org
> Sent: Tuesday, March 3, 2015 11:36:21 PM
> Subject: [keycloak-user] applications-by-id
>
> Hi, I've been using keycloak for some time now and I'm having this weird
> error all of a sudden.
> I have a fresh wildfly install with keycloak from the appliance distribution.
> I also configured a fresh database (mongodb), configured the connection on
> keycloak-server.json and fired up the server.
> I log in the first time to the admin console, change the password, etc.
> Then I create a realm called, let's say, myApp. Everything goes well and then
> I use that realm (change it on the drop down) and click on applications.
> I get an error on screen saying "Not Found" and when going to the console I
> get
>
> 17:30:23,885 INFO [stdout] (default task-33) 2015-03-03 17:30:23 WARN ExceptionHandler:135 - failed to execute
> 17:30:23,886 INFO [stdout] (default task-33) javax.ws.rs.NotFoundException: Could not find resource for full path: http://localhost:8080/auth/admin/realms/myApp/applications-by-id
> 17:30:23,886 INFO [stdout] (default task-33) at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:112)
> [...]
> 17:30:23,913 INFO [stdout] (default task-33) at java.lang.Thread.run(Thread.java:745)
>
> Can anyone give me a hint as to where to look or what to look for?
> I previously had a realm configured and started getting this error so I
> started fresh and am still getting it.
> Thanks in advance
> --
> Hernán Metaute
> Architect
> Ceiba Software
> [...]

From hernan.metaute at ceiba.com.co Wed Mar 4 07:44:55 2015
From: hernan.metaute at ceiba.com.co (Hernan Dario Metaute Sarmiento)
Date: Wed, 4 Mar 2015 07:44:55 -0500
Subject: [keycloak-user] applications-by-id
In-Reply-To: <2011950070.20240848.1425449691461.JavaMail.zimbra@redhat.com>
References: <2011950070.20240848.1425449691461.JavaMail.zimbra@redhat.com>
Message-ID:

Hi, Stian. Thanks for taking the time to answer:
Yes, I have in fact cleared the browser's cache. Also I have replaced the contents of $WILDFLY_HOME/standalone/deployments with a fresh install of keycloak from the war distribution. As I said before, I am starting from the appliance distribution.
The stacktrace I sent you comes from the server's logs, so I doubt it might be cache issues.
I understand that in the default configuration (which I'm not using since I'm using a mongo database) keycloak uses an H2 database for storing configuration data (what I can see in $WILDFLY_HOME/standalone/deployments/keycloak-ds.xml). However, deleting this file didn't make much difference.

2015-03-04 1:14 GMT-05:00 Stian Thorgersen :

> Have you tried to clear your browser's cache? It may be caused by cached
> resources from a previous release.
>
> ----- Original Message -----
> > From: "Hernan Dario Metaute Sarmiento"
> > To: keycloak-user at lists.jboss.org
> > Sent: Tuesday, March 3, 2015 11:36:21 PM
> > Subject: [keycloak-user] applications-by-id
> >
> > Hi, I've been using keycloak for some time now and I'm having this weird
> > error all of a sudden.
> > I have a fresh wildfly install with keycloak from the appliance distribution.
> > I also configured a fresh database (mongodb), configured the connection on
> > keycloak-server.json and fired up the server.
> > I log in the first time to the admin console, change the password, etc.
> > Then I create a realm called, let's say, myApp. Everything goes well and then
> > I use that realm (change it on the drop down) and click on applications.
> > I get an error on screen saying "Not Found" and when going to the console I
> > get
> >
> > 17:30:23,885 INFO [stdout] (default task-33) 2015-03-03 17:30:23 WARN ExceptionHandler:135 - failed to execute
> > 17:30:23,886 INFO [stdout] (default task-33) javax.ws.rs.NotFoundException: Could not find resource for full path: http://localhost:8080/auth/admin/realms/myApp/applications-by-id
> > 17:30:23,886 INFO [stdout] (default task-33) at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:112)
> > [...]
> > 17:30:23,913 INFO [stdout] (default task-33) at java.lang.Thread.run(Thread.java:745)
> >
> > Can anyone give me a hint as to where to look or what to look for?
> > I previously had a realm configured and started getting this error so I
> > started fresh and am still getting it.
> > Thanks in advance
> > --
> > Hernán Metaute
> > Architect
> > Ceiba Software
> > [...]

--
Hernán Metaute
Architect
Ceiba Software
(57 4) 444 5 111 Ext 110
Cl 8 B 65 - 191 Of 409, Centro Empresarial Puertoseco - Medellín, Colombia
Visit our site: www.ceiba.co
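As an added example (not code from this thread or from Keycloak), here is a small Python triage script for the kind of trace in the first message: it folds mail-wrapped log lines back into one record each, pulls every URL that RESTEasy reported as "Could not find resource for full path", and groups those URLs by realm and by the admin resource that was requested. The console prefix it expects ("HH:MM:SS,mmm LEVEL [category] (thread)") is the WildFly stdout format shown in the thread. The sample log is constructed from the lines in the thread plus two further requests (task-34 on the same realm and task-35 on a second realm, "master") that are assumptions added only to show counting and grouping. A resource that is missing for every realm the console touched is being requested from a server build that does not expose it at all, which points at a mismatch between the admin console and the REST services rather than at a realm-specific problem; a resource missing for one realm only points at that realm.

```python
import re

# A record starts with the WildFly console prefix "HH:MM:SS,mmm LEVEL [category] (thread)".
TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2},\d{3}\s+\w+\s+\[[^\]]+\]\s+\([^)]+\)\s*")
# RESTEasy's 404 message, as printed by Keycloak's ExceptionHandler in the thread.
NOT_FOUND_RE = re.compile(
    r"javax\.ws\.rs\.NotFoundException:\s*Could not find resource for full path:\s*(\S+)"
)
# A Java stack frame once "at" and the frame are back on one line.
FRAME_RE = re.compile(r"^at\s+([\w$.]+)\(([\w.]+):(\d+)\)")
# Admin REST URLs in the thread look like /auth/admin/realms/<realm>/<resource>.
ADMIN_RE = re.compile(r"/auth/admin/realms/([^/?]+)/([^/?]+)")

# Constructed sample: the first records are the ones posted in the thread; the
# task-34 and task-35 records are assumptions added to exercise grouping.
SAMPLE_LOG = """\
17:30:23,885 INFO  [stdout] (default task-33) 2015-03-03 17:30:23 WARN  ExceptionHandler:135 - failed to execute
17:30:23,886 INFO  [stdout] (default task-33) javax.ws.rs.NotFoundException:
Could not find resource for full path:
http://localhost:8080/auth/admin/realms/myApp/applications-by-id
17:30:23,886 INFO  [stdout] (default task-33) at
org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:112)
17:30:23,887 INFO  [stdout] (default task-33) at
org.jboss.resteasy.core.registry.RootNode.match(RootNode.java:43)
17:30:24,010 INFO  [stdout] (default task-34) javax.ws.rs.NotFoundException: Could not find resource for full path: http://localhost:8080/auth/admin/realms/myApp/applications-by-id
17:30:24,011 INFO  [stdout] (default task-34) at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:112)
17:30:31,400 INFO  [stdout] (default task-35) javax.ws.rs.NotFoundException: Could not find resource for full path: http://localhost:8080/auth/admin/realms/master/applications-by-id
17:30:31,401 INFO  [stdout] (default task-35) at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:112)
""".splitlines()


def join_records(lines):
    """Yield one string per log record, with the console prefix removed.

    Mail clients and the list archive wrap long lines, so the exception text,
    its URL, or the frame after "at" often arrive on lines of their own. Any
    line without a console prefix is folded onto the record before it.
    """
    record = None
    for raw in lines:
        line = raw.rstrip()
        if TS_RE.match(line):
            if record is not None:
                yield record
            record = TS_RE.sub("", line).strip()
        elif record is not None and line.strip():
            record = f"{record} {line.strip()}"
    if record is not None:
        yield record


def missing_resources(lines):
    """Map each URL the server could not route to its count and to the first
    stack frame following the exception (the RESTEasy router for a plain 404)."""
    results = {}
    records = list(join_records(lines))
    for idx, rec in enumerate(records):
        match = NOT_FOUND_RE.search(rec)
        if not match:
            continue
        entry = results.setdefault(match.group(1), {"count": 0, "first_frame": None})
        entry["count"] += 1
        if entry["first_frame"] is None:
            for following in records[idx + 1:]:
                frame = FRAME_RE.match(following)
                if frame:
                    entry["first_frame"] = frame.group(1)
                    break
    return results


def unknown_admin_resources(results):
    """Group unroutable admin URLs as {realm: {resource segment after the realm}}."""
    by_realm = {}
    for url in results:
        match = ADMIN_RE.search(url)
        if match:
            by_realm.setdefault(match.group(1), set()).add(match.group(2))
    return by_realm


def missing_in_every_realm(by_realm):
    """Resources that 404 in every realm seen: the console asked for an endpoint
    this server build does not expose, not something wrong with one realm."""
    if not by_realm:
        return set()
    return set.intersection(*by_realm.values())


if __name__ == "__main__":
    found = missing_resources(SAMPLE_LOG)
    for url, info in found.items():
        print(f"{info['count']}x {url} (raised in {info['first_frame']})")
    grouped = unknown_admin_resources(found)
    print("missing in every realm:", sorted(missing_in_every_realm(grouped)))
```

Run it against a real server.log by replacing SAMPLE_LOG with the file's lines; the folding step is what makes it work on a log pasted from a mail thread as well as on the original file.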
From bburke at redhat.com Wed Mar 4 07:55:16 2015
From: bburke at redhat.com (Bill Burke)
Date: Wed, 04 Mar 2015 07:55:16 -0500
Subject: [keycloak-user] Keycloak sp filter
In-Reply-To:
References: <54F5D70F.2030309@redhat.com>
Message-ID: <54F700B4.7020509@redhat.com>

You can still use the PL Filter SP. Just configure the application in the admin console to use SAML.

On 3/3/2015 11:36 PM, Chen Keong Yap wrote:
> Hi Bill,
>
> the existing adapters cannot support JBoss EAP 5.0.2 and WebSphere 8.5,
> and we are not allowed to use Keycloak proxy.
>
> can you suggest any other alternative similar to the PicketLink SP filter?
>
> On Tue, Mar 3, 2015 at 11:45 PM, Bill Burke wrote:
>
> > There is no Keycloak SP filter. We have various adapters for different
> > platforms that hook into servlet security to make integration seamless:
> > [...]

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From chenkeong.yap at izeno.com Wed Mar 4 08:04:10 2015
From: chenkeong.yap at izeno.com (Chen Keong Yap)
Date: Wed, 4 Mar 2015 21:04:10 +0800
Subject: [keycloak-user] Keycloak sp filter
In-Reply-To: <54F700B4.7020509@redhat.com>
References: <54F5D70F.2030309@redhat.com> <54F700B4.7020509@redhat.com>
Message-ID:

Hi Bill,

Yup. I have configured the app in the Keycloak admin console. However, I encountered 2 issues.

The first issue is that I was able to log in to the app via the PL SP filter, but the login session cannot be seen in the Keycloak admin console.

The second issue is that global logout was not working and the landing page just did a self refresh.

On Mar 4, 2015 8:55 PM, "Bill Burke" wrote:
> You can still use the PL Filter SP. Just configure the application in the
> admin console to use SAML.
>
> [...]
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From stian at redhat.com Wed Mar 4 08:11:50 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Wed, 4 Mar 2015 08:11:50 -0500 (EST)
Subject: [keycloak-user] applications-by-id
In-Reply-To:
References: <2011950070.20240848.1425449691461.JavaMail.zimbra@redhat.com>
Message-ID: <1227843031.20423988.1425474710737.JavaMail.zimbra@redhat.com>

In the first email you said you're using a "wildfly install with keycloak from the appliance distribution". That doesn't make sense, as the appliance distribution comes with WildFly. Also, now you're saying you've upgraded $WILDFLY_HOME/standalone/deployments from the war distribution. It sounds like your problems may be caused by a mismatch between the admin console and the REST services. Please try the appliance distribution and see if you get the same issue there; if not, then refer to the migration guides on how to upgrade correctly.
----- Original Message -----
> From: "Hernan Dario Metaute Sarmiento"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Wednesday, March 4, 2015 1:44:55 PM
> Subject: Re: [keycloak-user] applications-by-id
>
> Hi, Stian. Thanks for taking the time to answer:
> Yes, I have in fact cleared the browser's cache. Also I have replaced the
> contents of $WILDFLY_HOME/standalone/deployments with a fresh install of
> keycloak from the war distribution. As I said before, I am starting from
> the appliance distribution.
> The stacktrace I sent you comes from the server's logs, so I doubt it might
> be cache issues.
> I understand that in the default configuration (which I'm not using since
> I'm using a mongo database) keycloak uses an H2 database for storing
> configuration data (what I can see in
> $WILDFLY_HOME/standalone/deployments/keycloak-ds.xml). However, deleting
> this file didn't make much difference.
>
> 2015-03-04 1:14 GMT-05:00 Stian Thorgersen :
>
> > Have you tried to clear your browser's cache? It may be caused by cached
> > resources from a previous release.
> >
> > ----- Original Message -----
> > > From: "Hernan Dario Metaute Sarmiento"
> > > To: keycloak-user at lists.jboss.org
> > > Sent: Tuesday, March 3, 2015 11:36:21 PM
> > > Subject: [keycloak-user] applications-by-id
> > >
> > > Hi, I've been using keycloak for some time now and I'm having this weird
> > > error all of a sudden.
> > > I have a fresh wildfly install with keycloak from the appliance distribution.
> > > I also configured a fresh database (mongodb), configured the connection on
> > > keycloak-server.json and fired up the server.
> > > I log in the first time to the admin console, change the password, etc.
> > > Then I create a realm called, let's say, myApp. Everything goes well and then
> > > I use that realm (change it on the drop down) and click on applications.
> > > I get an error on screen saying "Not Found" and when going to the console I
> > > get
> > >
> > > 17:30:23,885 INFO [stdout] (default task-33) 2015-03-03 17:30:23 WARN ExceptionHandler:135 - failed to execute
> > > 17:30:23,886 INFO [stdout] (default task-33) javax.ws.rs.NotFoundException: Could not find resource for full path: http://localhost:8080/auth/admin/realms/myApp/applications-by-id
> > > 17:30:23,886 INFO [stdout] (default task-33) at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:112)
> > > [...]
> > > 17:30:23,900 INFO [stdout] (default task-33) at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
> > > 17:30:23,900 INFO [stdout] (default task-33) at > > >
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > > > 17:30:23,902 INFO [stdout] (default task-33) at > > > > > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > > > 17:30:23,902 INFO [stdout] (default task-33) at > > > > > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > > > 17:30:23,902 INFO [stdout] (default task-33) at > > > > > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > > > 17:30:23,903 INFO [stdout] (default task-33) at > > > > > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261) > > > 17:30:23,903 INFO [stdout] (default task-33) at > > > > > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247) > > > 17:30:23,903 INFO [stdout] (default task-33) at > > > > > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76) > > > 17:30:23,904 INFO [stdout] (default task-33) at > > > > > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:166) > > > 17:30:23,910 INFO [stdout] (default task-33) at > > > io.undertow.server.Connectors.executeRootHandler(Connectors.java:197) > > > 17:30:23,912 INFO [stdout] (default task-33) at > > > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759) > > > 17:30:23,912 INFO [stdout] (default task-33) at > > > > > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > > > 17:30:23,913 INFO [stdout] (default task-33) at > > > > > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > > > 17:30:23,913 INFO [stdout] (default task-33) at > > > java.lang.Thread.run(Thread.java:745) > > > > > > > > > Can anyone give me a hint as to where to look or what to look for? 
> > > I previously had a realm configured and started getting this error so I started fresh and am still getting it.
> > > Thanks in advance
> > > --
> > >
> > > Hernán Metaute
> > > Architect
> > > Ceiba Software
> > > (57 4) 444 5 111 Ext 110
> > > Cl 8 B 65 - 191 Of 409, Centro Empresarial Puertoseco - Medellín, Colombia
> > > Visit our site www.ceiba.co
> > > ________________________________________
> > > This message, including its attachments, is confidential and may be privileged. If you are not the intended recipient, please notify the sender, then destroy the communication and all copies. You must not copy, distribute and/or disclose this communication in whole or in part without the sender's authorization.
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
> --
> Hernán Metaute
> Architect
> Ceiba Software

From hernan.metaute at ceiba.com.co Wed Mar 4 08:30:54 2015
From: hernan.metaute at ceiba.com.co (Hernan Dario Metaute Sarmiento)
Date: Wed, 4 Mar 2015 08:30:54 -0500
Subject: [keycloak-user] applications-by-id
In-Reply-To: <1227843031.20423988.1425474710737.JavaMail.zimbra@redhat.com>
References: <2011950070.20240848.1425449691461.JavaMail.zimbra@redhat.com> <1227843031.20423988.1425474710737.JavaMail.zimbra@redhat.com>
Message-ID:

Hi, Stian.
Thanks a lot again for answering.
Well, maybe I didn't explain myself clearly:
What I was trying to say was that my starting point was this file:
http://sourceforge.net/projects/keycloak/files/1.1.0.Final/keycloak-appliance-dist-all-1.1.0.Final.zip/download
I unzipped it, configured my mongo database and imported my realm from a json I had previously configured in another instance.
At some point I started getting the error from the first email.
That being said, it does make sense that at some point I might have replaced the deployments folder with the contents of
http://sourceforge.net/projects/keycloak/files/1.1.0.Final/keycloak-war-dist-all-1.1.0.Final.zip/download/deployments
so the mismatch of versions could be the issue. I will try then configuring from scratch starting from the appliance distribution and will come back and tell you how it went.
Thanks again for your time.

2015-03-04 8:11 GMT-05:00 Stian Thorgersen :

> In the first email you said you're using a "wildfly install with keycloak from the appliance distribution". That doesn't make sense as the appliance distribution comes with WildFly.
>
> Also now you're saying you've upgraded $WILDFLY_HOME/standalone/deployments from the war distribution.
>
> It sounds like your problems may be caused by a mismatch between the admin console and the rest services.
>
> Please try the appliance distribution and see if you get the same issue there; if not, then refer to the migration guides on how to upgrade correctly.
>
> ----- Original Message -----
> > From: "Hernan Dario Metaute Sarmiento"
> > To: "Stian Thorgersen"
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Wednesday, March 4, 2015 1:44:55 PM
> > Subject: Re: [keycloak-user] applications-by-id
> >
> > Hi, Stian. Thanks for taking the time to answer:
> > Yes, I have in fact cleared the browser's cache. Also I have replaced the contents of $WILDFLY_HOME/standalone/deployments with a fresh install of keycloak from the war distribution. As I said before, I am starting from the appliance distribution.
> > The stacktrace I sent you comes from the server's logs so I doubt it might be cache issues.
> > I understand that in the default configuration (which I'm not using since I'm using a mongo database) keycloak uses an h2 database for storing configuration data (what I can see in $WILDFLY_HOME/standalone/deployments/keycloak-ds.xml). However, deleting this file didn't make much difference.
> >
> > 2015-03-04 1:14 GMT-05:00 Stian Thorgersen :
> >
> > > Have you tried to clear your browser's cache? It may be caused by cached resources from a previous release.
> > >
> > > ----- Original Message -----
> > > > From: "Hernan Dario Metaute Sarmiento"
> > > > To: keycloak-user at lists.jboss.org
> > > > Sent: Tuesday, March 3, 2015 11:36:21 PM
> > > > Subject: [keycloak-user] applications-by-id
> > > >
> > > > Hi, I've been using keycloak for some time now and I'm having this weird error all of a sudden.
> > > > I have a fresh wildfly install with keycloak from the appliance distribution.
> > > > I also configured a fresh database (mongodb), configured the connection on keycloak-server.json and fired up the server.
> > > > I log in the first time to the admin console, change the password, etc.
> > > > Then I create a realm called, let's say, myApp. Everything goes well and then I use that realm (change it on the drop down) and click on applications.
> > > > I get an error on screen saying "Not Found" and when going to the console I get
> > > >
> > > > [same stack trace as quoted above]
> > > >
> > > > Can anyone give me a hint as to where to look or what to look for?
> > > > I previously had a realm configured and started getting this error so I started fresh and am still getting it.
> > > > Thanks in advance
> > > > --
> > > > Hernán Metaute
> > > > Architect
> > > > Ceiba Software
> > >
> >
> > --
> > Hernán Metaute
> > Architect
> > Ceiba Software
>

--
Hernán Metaute
Architect
Ceiba Software

From bburke at redhat.com Wed Mar 4 08:44:01 2015
From: bburke at redhat.com (Bill Burke)
Date: Wed, 04 Mar 2015 08:44:01 -0500
Subject: [keycloak-user] Keycloak sp filter
In-Reply-To:
References: <54F5D70F.2030309@redhat.com> <54F700B4.7020509@redhat.com>
Message-ID: <54F70C21.3030701@redhat.com>

Our testsuite uses PL SAML SP, not the filter though, and it works fine. I'd have to recreate the problem using the PL SAML SP filter.

On 3/4/2015 8:04 AM, Chen Keong Yap wrote:
> Hi bill,
>
> Yup. I have configured the app in keycloak admin console. However I encountered 2 issues.
>
> First issue is that I was able to login to the app via pl sp filter but the login session cannot be seen in keycloak admin console.
>
> Second issue is that global logout was not working and the landing page just did a self refresh.
>
> On Mar 4, 2015 8:55 PM, "Bill Burke" wrote:
>
> > You can still use the PL Filter SP.
> > Just configure the application in the admin console to use SAML.
> >
> > On 3/3/2015 11:36 PM, Chen Keong Yap wrote:
> > > Hi bill,
> > >
> > > the existing adapters cannot support jboss eap 5.0.2 and websphere 8.5 and we are not allowed to use keycloak proxy.
> > >
> > > can you suggest any other alternative similar to picketlink sp filter?
> > >
> > > On Tue, Mar 3, 2015 at 11:45 PM, Bill Burke wrote:
> > >
> > > > There is no Keycloak SP filter. We have various adapters for different platforms that hook into servlet security to make integration seamless:
> > > >
> > > > Tomcat 6, 7, 8
> > > > Jetty 8, 9
> > > > EAP 6.x
> > > > Wildfly
> > > > Node.js
> > > > Browser Javascript adapter.
> > > >
> > > > On 3/2/2015 10:22 PM, Chen Keong Yap wrote:
> > > > > Hi,
> > > > >
> > > > > Please shed some light on implementing a Keycloak sp filter which is similar to picketlink sp filter.
> > > > >
> > > > > org.picketlink.identity.federation.web.filters.SPFilter
> > > > >
> > > >
> > >
> >
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From hernan.metaute at ceiba.com.co Wed Mar 4 08:54:30 2015
From: hernan.metaute at ceiba.com.co (Hernan Dario Metaute Sarmiento)
Date: Wed, 4 Mar 2015 08:54:30 -0500
Subject: [keycloak-user] applications-by-id
In-Reply-To:
References: <2011950070.20240848.1425449691461.JavaMail.zimbra@redhat.com> <1227843031.20423988.1425474710737.JavaMail.zimbra@redhat.com>
Message-ID:

Hi, Stian
I noticed something odd when trying to begin from scratch.
I downloaded the appliance server zip
http://sourceforge.net/projects/keycloak/files/1.1.0.Final/keycloak-appliance-dist-all-1.1.0.Final.zip/download
however, inside keycloak/standalone/deployments there are no files of the keycloak server. The files I usually see in this folder are:

keycloak/standalone/deployments/auth-server.war
keycloak/standalone/deployments/auth-server.war.deployed
keycloak/standalone/deployments/keycloak-ds.xml
keycloak/standalone/deployments/keycloak-ds.xml.deployed

or at least keycloak/standalone/deployments/auth-server.war should be there according to the documentation from
http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/server-installation.html

Should I then start from the war distribution and a wildfly server from the wildfly downloads page?

2015-03-04 8:30 GMT-05:00 Hernan Dario Metaute Sarmiento < hernan.metaute at ceiba.com.co>:

> Hi, Stian. Thanks a lot again for answering.
> Well, maybe I didn't explain myself clearly:
> What I was trying to say was that my starting point was this file:
> http://sourceforge.net/projects/keycloak/files/1.1.0.Final/keycloak-appliance-dist-all-1.1.0.Final.zip/download
> I unzipped it, configured my mongo database and imported my realm from a json I had previously configured in another instance.
> At some point I started getting the error from the first email.
> That being said, it does make sense that at some point I might have replaced the deployments folder with the contents of
> http://sourceforge.net/projects/keycloak/files/1.1.0.Final/keycloak-war-dist-all-1.1.0.Final.zip/download/deployments
> so the mismatch of versions could be the issue. I will try then configuring from scratch starting from the appliance distribution and will come back and tell you how it went.
> Thanks again for your time.
>
> 2015-03-04 8:11 GMT-05:00 Stian Thorgersen :
>
> > In the first email you said you're using a "wildfly install with keycloak from the appliance distribution". That doesn't make sense as the appliance distribution comes with WildFly.
> >
> > Also now you're saying you've upgraded $WILDFLY_HOME/standalone/deployments from the war distribution.
> >
> > It sounds like your problems may be caused by a mismatch between the admin console and the rest services.
> >
> > Please try the appliance distribution and see if you get the same issue there; if not, then refer to the migration guides on how to upgrade correctly.
> >
> > ----- Original Message -----
> > > From: "Hernan Dario Metaute Sarmiento"
> > > To: "Stian Thorgersen"
> > > Cc: keycloak-user at lists.jboss.org
> > > Sent: Wednesday, March 4, 2015 1:44:55 PM
> > > Subject: Re: [keycloak-user] applications-by-id
> > >
> > > Hi, Stian. Thanks for taking the time to answer:
> > > Yes, I have in fact cleared the browser's cache. Also I have replaced the contents of $WILDFLY_HOME/standalone/deployments with a fresh install of keycloak from the war distribution. As I said before, I am starting from the appliance distribution.
> > > The stacktrace I sent you comes from the server's logs so I doubt it might be cache issues.
> > > I understand that in the default configuration (which I'm not using since I'm using a mongo database) keycloak uses an h2 database for storing configuration data (what I can see in $WILDFLY_HOME/standalone/deployments/keycloak-ds.xml). However, deleting this file didn't make much difference.
> > >
> > > 2015-03-04 1:14 GMT-05:00 Stian Thorgersen :
> > >
> > > > Have you tried to clear your browser's cache? It may be caused by cached resources from a previous release.
>> > > >> > > ----- Original Message ----- >> > > > From: "Hernan Dario Metaute Sarmiento" > > >> > > > To: keycloak-user at lists.jboss.org >> > > > Sent: Tuesday, March 3, 2015 11:36:21 PM >> > > > Subject: [keycloak-user] applications-by-id >> > > > >> > > > Hi, I've been using keycloak for some time now and I'm having this >> weird >> > > > error all of a sudden >> > > > I have a fresh wildfly install with keycloak from the appliance >> > > distribution. >> > > > I also configured a fresh database (mongodb), configured the >> connection >> > > on >> > > > keycloak-server.json and fired up the server. >> > > > I log in the first time to the admin console, change the password, >> etc. >> > > > Then I create a realm called, let's say, myApp. Everything goes >> well and >> > > then >> > > > I use that realm (change it on the drop down) and click on >> applications. >> > > > I get an error on screen saying "Not Found" and when going to the >> > > console I >> > > > get >> > > > >> > > > 17:30:23,885 INFO [stdout] (default task-33) 2015-03-03 17:30:23 >> WARN >> > > > ExceptionHandler:135 - failed to execute >> > > > 17:30:23,886 INFO [stdout] (default task-33) >> > > javax.ws.rs.NotFoundException: >> > > > Could not find resource for full path: >> > > > http://localhost:8080/auth/admin/realms/myApp/applications-by-id >> > > > 17:30:23,886 INFO [stdout] (default task-33) at >> > > > >> org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:112) >> > > > 17:30:23,887 INFO [stdout] (default task-33) at >> > > > org.jboss.resteasy.core.registry.RootNode.match(RootNode.java:43) >> > > > 17:30:23,887 INFO [stdout] (default task-33) at >> > > > >> > > >> org.jboss.resteasy.core.LocatorRegistry.getResourceInvoker(LocatorRegistry.java:79) >> > > > 17:30:23,888 INFO [stdout] (default task-33) at >> > > > >> > > >> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:131) >> > > > 17:30:23,888 INFO [stdout] (default 
> > > > >
> > > > > Can anyone give me a hint as to where to look or what to look for?
> > > > > I previously had a realm configured and started getting this error so I
> > > > > started fresh and am still getting it.
> > > > > Thanks in advance
> > > > > --
> > > > >
> > > > > Hernán Metaute
> > > > > Architect
> > > > > Ceiba Software
> > > > > (57 4) 444 5 111 Ext 110
> > > > > Cl 8 B 65 - 191 Of 409, Centro Empresarial Puertoseco – Medellín, Colombia
> > > > > Visit our site www.ceiba.co
> > > > > ________________________________________
> > > > > This message, including any attachment, is confidential and may be
> > > > > privileged. If you are not its addressee, please notify the sender, then
> > > > > destroy the communication and all copies. You must not copy, distribute
> > > > > and/or disclose this communication in part or in whole without the
> > > > > sender's authorization.
> > > > >
> > > > > _______________________________________________
> > > > > keycloak-user mailing list
> > > > > keycloak-user at lists.jboss.org
> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user

From stian at redhat.com Wed Mar 4 09:03:03 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Wed, 4 Mar 2015 09:03:03 -0500 (EST)
Subject: [keycloak-user] applications-by-id
In-Reply-To:
References: <2011950070.20240848.1425449691461.JavaMail.zimbra@redhat.com> <1227843031.20423988.1425474710737.JavaMail.zimbra@redhat.com>
Message-ID: <13585947.20466176.1425477783818.JavaMail.zimbra@redhat.com>

In 1.1.0.Final Keycloak is deployed as a WildFly subsystem, not as a WAR; that's why there's no auth-server.war anymore.

----- Original Message -----
> From: "Hernan Dario Metaute Sarmiento"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Wednesday, March 4, 2015 2:54:30 PM
> Subject: Re: [keycloak-user] applications-by-id
>
> Hi, Stian
> I noticed something odd when trying to begin from scratch.
> I downloaded the appliance server zip
> http://sourceforge.net/projects/keycloak/files/1.1.0.Final/keycloak-appliance-dist-all-1.1.0.Final.zip/download
> however, inside the keycloak/standalone/deployments there are no files of
> keycloak server. The files I usually see in this folder are:
> keycloak/standalone/deployments/auth-server.war
> keycloak/standalone/deployments/auth-server.war.deployed
> keycloak/standalone/deployments/keycloak-ds.xml
> keycloak/standalone/deployments/keycloak-ds.xml.deployed
>
> or at least keycloak/standalone/deployments/auth-server.war should be there
> according to the documentation from
> http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/server-installation.html
>
> should I then start from the war distribution and a wildfly server from the
> wildfly downloads page?
>
> 2015-03-04 8:30 GMT-05:00 Hernan Dario Metaute Sarmiento <hernan.metaute at ceiba.com.co>:
>
> > Hi, Stian. Thanks a lot again for answering
> > Well, maybe I didn't explain myself clearly:
> > What I was trying to say was that my starting point was this file:
> > http://sourceforge.net/projects/keycloak/files/1.1.0.Final/keycloak-appliance-dist-all-1.1.0.Final.zip/download
> > I unzipped, configured my mongo database and imported my realm from a json
> > I had previously configured in another instance.
> > At some point I started getting the error from the first email.
> > That being said, it does make sense that at some point I might have
> > replaced the deployments folder with the contents of
> > http://sourceforge.net/projects/keycloak/files/1.1.0.Final/keycloak-war-dist-all-1.1.0.Final.zip/download/deployments
> > so the mismatch of versions could be the issue. I will try then configuring
> > from scratch starting from the appliance distribution and will come back
> > and tell you how it went.
> > Thanks again for your time.
> >
> > 2015-03-04 8:11 GMT-05:00 Stian Thorgersen :
> >
> > > In the first email you said you're using a "wildfly install with keycloak
> > > from the appliance distribution". That doesn't make sense as the appliance
> > > distribution comes with WildFly.
> > >
> > > Also now you're saying you've upgraded
> > > $WILDFLY_HOME/standalone/deployments from the war distribution.
> > >
> > > It sounds like your problems may be caused by a mismatch between the
> > > admin console and the rest services.
> > >
> > > Please try the appliance distribution and see if you get the same issue
> > > there, if not then refer to the migration guides on how to upgrade
> > > correctly.
> > >
> > > ----- Original Message -----
> > > > From: "Hernan Dario Metaute Sarmiento"
> > > > To: "Stian Thorgersen"
> > > > Cc: keycloak-user at lists.jboss.org
> > > > Sent: Wednesday, March 4, 2015 1:44:55 PM
> > > > Subject: Re: [keycloak-user] applications-by-id
> > > >
> > > > Hi, Stian. Thanks for taking the time to answer:
> > > > Yes I have in fact cleared the browser's cache. Also I have replaced the
> > > > contents of $WILDFLY_HOME/standalone/deployments with a fresh install of
> > > > keycloak from the war distribution. As I said before, I am starting from
> > > > the appliance distribution.
> > > > The stacktrace I sent you comes from the server's logs so I doubt it might
> > > > be cache issues.
> > > > I understand that in the default configuration (which I'm not using since
> > > > I'm using a mongo database) keycloak uses a h2 database for storing
> > > > configuration data (what I can see in
> > > > $WILDFLY_HOME/standalone/deployments/keycloak-ds.xml). However, deleting
> > > > this file didn't make much difference
> > > >
> > > > 2015-03-04 1:14 GMT-05:00 Stian Thorgersen :
> > > >
> > > > > Have you tried to clear your browser's cache? It may be caused by cached
> > > > > resources from a previous release.
> > > > >
> > > > > ----- Original Message -----
> > > > > > From: "Hernan Dario Metaute Sarmiento"
> > > > > > To: keycloak-user at lists.jboss.org
> > > > > > Sent: Tuesday, March 3, 2015 11:36:21 PM
> > > > > > Subject: [keycloak-user] applications-by-id
> > > > > >
> > > > > > Hi, I've been using keycloak for some time now and I'm having this weird
> > > > > > error all of a sudden.
> > > > > > I have a fresh wildfly install with keycloak from the appliance distribution.
> > > > > > I also configured a fresh database (mongodb), configured the connection on
> > > > > > keycloak-server.json and fired up the server.
> > > > > > I log in the first time to the admin console, change the password, etc.
> > > > > > Then I create a realm called, let's say, myApp. Everything goes well and then
> > > > > > I use that realm (change it on the drop down) and click on applications.
> > > > > > I get an error on screen saying "Not Found" and when going to the console I
> > > > > > get
> > > > > >
> > > > > > 17:30:23,885 INFO [stdout] (default task-33) 2015-03-03 17:30:23 WARN ExceptionHandler:135 - failed to execute
> > > > > > 17:30:23,886 INFO [stdout] (default task-33) javax.ws.rs.NotFoundException: Could not find resource for full path: http://localhost:8080/auth/admin/realms/myApp/applications-by-id
> > > > > >
> > > > > > Can anyone give me a hint as to where to look or what to look for?
> > > > > > I previously had a realm configured and started getting this error so I
> > > > > > started fresh and am still getting it.
> > > > > > Thanks in advance

From chenkeong.yap at izeno.com Wed Mar 4 09:07:17 2015
From: chenkeong.yap at izeno.com (Chen Keong Yap)
Date: Wed, 4 Mar 2015 22:07:17 +0800
Subject: [keycloak-user] Keycloak sp filter
In-Reply-To: <54F70C21.3030701@redhat.com>
References: <54F5D70F.2030309@redhat.com> <54F700B4.7020509@redhat.com> <54F70C21.3030701@redhat.com>
Message-ID:

Hi Bill,

If I understand from you correctly, PL SAML SP and keycloak adapters are the same and referring to below items.

Tomcat 6, 7, 8
Jetty 8, 9
EAP 6.x
Wildfly
Node.js
Browser Javascript adapter.

So far I have tested PL SAML SP filter using the following libs and it got the same 2 issues that were mentioned in the previous email.

Picketlink lib : Picketlink 2.70 cr2, picketlink 2.5.3 (commercial)

keycloak lib : keycloak 1.1.0 final, keycloak 1.1.0 beta 2

On Mar 4, 2015 9:44 PM, "Bill Burke" wrote:

> Our testsuite uses PL SAML SP, not the filter though, and it works fine.
> I'd have to recreate the problem using the PL SAML SP filter.
>
> On 3/4/2015 8:04 AM, Chen Keong Yap wrote:
>
> > Hi Bill,
> >
> > Yup. I have configured the app in keycloak admin console. However I
> > encountered 2 issues.
> >
> > First issue is that I was able to login to the app via pl sp filter but
> > the login session cannot be seen in keycloak admin console.
> >
> > Second issue is that global logout was not working and the landing page
> > just did a self refresh.
> >
> > On Mar 4, 2015 8:55 PM, "Bill Burke" wrote:
> >
> > > You can still use the PL Filter SP. Just configure the application
> > > in the admin console to use SAML.
> > >
> > > On 3/3/2015 11:36 PM, Chen Keong Yap wrote:
> > >
> > > > Hi Bill,
> > > >
> > > > the existing adapters cannot support jboss eap 5.0.2 and websphere 8.5
> > > > and we are not allowed to use keycloak proxy.
> > > >
> > > > can you suggest any other alternative similar to picketlink sp filter?
> > > >
> > > > On Tue, Mar 3, 2015 at 11:45 PM, Bill Burke wrote:
> > > >
> > > > > There is no Keycloak SP filter. We have various adapters for different
> > > > > platforms that hook into servlet security to make integration seamless:
> > > > >
> > > > > Tomcat 6, 7, 8
> > > > > Jetty 8, 9
> > > > > EAP 6.x
> > > > > Wildfly
> > > > > Node.js
> > > > > Browser Javascript adapter.
> > > > >
> > > > > On 3/2/2015 10:22 PM, Chen Keong Yap wrote:
> > > > > > Hi,
> > > > > >
> > > > > > Please share some lights for implementing Keycloak sp filter which is
> > > > > > similar to picketlink sp filter.
> > > > > >
> > > > > > org.picketlink.identity.federation.web.filters.SPFilter
> > > > >
> > > > > --
> > > > > Bill Burke
> > > > > JBoss, a division of Red Hat
> > > > > http://bill.burkecentral.com

From bburke at redhat.com Wed Mar 4 10:12:51 2015
From: bburke at redhat.com (Bill Burke)
Date: Wed, 04 Mar 2015 10:12:51 -0500
Subject: [keycloak-user] Keycloak sp filter
In-Reply-To:
References: <54F5D70F.2030309@redhat.com> <54F700B4.7020509@redhat.com> <54F70C21.3030701@redhat.com>
Message-ID: <54F720F3.90204@redhat.com>

Ok, I may have diagnosed the problem. Go to the admin console. Go to the definition of your application. Look at the Admin Url. Does it have a "/" at the end of the URL? If not, add a '/' at the end of this.

i.e.

http://somhere.com/app/

If that solves the issue, let me know and I'll explain what is going on. FYI, I ran into the same problem running the SAML example in the distro and this fixed the problem.

On 3/4/2015 9:07 AM, Chen Keong Yap wrote:
> Hi Bill,
>
> If I understand from you correctly,
> PL SAML SP and keycloak adapters are the same and referring to below items.
>
> Tomcat 6, 7, 8
> Jetty 8, 9
> EAP 6.x
> Wildfly
> Node.js
> Browser Javascript adapter.
>
> So far I have tested PL SAML SP filter using the following libs and it
> got the same 2 issues that were mentioned in the previous email.
>
> Picketlink lib : Picketlink 2.70 cr2, picketlink 2.5.3 (commercial)
>
> keycloak lib : keycloak 1.1.0 final, keycloak 1.1.0 beta 2

From Peng.Chen at halliburton.com Wed Mar 4 15:44:09 2015
From: Peng.Chen at halliburton.com (Kevin Chen)
Date: Wed, 4 Mar 2015 20:44:09 +0000
Subject: [keycloak-user] [EXTERNAL] Re: does keycloak work with sharepoint 2010/2013
In-Reply-To: <54D93731.6060307@redhat.com>
References: <54D93731.6060307@redhat.com>
Message-ID:

Bill:

Can you give us a guideline on how to implement it? The way to hook up with the Keycloak.

Thanks
Kevin

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke
Sent: Monday, February 09, 2015 4:40 PM
To: keycloak-user at lists.jboss.org
Subject: [EXTERNAL] Re: [keycloak-user] does keycloak work with sharepoint 2010/2013

No, we don't. But, I was told that Sharepoint can be secured via SAML? If so, it might be possible to integrate Sharepoint with Keycloak. Sharepoint is on the roadmap, but we're months away from having the time to do it. Now, if we could get somebody in the community to at least research what is needed....
;) On 2/9/2015 5:37 PM, Kevin Chen wrote: > Hi: > > Does Keycloak support integration with Sharepoint? We want to > configure the Sharepoint to use Keycloak as Identity Manager. > > Thanks > > Kevin > > ---------------------------------------------------------------------- > -- This e-mail, including any attached files, may contain confidential > and privileged information for the sole use of the intended recipient. > Any review, use, distribution, or disclosure by others is strictly > prohibited. If you are not the intended recipient (or authorized to > receive information for the intended recipient), please contact the > sender by reply e-mail and delete all copies of this message. > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From chenkeong.yap at izeno.com Wed Mar 4 20:29:52 2015 From: chenkeong.yap at izeno.com (Chen Keong Yap) Date: Thu, 5 Mar 2015 09:29:52 +0800 Subject: [keycloak-user] Keycloak sp filter In-Reply-To: <54F720F3.90204@redhat.com> References: <54F5D70F.2030309@redhat.com> <54F700B4.7020509@redhat.com> <54F70C21.3030701@redhat.com> <54F720F3.90204@redhat.com> Message-ID: hi bill, Thanks for the solution given and it has resolved the first issue ( login to the app via pl sp filter but the login session cannot be seen in keycloak admin console) However now there are few more issues with single sign out. a) When i click on the global logout link ( http://localhost:8080/employee/?GLO=true), the page just did a self refresh and it's not redirected to keycloak login page. I can see the keycloak session was gone from the keycloak admin console but the sample employee session still there. 
b) When i click on the local logout link ( http://localhost:8080/employee/?LLO=true), the page just did a self refresh and it's not redirected to keycloak login page. I can see the keycloak session still in the keycloak admin console but the sample employee session still there. c) When i click on the logout link ( http://localhost:8080/employee/logout.jsp), the page just did a self refresh and it's not redirected to keycloak login page. I noticed the keycloak session still in the keycloak admin console but the sample employee session still there. Just wondering do i need to implement session.invalidate() in the logout,jsp but how to invalidate the keycloak session? On Wed, Mar 4, 2015 at 11:12 PM, Bill Burke wrote: > Ok, I may have diagnosed the problem. Go to the admin console. Go to the > definition of your application. Look at the Admin Url. Does it have a "/" > at the end of the URL? If not, add a '/' at the end of this. > > i.e. > > http://somhere.com/app/ > > If that solves the issue, let me know and I'll explain what is going on. > FYI, I ran into the same problem running the SAML example in the distro and > this fixed the problem. > > > > > On 3/4/2015 9:07 AM, Chen Keong Yap wrote: > >> Hi bill, >> >> If i understand from you correctly, >> PL SAML SP and keycloak adapters are the same and referring to below >> items. >> >> Tomcat 6, 7, 8 >> Jetty 8, 9 >> EAP 6.x >> Wildfly >> Node.js >> Browser Javascript adapter. >> >> So far i have tested PL SAML SP filter using the following libs and it >> got the same 2 issues that was mentioned in the previous email. >> >> Picketlink lib : Picketlink 2.70 cr2, picketlink 2.5.3 (commercial) >> >> keycloak lib : keycloak 1.1.0 final, keycloak 1.1.0 beta 2 >> >> On Mar 4, 2015 9:44 PM, "Bill Burke" > > wrote: >> >> Our testsuite uses PL SAML SP, not the filter though, and it works >> fine. I'd have to recreate the problem using the PL SAML SP filter. 
>> >> On 3/4/2015 8:04 AM, Chen Keong Yap wrote: >> >> Hi bill, >> >> Yup. I have configured the app in keycloak admin console. However >> i >> encountered 2 issues. >> >> First issue is that i was able to login to the app via pl sp >> filter but >> the login session cannot be seen in keycloak admin console >> >> Second issue is that global logout was not working and the >> landing page >> just did a self refresh. >> >> On Mar 4, 2015 8:55 PM, "Bill Burke" > >> >> wrote: >> >> You can still use the PL Filter SP. Just configure the >> application >> in the admin console to use SAML. >> >> On 3/3/2015 11:36 PM, Chen Keong Yap wrote: >> >> Hi bill, >> >> the existing adapters cannot support jboss eap 5.0.2 and >> websphere 8.5 >> and we are not allowed to use keycloak proxy. >> >> can you suggest any other alternative similar to >> picketlink sp >> filter? >> >> On Tue, Mar 3, 2015 at 11:45 PM, Bill Burke >> >> > >> >> >>> wrote: >> >> There is no Keycloak SP filter. We have various >> adapters >> for different >> platforms that hook into servlet security to make >> integration seamless: >> >> Tomcat 6, 7, 8 >> Jetty 8, 9 >> EAP 6.x >> Wildfly >> Node.js >> Browser Javascript adapter. >> >> On 3/2/2015 10:22 PM, Chen Keong Yap wrote: >> > Hi, >> > >> > Please share some lights for implementing >> Keycloak sp >> filter which is >> > similar to picketlink sp filter. 
>> org.picketlink.identity.federation.web.filters.SPFilter
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From stian at redhat.com Thu Mar 5 01:07:14 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 5 Mar 2015 01:07:14 -0500 (EST)
Subject: [keycloak-user] Extra Registration Information
In-Reply-To: <337CB56A25624D4185E961FFB48AA00F04C57CD80145@SWANS20.fitzroy01.local>
References: <337CB56A25624D4185E961FFB48AA00F04C57CD80145@SWANS20.fitzroy01.local>
Message-ID: <1237173877.21051261.1425535634660.JavaMail.zimbra@redhat.com>

Hi,

This is a feature we'd like to add and we're working on something related at the moment, but afraid it's not possible right now.

----- Original Message -----
> From: "Graeme Collis"
> To: "keycloak-user at lists.jboss.org"
> Sent: Tuesday, March 3, 2015 6:00:26 AM
> Subject: [keycloak-user] Extra Registration Information
>
> I want to add 1 required field of user information to the Keycloak
> registration.
>
> From what I've read this is not currently possible.
>
> Does this mean I basically have to
>
> 1. duplicate the Keycloak Registration application in another application
> 2. use the admin api's to update Keycloak
> 3. Using the Keycloak user id store it with the extra data information.
> 4. Have this available to all the different apps that need it.
>
> Regards, Graeme
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From bdawidow at redhat.com Thu Mar 5 05:58:31 2015
From: bdawidow at redhat.com (Boleslaw Dawidowicz)
Date: Thu, 05 Mar 2015 11:58:31 +0100
Subject: [keycloak-user] [EXTERNAL] Re: does keycloak work with sharepoint 2010/2013
In-Reply-To:
References: <54D93731.6060307@redhat.com>
Message-ID: <54F836D7.30502@redhat.com>

SharePoint should be possible to integrate via SAML if you use Active Directory Federation Services.

https://technet.microsoft.com/en-us/library/hh305235(v=office.15).aspx

Without ADFS we'll need to have WS-Trust/STS for direct integration. Something we have on a radar for Keycloak but it is not clear when someone will have time to work on it atm.

On 2015-03-04 at 21:44, Kevin Chen wrote:
> Bill:
>
> Can you give us guideline on how to implement it? The way to hook up with the Keycloak.
>
> Thanks
> Kevin
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke
> Sent: Monday, February 09, 2015 4:40 PM
> To: keycloak-user at lists.jboss.org
> Subject: [EXTERNAL] Re: [keycloak-user] does keycloak work with sharepoint 2010/2013
>
> No, we don't. But, I was told that Sharepoint can be secured via SAML?
> If so, it might be possible to integrate Sharepoint with Keycloak.
> Sharepoint is on the roadmap, but we're months away from having the time to do it.
> Now, if we could get somebody in the community to at least research what is needed.... ;)
>
> On 2/9/2015 5:37 PM, Kevin Chen wrote:
>> Hi:
>>
>> Does Keycloak support integration with Sharepoint? We want to
>> configure the Sharepoint to use Keycloak as Identity Manager.
>>
>> Thanks
>>
>> Kevin
>>
>> ----------------------------------------------------------------------
>> -- This e-mail, including any attached files, may contain confidential
>> and privileged information for the sole use of the intended recipient.
>> Any review, use, distribution, or disclosure by others is strictly
>> prohibited. If you are not the intended recipient (or authorized to
>> receive information for the intended recipient), please contact the
>> sender by reply e-mail and delete all copies of this message.
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bolesław Dawidowicz
Supervisor, Software Engineering | Red Hat Middleware Security

From Peng.Chen at halliburton.com Thu Mar 5 09:36:29 2015
From: Peng.Chen at halliburton.com (Kevin Chen)
Date: Thu, 5 Mar 2015 14:36:29 +0000
Subject: [keycloak-user] [EXTERNAL] Re: does keycloak work with sharepoint 2010/2013
In-Reply-To: <54F836D7.30502@redhat.com>
References: <54D93731.6060307@redhat.com> <54F836D7.30502@redhat.com>
Message-ID:

Boleslaw:

We did the integration with ADFS directly already.
Right now we are evaluating using keycloak as our authentication server, I am not clear how to configure Sharepoint with Keycloak. The approach you are talking about sound like using ADFS as the entry point, and using Keycloak as ADFS' IPD? If you can give us a jump start on how to integrate Keycloak with WS-Trust, we can help to contribute on this. Thanks Kevin -----Original Message----- From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Boleslaw Dawidowicz Sent: Thursday, March 05, 2015 4:59 AM To: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] [EXTERNAL] Re: does keycloak work with sharepoint 2010/2013 SharePoint should be possible to integrate via SAML if you use Active Directory Federation Services. https://technet.microsoft.com/en-us/library/hh305235(v=office.15).aspx Without ADFS we'll need to have WS-Trust/STS for direct integration. Something we have on a radar for Keycloak but it is not clear when someone will have time to work on it atm. W dniu 2015-03-04 o 21:44, Kevin Chen pisze: > Bill: > > Can you give us guideline on how to implement it? The way to hook up with the Keycloak. > > Thanks > Kevin > > -----Original Message----- > From: keycloak-user-bounces at lists.jboss.org > [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke > Sent: Monday, February 09, 2015 4:40 PM > To: keycloak-user at lists.jboss.org > Subject: [EXTERNAL] Re: [keycloak-user] does keycloak work with > sharepoint 2010/2013 > > No, we don't. But, I was told that Sharepoint can be secured via SAML? > If so, it might be possible to integrate Sharepoint with Keycloak. > Sharepoint is on the roadmap, but were months away from having the > time to do it. Now, if we could get somebody in the community to at > least research what is needed.... ;) > > On 2/9/2015 5:37 PM, Kevin Chen wrote: >> Hi: >> >> Does Keycloak support integration with Sharepoint? 
>> We want to
>> configure the Sharepoint to use Keycloak as Identity Manager.
>>
>> Thanks
>>
>> Kevin
>>
>> ----------------------------------------------------------------------
>> -- This e-mail, including any attached files, may contain
>> confidential and privileged information for the sole use of the intended recipient.
>> Any review, use, distribution, or disclosure by others is strictly
>> prohibited. If you are not the intended recipient (or authorized to
>> receive information for the intended recipient), please contact the
>> sender by reply e-mail and delete all copies of this message.
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bolesław Dawidowicz
Supervisor, Software Engineering | Red Hat Middleware Security

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From stian at redhat.com Fri Mar 6 00:48:13 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 6 Mar 2015 00:48:13 -0500 (EST)
Subject: [keycloak-user] Client options for authenticating against Keycloak-secured services
In-Reply-To:
References:
Message-ID: <555753253.22082313.1425620893914.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Guy Davis"
> To: keycloak-user at lists.jboss.org
> Sent: Monday, 2 March, 2015 11:38:43 PM
> Subject: [keycloak-user] Client options for authenticating against
Keycloak-secured services > > Good day, > > I'm hoping to summarize the methods for a client Java program to authenticate > against a Keycloak-secured service endpoint. Please correct any > misunderstandings I have in the summary below: > > > 1. Client program can issue a KC REST API call to get a token and then > use it as "Authorization" header of type "Bearer" as per example > 2. Client program (such as Apache HttpClient lib) can use Basic > Authorization if KC secured-deployment has been configured to allow. > 3. Client program can negotiate a SAML v2.0 SP-initiated SSO session > directly against KC if the service is so configured. > 4. Client program can negotiate a OpenID Connect SSO session directly > against KC if the service is so configured. > > I have working Java examples now for #1 and #2, but was wondering if there > were any Java examples of #3 and #4. Is my understanding of the > authentication options for clients correct? 1 is a good option and it's just oauth resource owner password credentials. If possible embedding a webview (or using external browser to login) and using the standard login flow is a good option as well. I'm not sure what you mean about 3 and 4. Both SAML and OpenID Connect are web based flows. > > By the way, I am greatly impressed by the progress being made on the master > branch around Kerberos/SPNEGO and Identity Brokering. Kudos to the team. 
> > Thanks in advance, > Guy > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From bdawidow at redhat.com Fri Mar 6 03:49:11 2015 From: bdawidow at redhat.com (Boleslaw Dawidowicz) Date: Fri, 06 Mar 2015 09:49:11 +0100 Subject: [keycloak-user] [EXTERNAL] Re: does keycloak work with sharepoint 2010/2013 In-Reply-To: References: <54D93731.6060307@redhat.com> <54F836D7.30502@redhat.com> Message-ID: <54F96A07.60601@redhat.com> W dniu 2015-03-05 o 15:36, Kevin Chen pisze: > Boleslaw: > > We did the integration with ADFS directly already. Right now we are > evaluating using keycloak as our authentication server, I am not > clear how to configure Sharepoint with Keycloak. The approach you > are talking about sound like using ADFS as the entry point, and using > Keycloak as ADFS' IPD? Yes. If I understand correctly this is the way to do it with SAML. > > > If you can give us a jump start on how to integrate Keycloak with > WS-Trust, we can help to contribute on this. Not much to share upfront unfortunately. Someone needs to dive in and investigate this and what exactly is missing. Pedro maybe able to help with WS-Trust part as he did some related work in PicketLink - although he is away atm. > > Thanks Kevin -----Original Message----- From: > keycloak-user-bounces at lists.jboss.org > [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Boleslaw > Dawidowicz Sent: Thursday, March 05, 2015 4:59 AM To: > keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] [EXTERNAL] > Re: does keycloak work with sharepoint 2010/2013 > > SharePoint should be possible to integrate via SAML if you use Active > Directory Federation Services. > > https://technet.microsoft.com/en-us/library/hh305235(v=office.15).aspx > > Without ADFS we'll need to have WS-Trust/STS for direct > integration. 
Something we have on a radar for Keycloak but it is not > clear when someone will have time to work on it atm. > > W dniu 2015-03-04 o 21:44, Kevin Chen pisze: >> Bill: >> >> Can you give us guideline on how to implement it? The way to hook >> up with the Keycloak. >> >> Thanks Kevin >> >> -----Original Message----- From: >> keycloak-user-bounces at lists.jboss.org >> [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill >> Burke Sent: Monday, February 09, 2015 4:40 PM To: >> keycloak-user at lists.jboss.org Subject: [EXTERNAL] Re: >> [keycloak-user] does keycloak work with sharepoint 2010/2013 >> >> No, we don't. But, I was told that Sharepoint can be secured via >> SAML? If so, it might be possible to integrate Sharepoint with >> Keycloak. Sharepoint is on the roadmap, but were months away from >> having the time to do it. Now, if we could get somebody in the >> community to at least research what is needed.... ;) >> >> On 2/9/2015 5:37 PM, Kevin Chen wrote: >>> Hi: >>> >>> Does Keycloak support integration with Sharepoint? We want to >>> configure the Sharepoint to use Keycloak as Identity Manager. >>> >>> Thanks >>> >>> Kevin >>> >>> --------------------------------------------------------------------- >>> >>> - >>> -- This e-mail, including any attached files, may contain >>> confidential and privileged information for the sole use of the >>> intended recipient. Any review, use, distribution, or disclosure >>> by others is strictly prohibited. If you are not the intended >>> recipient (or authorized to receive information for the intended >>> recipient), please contact the sender by reply e-mail and delete >>> all copies of this message. 
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bolesław Dawidowicz
> Supervisor, Software Engineering | Red Hat Middleware Security
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From gbrown at redhat.com Fri Mar 6 05:59:57 2015
From: gbrown at redhat.com (Gary Brown)
Date: Fri, 6 Mar 2015 05:59:57 -0500 (EST)
Subject: [keycloak-user] When 1.2.0.Beta1 will be released?
Message-ID: <1531728521.22507769.1425639597274.JavaMail.zimbra@redhat.com>

Hi

Do you have an estimate for when 1.2.0.Beta1 will be released?

Thanks in advance.

Regards
Gary

From stian at redhat.com Fri Mar 6 06:04:19 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 6 Mar 2015 06:04:19 -0500 (EST)
Subject: [keycloak-user] When 1.2.0.Beta1 will be released?
In-Reply-To: <1531728521.22507769.1425639597274.JavaMail.zimbra@redhat.com>
References: <1531728521.22507769.1425639597274.JavaMail.zimbra@redhat.com>
Message-ID: <210642798.22250837.1425639859547.JavaMail.zimbra@redhat.com>

Probably end of March or early April

----- Original Message -----
> From: "Gary Brown"
> To: keycloak-user at lists.jboss.org
> Sent: Friday, 6 March, 2015 11:59:57 AM
> Subject: [keycloak-user] When 1.2.0.Beta1 will be released?
>
> Hi
>
> Do you have an estimate for when 1.2.0.Beta1 will be released?
>
> Thanks in advance.
> > Regards > Gary > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From chenkeong.yap at izeno.com Fri Mar 6 06:23:30 2015 From: chenkeong.yap at izeno.com (Chen Keong Yap) Date: Fri, 6 Mar 2015 19:23:30 +0800 Subject: [keycloak-user] When 1.2.0.Beta1 will be released? In-Reply-To: <210642798.22250837.1425639859547.JavaMail.zimbra@redhat.com> References: <1531728521.22507769.1425639597274.JavaMail.zimbra@redhat.com> <210642798.22250837.1425639859547.JavaMail.zimbra@redhat.com> Message-ID: Hi, Is there any plan to put keycloak in the jboss eap roadmap? On Mar 6, 2015 7:04 PM, "Stian Thorgersen" wrote: > Probably end of March or early April > > ----- Original Message ----- > > From: "Gary Brown" > > To: keycloak-user at lists.jboss.org > > Sent: Friday, 6 March, 2015 11:59:57 AM > > Subject: [keycloak-user] When 1.2.0.Beta1 will be released? > > > > Hi > > > > Do you have an estimate for when 1.2.0.Beta1 will be released? > > > > Thanks in advance. > > > > Regards > > Gary > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150306/6518986e/attachment-0001.html From Randall_Theobald at dell.com Fri Mar 6 08:41:00 2015 From: Randall_Theobald at dell.com (Randall_Theobald at dell.com) Date: Fri, 6 Mar 2015 07:41:00 -0600 Subject: [keycloak-user] WS-Federation capability for SSO Message-ID: <9A20E07E433AEB4D8D4025EEBE12E414069EC57209@AUSX7MCPC107.AMER.DELL.COM> Any response to my note below? 
Just looking if it is on the roadmap. Thanks. Randall Theobald Common Engineering - Performance Dell Software Group | Office of the CTO randall_theobald at dell.com | RR1-C336 From: Theobald, Randall Sent: Monday, March 02, 2015 2:54 PM To: 'keycloak-user at lists.jboss.org' Subject: WS-Federation capability for SSO Hi, We're looking to use Keycloak capabilities to enable SSO between some systems. Does Keycloak have a timeline to support the following? * WS-Federation (passive) protocol * WS-Federation wrapped JSON Web Tokens (JWT) * WS-Trust + JWT Thanks, Randall Theobald Common Engineering - Performance Dell Software Group | Office of the CTO randall_theobald at dell.com | RR1-C336 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150306/6c5ea721/attachment.html From ha.hamed at gmail.com Sat Mar 7 04:29:01 2015 From: ha.hamed at gmail.com (ha.hamed at gmail.com) Date: Sat, 7 Mar 2015 17:29:01 +0800 Subject: [keycloak-user] Generate user setting page Message-ID: Hi, I know the user setting page is: https://DOMAIN:PORT/auth/realms/REALM/account/?referrer=APPLICATION Is there anyway to generate this URL on a servlet without hard-coding server DOMAIN and the other parameters (Getting these parameters from keycloak.json or from application server by any provided API)? Regards, Hamed -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150307/953f576c/attachment.html From peterson.dean at gmail.com Sun Mar 8 12:31:17 2015 From: peterson.dean at gmail.com (Dean Peterson) Date: Sun, 8 Mar 2015 11:31:17 -0500 Subject: [keycloak-user] Discourse SSO with Keycloak Message-ID: Is there a best practice when it comes to adding hooks to Keycloak for integrating with software that let's you replace their security with Keycloak security? 
For example, Discourse provides this guide: https://meta.discourse.org/t/official-single-sign-on-for-discourse/13045. It assumes the user is using their own home grown security where they can easily intercept redirects. Is there a mechanism in Keycloak that allows end users to more easily implement the solution they describe in that guide? I realize you don't have time to give me a solution. Can you just nudge me in the right direction? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150308/b65ab770/attachment.html From bburke at redhat.com Sun Mar 8 12:39:26 2015 From: bburke at redhat.com (Bill Burke) Date: Sun, 08 Mar 2015 12:39:26 -0400 Subject: [keycloak-user] Discourse SSO with Keycloak In-Reply-To: References: Message-ID: <54FC7B3E.1040604@redhat.com> Looks like they require their own proprietary protocol? We have a protocol abstraction that we used to implement OIDC and SAML, I guess you could do the same for Discourse. On 3/8/2015 12:31 PM, Dean Peterson wrote: > Is there a best practice when it comes to adding hooks to Keycloak for > integrating with software that let's you replace their security with > Keycloak security? For example, Discourse provides this guide: > https://meta.discourse.org/t/official-single-sign-on-for-discourse/13045. > It assumes the user is using their own home grown security where they > can easily intercept redirects. Is there a mechanism in Keycloak that > allows end users to more easily implement the solution they describe in > that guide? I realize you don't have time to give me a solution. Can > you just nudge me in the right direction? 
> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From peterson.dean at gmail.com Sun Mar 8 14:19:35 2015 From: peterson.dean at gmail.com (Dean Peterson) Date: Sun, 8 Mar 2015 13:19:35 -0500 Subject: [keycloak-user] Discourse SSO with Keycloak In-Reply-To: References: Message-ID: I do not want to replace what I currently have though. I use Keycloak.js to include security in my own AngularJS client side applications and those communicate with REST services in a separate Wildfly server secured with Keycloak using the wildfly adapter. I want to add Discourse as a third party messaging application and want to integrate it with my existing security. I just wanted to be sure there wasn't something, feature wise, in Keycloak I might be able to leverage. I will probably just make a REST endpoint in my Wildfly server that gets the already logged in user information and create the necessary sso response Discourse is looking for. It will be more complicated if users are not currently logged into my application and they try to go directly to the Discourse portion of the site. I will have to redirect the user somehow to the keycloak login page, then when that flow ends remember where they were in the Discourse flow of things. I just hate having to maintain security code though and that is why I went with Keycloak in the first place. I wonder how Auth0 did it: https://meta.discourse.org/t/auth0-single-sign-on-for-enterprise-and-support-for-20-social-providers/12713 On Sun, Mar 8, 2015 at 11:31 AM, Dean Peterson wrote: > Is there a best practice when it comes to adding hooks to Keycloak for > integrating with software that let's you replace their security with > Keycloak security? 
For example, Discourse provides this guide: > https://meta.discourse.org/t/official-single-sign-on-for-discourse/13045. > It assumes the user is using their own home grown security where they can > easily intercept redirects. Is there a mechanism in Keycloak that allows > end users to more easily implement the solution they describe in that > guide? I realize you don't have time to give me a solution. Can you just > nudge me in the right direction? > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150308/fac770ac/attachment.html From bburke at redhat.com Sun Mar 8 14:31:48 2015 From: bburke at redhat.com (Bill Burke) Date: Sun, 08 Mar 2015 14:31:48 -0400 Subject: [keycloak-user] Discourse SSO with Keycloak In-Reply-To: References: Message-ID: <54FC9594.80909@redhat.com> Keycloak supports SAML and OpenID Connect concurrently. It could do the same for Discourse's protocol. I didn't see how they handled rest invocations though. On 3/8/2015 2:19 PM, Dean Peterson wrote: > I do not want to replace what I currently have though. I use > Keycloak.js to include security in my own AngularJS client side > applications and those communicate with REST services in a separate > Wildfly server secured with Keycloak using the wildfly adapter. I want > to add Discourse as a third party messaging application and want to > integrate it with my existing security. I just wanted to be sure there > wasn't something, feature wise, in Keycloak I might be able to > leverage. I will probably just make a REST endpoint in my Wildfly > server that gets the already logged in user information and create the > necessary sso response Discourse is looking for. It will be more > complicated if users are not currently logged into my application and > they try to go directly to the Discourse portion of the site. 
I will > have to redirect the user somehow to the keycloak login page, then when > that flow ends remember where they were in the Discourse flow of > things. I just hate having to maintain security code though and that is > why I went with Keycloak in the first place. I wonder how Auth0 did it: > https://meta.discourse.org/t/auth0-single-sign-on-for-enterprise-and-support-for-20-social-providers/12713 > > On Sun, Mar 8, 2015 at 11:31 AM, Dean Peterson > wrote: > > Is there a best practice when it comes to adding hooks to Keycloak > for integrating with software that let's you replace their security > with Keycloak security? For example, Discourse provides this guide: > https://meta.discourse.org/t/official-single-sign-on-for-discourse/13045. > It assumes the user is using their own home grown security where > they can easily intercept redirects. Is there a mechanism in > Keycloak that allows end users to more easily implement the solution > they describe in that guide? I realize you don't have time to give > me a solution. Can you just nudge me in the right direction? > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From peterson.dean at gmail.com Sun Mar 8 14:37:10 2015 From: peterson.dean at gmail.com (Dean Peterson) Date: Sun, 8 Mar 2015 13:37:10 -0500 Subject: [keycloak-user] Discourse SSO with Keycloak In-Reply-To: References: Message-ID: Ok thank you! I should have enough to go on now. On Sun, Mar 8, 2015 at 1:19 PM, Dean Peterson wrote: > I do not want to replace what I currently have though. I use Keycloak.js > to include security in my own AngularJS client side applications and those > communicate with REST services in a separate Wildfly server secured with > Keycloak using the wildfly adapter. 
> I want to add Discourse as a third party messaging application and want
> to integrate it with my existing security. I just wanted to be sure there
> wasn't something, feature wise, in Keycloak I might be able to leverage.
> I will probably just make a REST endpoint in my Wildfly server that gets
> the already logged in user information and create the necessary sso
> response Discourse is looking for. It will be more complicated if users
> are not currently logged into my application and they try to go directly
> to the Discourse portion of the site. I will have to redirect the user
> somehow to the keycloak login page, then when that flow ends remember
> where they were in the Discourse flow of things. I just hate having to
> maintain security code though and that is why I went with Keycloak in the
> first place. I wonder how Auth0 did it:
> https://meta.discourse.org/t/auth0-single-sign-on-for-enterprise-and-support-for-20-social-providers/12713
>
> On Sun, Mar 8, 2015 at 11:31 AM, Dean Peterson wrote:
>
>> Is there a best practice when it comes to adding hooks to Keycloak for
>> integrating with software that lets you replace their security with
>> Keycloak security?
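Added example, not code from this thread or from the Keycloak project: a hypothetical Wildfly servlet of the kind Dean describes, which verifies the signed request Discourse sends and answers with a signed payload built from the Keycloak access token. It assumes the Discourse SSO protocol from the guide linked above (a base64-encoded query-string payload in "sso" plus a hex HMAC-SHA256 signature in "sig"), that the Keycloak adapter protects this servlet's URL, and the placeholder names DiscourseSsoServlet, SSO_SECRET and DISCOURSE_URL.

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

// Hypothetical bridge endpoint (not Keycloak project code). Discourse sends the browser
// here with ?sso=<base64 payload>&sig=<hex HMAC-SHA256>; the Keycloak adapter has already
// logged the user in, so we verify the signature, echo the nonce and sign our own payload.
public class DiscourseSsoServlet extends HttpServlet {
    // Placeholders: the sso_secret configured in Discourse and Discourse's own base URL.
    private static final String SSO_SECRET = System.getProperty("discourse.sso.secret", "CHANGE-ME");
    private static final String DISCOURSE_URL = System.getProperty("discourse.url", "https://discourse.example");

    // Lower-case hex HMAC-SHA256, the form Discourse expects in "sig".
    static String hmacHex(String secret, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        StringBuilder sb = new StringBuilder();
        for (byte b : mac.doFinal(data.getBytes(StandardCharsets.UTF_8))) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Constant-time comparison so a forged "sig" cannot be guessed byte by byte.
    static boolean signatureValid(String secret, String sso, String sig) throws Exception {
        byte[] expected = hmacHex(secret, sso).getBytes(StandardCharsets.UTF_8);
        byte[] given = sig.toLowerCase().getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, given);
    }

    // The payload is a base64-encoded query string; the MIME decoder tolerates Ruby's line breaks.
    static Map<String, String> decodePayload(String sso) throws Exception {
        String query = new String(Base64.getMimeDecoder().decode(sso), StandardCharsets.UTF_8);
        Map<String, String> fields = new LinkedHashMap<>();
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            if (eq < 0) continue;
            fields.put(URLDecoder.decode(pair.substring(0, eq), "UTF-8"), URLDecoder.decode(pair.substring(eq + 1), "UTF-8"));
        }
        return fields;
    }

    static String encodePayload(Map<String, String> fields) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : fields.entrySet()) {
            if (sb.length() > 0) sb.append('&');
            sb.append(URLEncoder.encode(e.getKey(), "UTF-8")).append('=').append(URLEncoder.encode(e.getValue(), "UTF-8"));
        }
        return Base64.getEncoder().encodeToString(sb.toString().getBytes(StandardCharsets.UTF_8));
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        try {
            String sso = req.getParameter("sso");
            String sig = req.getParameter("sig");
            if (sso == null || sig == null || !signatureValid(SSO_SECRET, sso, sig)) {
                resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid sso signature");
                return;
            }
            Map<String, String> in = decodePayload(sso);
            String nonce = in.get("nonce");
            String returnUrl = in.get("return_sso_url");
            // The signature already covers return_sso_url; pinning it to Discourse is defence in depth.
            if (nonce == null || returnUrl == null || !returnUrl.startsWith(DISCOURSE_URL)) {
                resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid sso payload");
                return;
            }
            // Populated by the adapter; this URL must sit under a security-constraint so ctx is never null.
            KeycloakSecurityContext ctx = (KeycloakSecurityContext)
                    req.getAttribute(KeycloakSecurityContext.class.getName());
            AccessToken token = ctx.getToken();

            Map<String, String> out = new LinkedHashMap<>();
            out.put("nonce", nonce);                          // must be echoed back unchanged
            out.put("external_id", token.getSubject());       // stable Keycloak user id
            out.put("email", token.getEmail());
            out.put("username", token.getPreferredUsername());
            out.put("name", token.getName());
            String payload = encodePayload(out);
            resp.sendRedirect(returnUrl + "?sso=" + URLEncoder.encode(payload, "UTF-8")
                              + "&sig=" + hmacHex(SSO_SECRET, payload));
        } catch (Exception e) {
            throw new IOException(e);
        }
    }
}
```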
From chenkeong.yap at izeno.com Sun Mar 8 21:53:22 2015
From: chenkeong.yap at izeno.com (Chen Keong Yap)
Date: Mon, 9 Mar 2015 09:53:22 +0800
Subject: [keycloak-user] Keycloak sp filter
In-Reply-To:
References: <54F5D70F.2030309@redhat.com> <54F700B4.7020509@redhat.com> <54F70C21.3030701@redhat.com> <54F720F3.90204@redhat.com>
Message-ID:

hi bill,

can you advise regarding the global sign out issue?

On Thu, Mar 5, 2015 at 9:29 AM, Chen Keong Yap wrote:

> hi bill,
>
> Thanks for the solution given and it has resolved the first issue (login
> to the app via pl sp filter but the login session cannot be seen in
> keycloak admin console)
>
> However now there are few more issues with single sign out.
>
> a) When I click on the global logout link
> (http://localhost:8080/employee/?GLO=true), the page just did a self
> refresh and it's not redirected to keycloak login page. I can see the
> keycloak session was gone from the keycloak admin console but the sample
> employee session still there.
>
> b) When I click on the local logout link
> (http://localhost:8080/employee/?LLO=true), the page just did a self
> refresh and it's not redirected to keycloak login page. I can see the
> keycloak session still in the keycloak admin console but the sample
> employee session still there.
>
> c) When I click on the logout link
> (http://localhost:8080/employee/logout.jsp), the page just did a self
> refresh and it's not redirected to keycloak login page. I noticed the
> keycloak session still in the keycloak admin console but the sample
> employee session still there. Just wondering do I need to implement
> session.invalidate() in the logout.jsp but how to invalidate the keycloak
> session?
>
>
> On Wed, Mar 4, 2015 at 11:12 PM, Bill Burke wrote:
>
>> Ok, I may have diagnosed the problem. Go to the admin console. Go to
>> the definition of your application. Look at the Admin Url.
>> Does it have a "/" at the end of the URL? If not, add a '/' at the end
>> of this.
>>
>> i.e.
>>
>> http://somhere.com/app/
>>
>> If that solves the issue, let me know and I'll explain what is going on.
>> FYI, I ran into the same problem running the SAML example in the distro
>> and this fixed the problem.
>>
>> On 3/4/2015 9:07 AM, Chen Keong Yap wrote:
>>
>>> Hi bill,
>>>
>>> If I understand from you correctly, PL SAML SP and keycloak adapters
>>> are the same and referring to below items.
>>>
>>> Tomcat 6, 7, 8
>>> Jetty 8, 9
>>> EAP 6.x
>>> Wildfly
>>> Node.js
>>> Browser Javascript adapter.
>>>
>>> So far I have tested PL SAML SP filter using the following libs and it
>>> got the same 2 issues that was mentioned in the previous email.
>>>
>>> Picketlink lib : Picketlink 2.70 cr2, picketlink 2.5.3 (commercial)
>>>
>>> keycloak lib : keycloak 1.1.0 final, keycloak 1.1.0 beta 2
>>>
>>> On Mar 4, 2015 9:44 PM, "Bill Burke" wrote:
>>>
>>> Our testsuite uses PL SAML SP, not the filter though, and it works
>>> fine. I'd have to recreate the problem using the PL SAML SP filter.
>>>
>>> On 3/4/2015 8:04 AM, Chen Keong Yap wrote:
>>>
>>> Hi bill,
>>>
>>> Yup. I have configured the app in keycloak admin console. However I
>>> encountered 2 issues.
>>>
>>> First issue is that I was able to login to the app via pl sp filter but
>>> the login session cannot be seen in keycloak admin console
>>>
>>> Second issue is that global logout was not working and the landing page
>>> just did a self refresh.
>>>
>>> On Mar 4, 2015 8:55 PM, "Bill Burke" wrote:
>>>
>>> You can still use the PL Filter SP. Just configure the application in
>>> the admin console to use SAML.
>>>
>>> On 3/3/2015 11:36 PM, Chen Keong Yap wrote:
>>>
>>> Hi bill,
>>>
>>> the existing adapters cannot support jboss eap 5.0.2 and websphere 8.5
>>> and we are not allowed to use keycloak proxy.
>>>
>>> can you suggest any other alternative similar to picketlink sp filter?
>>>
>>> On Tue, Mar 3, 2015 at 11:45 PM, Bill Burke wrote:
>>>
>>> There is no Keycloak SP filter. We have various adapters for different
>>> platforms that hook into servlet security to make integration seamless:
>>>
>>> Tomcat 6, 7, 8
>>> Jetty 8, 9
>>> EAP 6.x
>>> Wildfly
>>> Node.js
>>> Browser Javascript adapter.
>>>
>>> On 3/2/2015 10:22 PM, Chen Keong Yap wrote:
>>> > Hi,
>>> >
>>> > Please share some lights for implementing Keycloak sp filter which is
>>> > similar to picketlink sp filter.
>>> >
>>> > org.picketlink.identity.federation.web.filters.SPFilter
>>>
>>> -- 
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>
>> -- 
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com

-- 
Best Regards,

CK Yap
Technology Consultant

Tel: +65 6100 2788
Fax: +65 6233 9376

iZeno Pte Ltd
72 Bendemeer Road
Luzerne #05-28
Singapore 339941

This communication contains information which may be confidential or
privileged. The information is intended solely for the use of the
individual or entity named above.
If you are not the intended recipient, be aware that any disclosure,
copying, distribution or use of the contents of this information is
prohibited. If you have received this communication in error, please
notify me by telephone immediately.

From koster at tizin.nl Mon Mar 9 07:41:29 2015
From: koster at tizin.nl (Marcel Koster)
Date: Mon, 9 Mar 2015 12:41:29 +0100
Subject: [keycloak-user] Getting Error! not found when selecting an application or role
Message-ID:

Good afternoon,

I am using the keycloak 1.1.0-Final standalone in a fresh installation and
I am receiving an "Error! Not found" when I select an application or a
role which I just created. I checked the mongo database that I use and
everything seems to be okay.

Kind regards,

Marcel Koster
Tizin
0642044604
koster at tizin.nl
www.tizin.nl
Peizerstate
Peizerweg 87A
9727AH Groningen

From stian at redhat.com Mon Mar 9 10:26:00 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 9 Mar 2015 10:26:00 -0400 (EDT)
Subject: [keycloak-user] Getting Error! not found when selecting an application or role
In-Reply-To:
References:
Message-ID: <1815900720.2177941.1425911160156.JavaMail.zimbra@redhat.com>

Please try clearing your browser cache as this may be due to old versions
of the admin console being cached.

----- Original Message -----
> From: "Marcel Koster"
> To: keycloak-user at lists.jboss.org
> Sent: Monday, 9 March, 2015 12:41:29 PM
> Subject: [keycloak-user] Getting Error!
> not found when selecting an application or role
>
> Good afternoon,
>
> I am using the keycloak 1.1.0-Final standalone in a fresh installation and I
> am receiving an "Error! Not found" when I select an application or a role
> which I just created. I checked the mongo database that I use and everything
> seems to be okay.
>
> Kind regards,
>
> Marcel Koster
> 0642044604
> koster at tizin.nl
> www.tizin.nl
> Peizerstate
> Peizerweg 87A
> 9727AH Groningen

From bburke at redhat.com Mon Mar 9 14:02:28 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 09 Mar 2015 14:02:28 -0400
Subject: [keycloak-user] Keycloak sp filter
In-Reply-To:
References: <54F5D70F.2030309@redhat.com> <54F700B4.7020509@redhat.com> <54F70C21.3030701@redhat.com> <54F720F3.90204@redhat.com>
Message-ID: <54FDE034.50806@redhat.com>

I fixed some bugs around logout in 1.2, master git, but we're not releasing
this for a few weeks. I don't know if that is your problem or not. I have
not yet been able to take the time to reproduce your problems on 1.1 yet.

On 3/8/2015 9:53 PM, Chen Keong Yap wrote:
> hi bill,
>
> can you advise regarding the global sign out issue?
>
> On Thu, Mar 5, 2015 at 9:29 AM, Chen Keong Yap wrote:
>
> hi bill,
>
> Thanks for the solution given and it has resolved the first issue
> (login to the app via pl sp filter but the login session cannot be
> seen in keycloak admin console)
>
> However now there are few more issues with single sign out.
>
> a) When I click on the global logout link
> (http://localhost:8080/employee/?GLO=true), the page just did a self
> refresh and it's not redirected to keycloak login page. I can see
> the keycloak session was gone from the keycloak admin console but
> the sample employee session still there.
-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From chenkeong.yap at izeno.com Tue Mar 10 05:27:23 2015
From: chenkeong.yap at izeno.com (Chen Keong Yap)
Date: Tue, 10 Mar 2015 17:27:23 +0800
Subject: [keycloak-user] Keycloak sp filter
In-Reply-To: <54FDE034.50806@redhat.com>
References: <54F5D70F.2030309@redhat.com> <54F700B4.7020509@redhat.com> <54F70C21.3030701@redhat.com> <54F720F3.90204@redhat.com> <54FDE034.50806@redhat.com>
Message-ID:

hi bill,

thanks for the update. btw, can you advise when redhat will put keycloak
into jboss eap roadmap?

On Tue, Mar 10, 2015 at 2:02 AM, Bill Burke wrote:

> I fixed some bugs around logout in 1.2, master git, but we're not
> releasing this for a few weeks. I don't know if that is your problem or
> not. I have not yet been able to take the time to reproduce your problems
> on 1.1 yet.
>
> On 3/8/2015 9:53 PM, Chen Keong Yap wrote:
>
>> hi bill,
>>
>> can you advise regarding the global sign out issue?
From mposolda at redhat.com Tue Mar 10 05:39:52 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 10 Mar 2015 10:39:52 +0100
Subject: [keycloak-user] Generate user setting page
In-Reply-To:
References:
Message-ID: <54FEBBE8.1090902@redhat.com>

Yes, in servlet you can retrieve the info from KeycloakSecurityContext.
Probably something like:

    import org.keycloak.KeycloakSecurityContext;
    import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
    import org.keycloak.util.UriUtils;

    // The adapter stores the context as a request attribute keyed by the class name
    RefreshableKeycloakSecurityContext keycloakCtx = (RefreshableKeycloakSecurityContext)
            servletRequest.getAttribute(KeycloakSecurityContext.class.getName());
    // scheme://host:port of the Keycloak server, taken from the adapter's deployment config
    String uriOrigin = UriUtils.getOrigin(keycloakCtx.getDeployment().getCodeUrl());
    // realm and application come from the token's issuer and audience claims
    String realm = keycloakCtx.getToken().getIssuer();
    String application = keycloakCtx.getToken().getAudience();

or something like that. See our examples for some details if needed.

Marek

On 7.3.2015 10:29, ha.hamed at gmail.com wrote:
> Hi,
>
> I know the user setting page is:
>
> https://DOMAIN:PORT/auth/realms/REALM/account/?referrer=APPLICATION
>
> Is there anyway to generate this URL on a servlet without hard-coding
> server DOMAIN and the other parameters (Getting these parameters from
> keycloak.json or from application server by any provided API)?
>
> Regards,
> Hamed

From bdawidow at redhat.com Tue Mar 10 06:00:02 2015
From: bdawidow at redhat.com (Boleslaw Dawidowicz)
Date: Tue, 10 Mar 2015 11:00:02 +0100
Subject: [keycloak-user] PicketLink and Keycloak projects are merging!
Message-ID: <54FEC0A2.1020904@redhat.com>

We would like to announce that PicketLink and Keycloak projects will be
merging their efforts.
Code base of both will get unified and new features will be developed in a
single place.

DZone link:
http://www.dzone.com/links/picketlink_and_keycloak_projects_are_merging.html

Blog post:
http://blog.keycloak.org/2015/03/picketlink-and-keycloak-projects-are.html

FAQ covering most important questions:
http://picketlink.org/keycloak-merge-faq/

-- 
Bolesław Dawidowicz

From bburke at redhat.com Tue Mar 10 07:44:15 2015
From: bburke at redhat.com (Bill Burke)
Date: Tue, 10 Mar 2015 07:44:15 -0400
Subject: [keycloak-user] Keycloak sp filter
In-Reply-To:
References: <54F5D70F.2030309@redhat.com> <54F700B4.7020509@redhat.com> <54F70C21.3030701@redhat.com> <54F720F3.90204@redhat.com> <54FDE034.50806@redhat.com>
Message-ID: <54FED90F.8010708@redhat.com>

Plan is to productize about the same time as EAP7.

On 3/10/2015 5:27 AM, Chen Keong Yap wrote:
> hi bill,
>
> thanks for the update. btw, can you advise when redhat will put keycloak
> into jboss eap roadmap?
>
> On Tue, Mar 10, 2015 at 2:02 AM, Bill Burke wrote:
>
> I fixed some bugs around logout in 1.2, master git, but we're not
> releasing this for a few weeks. I don't know if that is your
> problem or not. I have not yet been able to take the time to
> reproduce your problems on 1.1 yet.
>
> On 3/8/2015 9:53 PM, Chen Keong Yap wrote:
>
> hi bill,
>
> can you advise regarding the global sign out issue?
-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From koster at tizin.nl Tue Mar 10 11:19:38 2015
From: koster at tizin.nl (Marcel Koster)
Date: Tue, 10 Mar 2015 16:19:38 +0100
Subject: [keycloak-user] Getting Error! not found when selecting an application or role
In-Reply-To: <1815900720.2177941.1425911160156.JavaMail.zimbra@redhat.com>
References: <1815900720.2177941.1425911160156.JavaMail.zimbra@redhat.com>
Message-ID:

Yes, this solved the issues, thank you very much. Didn't expect the cache
to be an issue.

Kind regards,

Marcel Koster
Tizin
0642044604
koster at tizin.nl
www.tizin.nl
Peizerstate
Peizerweg 87A
9727AH Groningen

2015-03-09 15:26 GMT+01:00 Stian Thorgersen:

> Please try clearing your browser cache as this may be due to old versions
> of the admin console being cached.
>
> ----- Original Message -----
> > From: "Marcel Koster"
> > To: keycloak-user at lists.jboss.org
> > Sent: Monday, 9 March, 2015 12:41:29 PM
> > Subject: [keycloak-user] Getting Error!
not found when selecting an > application or role > > > > Good afternoon, > > > > I am using the keycloak 1.1.0-Final standalone in a fresh installation > and I > > am receiving an "Error! Not found" when I select an application or a role > > which I just created. I checked the mongo database that I use and > everything > > seems to be okay. > > > > Met vriendelijke groeten, > > > > Marcel Koster > > > > > > > > 0642044604 Peizerstate > > > > koster at tizin.nl Peizerweg 87A > > www.tizin.nl 9727AH Groningen > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150310/052f6582/attachment-0001.html From chenkeong.yap at izeno.com Tue Mar 10 17:01:49 2015 From: chenkeong.yap at izeno.com (Chen Keong Yap) Date: Wed, 11 Mar 2015 05:01:49 +0800 Subject: [keycloak-user] Keycloak sp filter In-Reply-To: <54FED90F.8010708@redhat.com> References: <54F5D70F.2030309@redhat.com> <54F700B4.7020509@redhat.com> <54F70C21.3030701@redhat.com> <54F720F3.90204@redhat.com> <54FDE034.50806@redhat.com> <54FED90F.8010708@redhat.com> Message-ID: Hi bill, Keycloack will be merged with picketlink as one product/module in eap 7? On Mar 10, 2015 7:44 PM, "Bill Burke" wrote: > Plan is to productize about the same time as EAP7. > > On 3/10/2015 5:27 AM, Chen Keong Yap wrote: > >> hi bill, >> >> thanks for the update. btw, can you advise when redhat will put keycloak >> into jboss eap roadmap? >> >> On Tue, Mar 10, 2015 at 2:02 AM, Bill Burke > > wrote: >> >> I fixed some bugs around logout in 1.2, master git, but we're not >> releasing this for a few weeks. I don't know if that is your >> problem or not. I have not yet been able to take the time to >> reproduce your problems on 1.1 yet. 
>> >> On 3/8/2015 9:53 PM, Chen Keong Yap wrote: >> >> hi bill, >> >> can you advise regarding the global sign out issue? >> >> On Thu, Mar 5, 2015 at 9:29 AM, Chen Keong Yap >> >> > >> wrote: >> >> hi bill, >> >> Thanks for the solution given and it has resolved the first >> issue >> ( login to the app via pl sp filter but the login session >> cannot be >> seen in keycloak admin console) >> >> However now there are few more issues with single sign out. >> >> a) When i click on the global logout link >> (http://localhost:8080/__employee/?GLO=true >> ), the page just did a >> self >> refresh and it's not redirected to keycloak login page. I >> can see >> the keycloak session was gone from the keycloak admin >> console but >> the sample employee session still there. >> >> b) When i click on the local logout link >> (http://localhost:8080/__employee/?LLO=true >> ), the page just did a >> self >> refresh and it's not redirected to keycloak login page. I >> can see >> the keycloak session still in the keycloak admin console >> but the >> sample employee session still there. >> >> c) When i click on the logout link >> (http://localhost:8080/__employee/logout.jsp >> ), the page just did a >> self refresh and it's not redirected to keycloak login page. >> I >> noticed the keycloak session still in the keycloak admin >> console but >> the sample employee session still there. Just wondering do >> i need to >> implement session.invalidate() in the logout,jsp but how to >> invalidate the keycloak session? >> >> >> On Wed, Mar 4, 2015 at 11:12 PM, Bill Burke >> >> >> >> wrote: >> >> Ok, I may have diagnosed the problem. Go to the admin >> console. >> Go to the definition of your application. Look at the >> Admin >> Url. Does it have a "/" at the end of the URL? If >> not, add a >> '/' at the end of this. >> >> i.e. >> >> http://somhere.com/app/ >> >> If that solves the issue, let me know and I'll explain >> what is >> going on. 
FYI, I ran into the same problem running the >> SAML >> example in the distro and this fixed the problem. >> >> >> >> >> On 3/4/2015 9:07 AM, Chen Keong Yap wrote: >> >> Hi bill, >> >> If i understand from you correctly, >> PL SAML SP and keycloak adapters are the same and >> referring >> to below items. >> >> Tomcat 6, 7, 8 >> Jetty 8, 9 >> EAP 6.x >> Wildfly >> Node.js >> Browser Javascript adapter. >> >> So far i have tested PL SAML SP filter using the >> following >> libs and it >> got the same 2 issues that was mentioned in the >> previous email. >> >> Picketlink lib : Picketlink 2.70 cr2, picketlink >> 2.5.3 >> (commercial) >> >> keycloak lib : keycloak 1.1.0 final, keycloak 1.1.0 >> beta 2 >> >> On Mar 4, 2015 9:44 PM, "Bill Burke" >> >> > >> >> > > >>> wrote: >> >> Our testsuite uses PL SAML SP, not the filter >> though, >> and it works >> fine. I'd have to recreate the problem using >> the PL >> SAML SP filter. >> >> On 3/4/2015 8:04 AM, Chen Keong Yap wrote: >> >> Hi bill, >> >> Yup. I have configured the app in keycloak >> admin >> console. However i >> encountered 2 issues. >> >> First issue is that i was able to login to >> the app >> via pl sp >> filter but >> the login session cannot be seen in >> keycloak admin >> console >> >> Second issue is that global logout was not >> working >> and the >> landing page >> just did a self refresh. >> >> On Mar 4, 2015 8:55 PM, "Bill Burke" >> >> > >> > > >> >> > >> > > > >> > >>>> wrote: >> >> You can still use the PL Filter SP. >> Just >> configure the >> application >> in the admin console to use SAML. >> >> On 3/3/2015 11:36 PM, Chen Keong Yap >> wrote: >> >> Hi bill, >> >> the existing adapters cannot >> support jboss >> eap 5.0.2 and >> websphere 8.5 >> and we are not allowed to use >> keycloak proxy. >> >> can you suggest any other >> alternative >> similar to >> picketlink sp >> filter? 
>> >> On Tue, Mar 3, 2015 at 11:45 PM, >> Bill Burke >> > > > >> > > >> >> > >> > > > >> > >>>> >> > >> > > > >> > >>> >> > >> > > > >> > >>>>> wrote: >> >> There is no Keycloak SP >> filter. We >> have various >> adapters >> for different >> platforms that hook into >> servlet >> security to make >> integration seamless: >> >> Tomcat 6, 7, 8 >> Jetty 8, 9 >> EAP 6.x >> Wildfly >> Node.js >> Browser Javascript adapter. >> >> On 3/2/2015 10:22 PM, Chen >> Keong Yap >> wrote: >> > Hi, >> > >> > Please share some lights >> for >> implementing >> Keycloak sp >> filter which is >> > similar to picketlink sp >> filter. >> > >> > >> >> >> org.picketlink.identity.________federation.web.filters._____ >> ___SPFilter >> > >> > >> > >> ______________________________ >> _________________________ >> > keycloak-user mailing list >> > >> keycloak-user at lists.jboss.org > jboss.org> >> > > >> > ____jboss.org >> > >> >> > . >> > .>______jboss.org >> >> > ____jboss.org >> > >>> >> > >> > >. >> > >> > >.>________jboss.org < >> http://jboss.org> >> >> > . >> > .>______jboss.org >> >> > ____jboss.org >> > >>>> >> > >> https://lists.jboss.org/________mailman/listinfo/keycloak-user >> >> >> > __> >> >> >> > >> >> > __>__> >> >> >> >> > >> >> > __> >> >> >> > >> >> > __>__>__> >> > >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> >> ______________________________ >> _________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org > jboss.org> >> > > >> > ____jboss.org >> > >> >> > . >> > .>______jboss.org >> >> > ____jboss.org >> > >>> >> > >> > >. >> > >> > >.>________jboss.org < >> http://jboss.org> >> >> > . 
>> > .>______jboss.org >> >> > ____jboss.org >> > >>>> >> https://lists.jboss.org/________mailman/listinfo/keycloak-user >> >> >> > __> >> >> >> > >> >> > __>__> >> >> >> >> > >> >> > __> >> >> >> > >> >> > __>__>__> >> >> >> >> >> >> >> >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> >> >> >> > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150311/2155d40d/attachment-0001.html From Randall_Theobald at dell.com Wed Mar 11 13:08:48 2015 From: Randall_Theobald at dell.com (Randall_Theobald at dell.com) Date: Wed, 11 Mar 2015 12:08:48 -0500 Subject: [keycloak-user] SAML claim/user attribute mapping from LDAP integration Message-ID: <9A20E07E433AEB4D8D4025EEBE12E414069EC57767@AUSX7MCPC107.AMER.DELL.COM> I am currently using Keycloak 1.1.0.Final, trying to enable SSO between two apps with an Active Directory user store. I have keycloak connected to the AD directly in my realm and have sync'ed the users. I can successfully login in to one of my apps. However, the other app requires an 'email' claim, which is missing. It looks like the AD uses just 'mail'. Is there any way to make this simple claim mapping in keycloak? Randall Theobald Common Engineering - Performance Dell Software Group | Office of the CTO randall_theobald at dell.com | RR1-C336 -------------- next part -------------- An HTML attachment was scrubbed... 
From mposolda at redhat.com Wed Mar 11 15:14:31 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 11 Mar 2015 20:14:31 +0100
Subject: [keycloak-user] SAML claim/user attribute mapping from LDAP integration
In-Reply-To: <9A20E07E433AEB4D8D4025EEBE12E414069EC57767@AUSX7MCPC107.AMER.DELL.COM>
References: <9A20E07E433AEB4D8D4025EEBE12E414069EC57767@AUSX7MCPC107.AMER.DELL.COM>
Message-ID: <55009417.1020006@redhat.com>

Hi,

Currently it's hardcoded so that the LDAP attribute "mail" is mapped to the UserModel.email property. We have opened a JIRA for dynamic mappings of attributes from LDAP to the user attributes/properties and I hope to start on it later this month.

However, it looks like for your case the hardcoded mapping should be sufficient for the email property. When you synced users, are you seeing in the admin console that the synced users have their email filled from the Active Directory? If yes, then the only issue is maybe propagating the email value as an attribute in the SAML response. Bill is working on protocol mappers and this use-case is handled by it AFAIK. You can try latest Keycloak master though.

Marek

From emil.posmyk at gmail.com Wed Mar 11 16:45:20 2015
From: emil.posmyk at gmail.com (Emil Posmyk)
Date: Wed, 11 Mar 2015 21:45:20 +0100
Subject: [keycloak-user] Keycloak token and refresh token
Message-ID:

Hi all

I did some research about refreshing the tokens and now I know how to do this, but the more important question is how I should use it. For example: when we have an AccessTokenResponse object then we can use the token (String) or the refresh token (this is also used for logout); the first will be active e.g. 5 minutes, but the refresh token will be active forever (there is no expiration time, if I understood correctly). But should I use the refresh token to authenticate the application, or maybe only the token with expiration should be used?

Other case is that I have a method for getting a map with an access token. I used the refresh token to get it. This access token should now be used as a new token, and is it the right way?

regards
--
Emil Posmyk
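An added example, not code from this thread or from Keycloak, that models the token handling asked about here: the access token goes out as the Bearer header on calls to the other web service, while the refresh token is only ever posted to the auth server's token endpoint together with the client's own credentials (the refresh_token grant of RFC 6749), and a small client-side holder reuses the access token until shortly before its expires_in lifetime runs out. The token endpoint, client id and secret, user credentials and the 5-minute lifetime are all constructed stand-ins.

```python
import base64
import secrets
from urllib.parse import parse_qs, urlencode


def basic_client_auth(client_id, client_secret):
    """HTTP Basic client authentication (RFC 6749 section 2.3.1)."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_refresh_request(client_id, client_secret, refresh_token):
    """Headers and form body of a refresh_token grant (RFC 6749 section 6).
    Only the refresh token and the *client* credentials are sent; the user's
    password never travels again."""
    headers = {"Authorization": basic_client_auth(client_id, client_secret),
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "refresh_token",
                      "refresh_token": refresh_token})
    return headers, body


def bearer_header(access_token):
    """Header for calls to the other web service: the access token is the
    only token a downstream service should ever see."""
    return {"Authorization": f"Bearer {access_token}"}


class StubTokenEndpoint:
    """Hypothetical stand-in for the auth server's token endpoint. Issues
    AccessTokenResponse-shaped dicts; accepts a refresh only with valid
    client credentials and a refresh token it issued itself."""

    def __init__(self, client_id, client_secret, access_ttl=300):
        self.client_id, self.client_secret = client_id, client_secret
        self.access_ttl = access_ttl        # seconds; 5 minutes as in the thread
        self.issued_refresh_tokens = set()

    def direct_access_grant(self, username, password):
        # User credential verification is out of scope for this stub.
        return self._issue()

    def _issue(self):
        refresh = secrets.token_urlsafe(16)
        self.issued_refresh_tokens.add(refresh)
        return {"access_token": secrets.token_urlsafe(16),
                "expires_in": self.access_ttl,
                "refresh_token": refresh,
                "token_type": "bearer"}

    def post(self, headers, body):
        expected = basic_client_auth(self.client_id, self.client_secret)
        if headers.get("Authorization") != expected:
            return {"error": "invalid_client"}      # no/wrong client creds
        form = {k: v[0] for k, v in parse_qs(body).items()}
        if form.get("grant_type") != "refresh_token":
            return {"error": "unsupported_grant_type"}
        if form.get("refresh_token") not in self.issued_refresh_tokens:
            return {"error": "invalid_grant"}       # unknown refresh token
        return self._issue()


class TokenManager:
    """Client-side holder for one AccessTokenResponse. Hands out the access
    token for service calls and refreshes it through the token endpoint once
    it is within `skew` seconds of the expiry derived from expires_in."""

    def __init__(self, endpoint, client_id, client_secret, response, now, skew=30):
        self.endpoint = endpoint
        self.client_id, self.client_secret = client_id, client_secret
        self.skew = skew
        self.refresh_count = 0
        self._store(response, now)

    def _store(self, response, now):
        if "error" in response:
            raise RuntimeError("token endpoint refused: " + response["error"])
        self.response = response
        self.expires_at = now + response["expires_in"]

    def needs_refresh(self, now):
        return now >= self.expires_at - self.skew

    def access_token(self, now):
        if self.needs_refresh(now):
            headers, body = build_refresh_request(
                self.client_id, self.client_secret, self.response["refresh_token"])
            self._store(self.endpoint.post(headers, body), now)
            self.refresh_count += 1
        return self.response["access_token"]


def demo(now=1_000_000.0):
    """Grant once, reuse the same access token inside its 5 minutes, refresh
    after it expires. Returns (first, reused, refreshed, refresh_count)."""
    ep = StubTokenEndpoint("client-ws", "client-secret", access_ttl=300)
    tm = TokenManager(ep, "client-ws", "client-secret",
                      ep.direct_access_grant("jack", "pwd"), now)
    first = tm.access_token(now)
    reused = tm.access_token(now + 200)      # still valid: same token returned
    refreshed = tm.access_token(now + 301)   # expired: refreshed with client creds
    return first, reused, refreshed, tm.refresh_count
```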
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150311/5e2870fb/attachment.html From Randall_Theobald at dell.com Wed Mar 11 16:48:44 2015 From: Randall_Theobald at dell.com (Randall_Theobald at dell.com) Date: Wed, 11 Mar 2015 15:48:44 -0500 Subject: [keycloak-user] SAML claim/user attribute mapping from LDAP integration In-Reply-To: <55009417.1020006@redhat.com> References: <9A20E07E433AEB4D8D4025EEBE12E414069EC57767@AUSX7MCPC107.AMER.DELL.COM> <55009417.1020006@redhat.com> Message-ID: <9A20E07E433AEB4D8D4025EEBE12E414069EC577F9@AUSX7MCPC107.AMER.DELL.COM> Dell Customer Communication Yes, I captured the SAMLResponse from Keycloak and it is behaving properly. Turned out the receiving app wasn't parsing the SAMLResponse correctly. Thanks, Randall Theobald Common Engineering - Performance Dell Software Group | Office of the CTO randall_theobald at dell.com | RR1-C336 From: Marek Posolda [mailto:mposolda at redhat.com] Sent: Wednesday, March 11, 2015 2:15 PM To: Theobald, Randall; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] SAML claim/user attribute mapping from LDAP integration Hi, Currently it's hardcoded so that LDAP attribute "mail" is mapped to UserModel.email property. We have opened JIRA for dynamic mappings of attributes from LDAP to the user attributes/properties and I hope to start on it later this month. However it looks that for your case, hardcoded mapping should be sufficient for the email property. When you synced users, are you seeing in admin console that synced users have filled email from the Active Directory? If yes, then only issue is maybe propagating the email value as attribute in the SAML response. Bill is working on protocol mappers and this use-case is handled by it AFAIK. You can try latest Keycloak master though. Marek On 11.3.2015 18:08, Randall_Theobald at dell.com wrote: I am currently using Keycloak 1.1.0.Final, trying to enable SSO between two apps with an Active Directory user store. 
I have keycloak connected to the AD directly in my realm and have sync'ed the users. I can successfully login in to one of my apps. However, the other app requires an 'email' claim, which is missing. It looks like the AD uses just 'mail'. Is there any way to make this simple claim mapping in keycloak? Randall Theobald Common Engineering - Performance Dell Software Group | Office of the CTO randall_theobald at dell.com | RR1-C336 _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150311/6f1014e3/attachment-0001.html From bburke at redhat.com Wed Mar 11 23:06:02 2015 From: bburke at redhat.com (Bill Burke) Date: Wed, 11 Mar 2015 23:06:02 -0400 Subject: [keycloak-user] Keycloak token and refresh token In-Reply-To: References: Message-ID: <5501029A.60409@redhat.com> access token used to securely invoke remote apps. refresh token to refreesh the access token. You have to call the auth-server's refresh endpoint though and provide client credentials (not user credentials). AccessTokenResponse has info about when the access token will expire. On 3/11/2015 4:45 PM, Emil Posmyk wrote: > Hi all > > I did some research about refreshing the tokens and now I know how to do > this, but more important question is how should I use it. For example: > when we have an object AccessTokenResponse then we can use token > (String) or refresh token (this is used also for logout), first will be > active eg: 5 minuts, but refresh token will be active forever (there is > no expiration time if I understood correctly). But should I use refresh > token to authenticate application or maybe only token with expiration > should be used ? > > Other case is that I have a method for getting a map with access token. 
> I used for that refresh token to get it. This access token now should be > used as a new token and it is right way ? > > > > / > regards/ > /--/ > /Emil Posmyk > / > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From stian at redhat.com Thu Mar 12 03:40:50 2015 From: stian at redhat.com (Stian Thorgersen) Date: Thu, 12 Mar 2015 03:40:50 -0400 (EDT) Subject: [keycloak-user] WS-Federation capability for SSO In-Reply-To: <9A20E07E433AEB4D8D4025EEBE12E414069EC57209@AUSX7MCPC107.AMER.DELL.COM> References: <9A20E07E433AEB4D8D4025EEBE12E414069EC57209@AUSX7MCPC107.AMER.DELL.COM> Message-ID: <1892498623.4430431.1426146050875.JavaMail.zimbra@redhat.com> Hi, It's on the roadmap, but it's not a high priority ATM, so the best estimate I can give you is it should be added this year. If it's of high priority to you and you're willing to help test or even contribute we may be able to push it ahead. ----- Original Message ----- > From: "Randall Theobald" > To: keycloak-user at lists.jboss.org > Sent: Friday, 6 March, 2015 2:41:00 PM > Subject: Re: [keycloak-user] WS-Federation capability for SSO > > > > Any response to my note below? Just looking if it is on the roadmap. Thanks. > > > > > Randall Theobald > > Common Engineering ? Performance > > Dell Software Group | Office of the CTO > > randall_theobald at dell.com | RR1-C336 > > > > > > From: Theobald, Randall > Sent: Monday, March 02, 2015 2:54 PM > To: 'keycloak-user at lists.jboss.org' > Subject: WS-Federation capability for SSO > > > > > Hi, > > > > We?re looking to use Keycloak capabilities to enable SSO between some > systems. Does Keycloak have a timeline to support the following? 
> > * WS-Federation (passive) protocol > * WS-Federation wrapped JSON Web Tokens (JWT) > * WS-Trust + JWT > > > > Thanks, > > > > Randall Theobald > > Common Engineering ? Performance > > Dell Software Group | Office of the CTO > > randall_theobald at dell.com | RR1-C336 > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From prabhalar at yahoo.com Thu Mar 12 05:48:47 2015 From: prabhalar at yahoo.com (Raghu Prabhala) Date: Thu, 12 Mar 2015 09:48:47 +0000 (UTC) Subject: [keycloak-user] WS-Federation capability for SSO In-Reply-To: <1892498623.4430431.1426146050875.JavaMail.zimbra@redhat.com> References: <1892498623.4430431.1426146050875.JavaMail.zimbra@redhat.com> Message-ID: <1367259589.3179921.1426153727840.JavaMail.yahoo@mail.yahoo.com> Stian - The below functionality is important for me also and I am willing to test it out, building it from the master as I have been doing for Kerberos, SAML identity broker and claims mapping. Thanks,Raghu ? From: Stian Thorgersen To: Randall Theobald Cc: keycloak-user at lists.jboss.org Sent: Thursday, March 12, 2015 3:40 AM Subject: Re: [keycloak-user] WS-Federation capability for SSO Hi, It's on the roadmap, but it's not a high priority ATM, so the best estimate I can give you is it should be added this year. If it's of high priority to you and you're willing to help test or even contribute we may be able to push it ahead. ----- Original Message ----- > From: "Randall Theobald" > To: keycloak-user at lists.jboss.org > Sent: Friday, 6 March, 2015 2:41:00 PM > Subject: Re: [keycloak-user] WS-Federation capability for SSO > > > > Any response to my note below? Just looking if it is on the roadmap. Thanks. > > > > > Randall Theobald > > Common Engineering ? 
Performance > > Dell Software Group | Office of the CTO > > randall_theobald at dell.com | RR1-C336 > > > > > > From: Theobald, Randall > Sent: Monday, March 02, 2015 2:54 PM > To: 'keycloak-user at lists.jboss.org' > Subject: WS-Federation capability for SSO > > > > > Hi, > > > > We?re looking to use Keycloak capabilities to enable SSO between some > systems. Does Keycloak have a timeline to support the following? > >? ? * WS-Federation (passive) protocol >? ? * WS-Federation wrapped JSON Web Tokens (JWT) >? ? * WS-Trust + JWT > > > > Thanks, > > > > Randall Theobald > > Common Engineering ? Performance > > Dell Software Group | Office of the CTO > > randall_theobald at dell.com | RR1-C336 > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150312/b39d02c5/attachment.html From kalinga at leapset.com Mon Mar 16 05:48:55 2015 From: kalinga at leapset.com (Kalinga Dissanayake) Date: Mon, 16 Mar 2015 15:18:55 +0530 (IST) Subject: [keycloak-user] Customization of authentication mechanism and + Message-ID: <1426499335.4721402@apps.rackspace.com> Guys, I need to understand the capability of keycloak with my requirement and to ensure that keycloak is scalable to meet my needs. My main requirement is to integrate keycloak to our system to support SSO hence I need to migrate my existing users. My main concerns; 1/ Customize authentication method. I need to authenticate users similar to what we currently use in our production system. In our system, users are identified by username, password and the pin. 
For instance; User -> jack, password -> pwd, pin -> 50000 User should enter all three to login to the system. I went through the codebase and I saw that the Authentication Manager (which is a concrete class) does all the work inside keycloak. I managed to customize the frontend with ease, however, in order to support the pin in the backend seems like I have to customize the AuthenticationManager class (no direct SPIs). Although there is a link here; [ http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/authentication-spi.html ]( http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/authentication-spi.html ) I cant seem to find anything here which matches the current code base (to via a new authentication method via spis) and the example has been removed. 2/ Customize password hashes. We have our own algorithm used to store password hashes. What should I do to add this to keycloak? I do not know the current passwords of the users already in our system, so when doing the migration i need keyclock to support the current algorithm we use. Can we plugin new hashing algorithms to meet my needs? Any other issues I might face? I feel key cloak is the right choice if the above two questions are answered. Please let me know. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150316/74431b88/attachment.html From stian at redhat.com Mon Mar 16 06:01:22 2015 From: stian at redhat.com (Stian Thorgersen) Date: Mon, 16 Mar 2015 06:01:22 -0400 (EDT) Subject: [keycloak-user] Customization of authentication mechanism and + In-Reply-To: <1426499335.4721402@apps.rackspace.com> References: <1426499335.4721402@apps.rackspace.com> Message-ID: <41183142.7063572.1426500082230.JavaMail.zimbra@redhat.com> We don't currently have a way to plugin your own authentication mechanism, but this is something we'll be adding. 
You have two choices when it comes to users, you can either use our user federation provider mechanism to sync between Keycloak and your current db. Or you can migrate the users fully to the Keycloak db. In either case you have an option on overriding how passwords are verified (either UserFederationProvider or by extending an existing UserProvider). With the above authentication mechanism we'll most likely also make the verification of passwords pluggable which would support different hash algorithms. ----- Original Message ----- > From: "Kalinga Dissanayake" > To: keycloak-user at lists.jboss.org > Sent: Monday, March 16, 2015 10:48:55 AM > Subject: [keycloak-user] Customization of authentication mechanism and + > > > > Guys, > > I need to understand the capability of keycloak with my requirement and to > ensure that keycloak is scalable to meet my needs. My main requirement is to > integrate keycloak to our system to support SSO hence I need to migrate my > existing users. My main concerns; > > > > 1/ Customize authentication method. > > I need to authenticate users similar to what we currently use in our > production system. In our system, users are identified by username, password > and the pin. > > For instance; > > User -> jack, password -> pwd, pin -> 50000 > > User should enter all three to login to the system. > > I went through the codebase and I saw that the Authentication Manager (which > is a concrete class) does all the work inside keycloak. I managed to > customize the frontend with ease, however, in order to support the pin in > the backend seems like I have to customize the AuthenticationManager class > (no direct SPIs). > > Although there is a link here; > > http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/authentication-spi.html > > I cant seem to find anything here which matches the current code base (to via > a new authentication method via spis) and the example has been removed. > > > > 2/ Customize password hashes. 
> > We have our own algorithm used to store password hashes. What should I do to > add this to keycloak? > > I do not know the current passwords of the users already in our system, so > when doing the migration i need keyclock to support the current algorithm we > use. Can we plugin new hashing algorithms to meet my needs? > > > > Any other issues I might face? > > I feel key cloak is the right choice if the above two questions are answered. > Please let me know. > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From kalinga at leapset.com Mon Mar 16 06:32:03 2015 From: kalinga at leapset.com (Kalinga Dissanayake) Date: Mon, 16 Mar 2015 16:02:03 +0530 (IST) Subject: [keycloak-user] Customization of authentication mechanism and + In-Reply-To: <41183142.7063572.1426500082230.JavaMail.zimbra@redhat.com> References: <1426499335.4721402@apps.rackspace.com> <41183142.7063572.1426500082230.JavaMail.zimbra@redhat.com> Message-ID: <1426501923.96612519@apps.rackspace.com> Stian, Thanks for responding in a matter of few minutes. I will then look to see if i can manage my doing changes on the Authentication Manager class for now. Further, I will have a look at the user provider and get back to u. btw, Is the content on this link outdated; http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/authentication-spi.html Kalinga. -----Original Message----- From: "Stian Thorgersen" Sent: Monday, March 16, 2015 3:31pm To: "Kalinga Dissanayake" Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Customization of authentication mechanism and + We don't currently have a way to plugin your own authentication mechanism, but this is something we'll be adding. You have two choices when it comes to users, you can either use our user federation provider mechanism to sync between Keycloak and your current db. 
Or you can migrate the users fully to the Keycloak db. In either case you have an option on overriding how passwords are verified (either UserFederationProvider or by extending an existing UserProvider). With the above authentication mechanism we'll most likely also make the verification of passwords pluggable which would support different hash algorithms. ----- Original Message ----- > From: "Kalinga Dissanayake" > To: keycloak-user at lists.jboss.org > Sent: Monday, March 16, 2015 10:48:55 AM > Subject: [keycloak-user] Customization of authentication mechanism and + > > > > Guys, > > I need to understand the capability of keycloak with my requirement and to > ensure that keycloak is scalable to meet my needs. My main requirement is to > integrate keycloak to our system to support SSO hence I need to migrate my > existing users. My main concerns; > > > > 1/ Customize authentication method. > > I need to authenticate users similar to what we currently use in our > production system. In our system, users are identified by username, password > and the pin. > > For instance; > > User -> jack, password -> pwd, pin -> 50000 > > User should enter all three to login to the system. > > I went through the codebase and I saw that the Authentication Manager (which > is a concrete class) does all the work inside keycloak. I managed to > customize the frontend with ease, however, in order to support the pin in > the backend seems like I have to customize the AuthenticationManager class > (no direct SPIs). > > Although there is a link here; > > http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/authentication-spi.html > > I cant seem to find anything here which matches the current code base (to via > a new authentication method via spis) and the example has been removed. > > > > 2/ Customize password hashes. > > We have our own algorithm used to store password hashes. What should I do to > add this to keycloak? 
> > I do not know the current passwords of the users already in our system, so > when doing the migration i need keyclock to support the current algorithm we > use. Can we plugin new hashing algorithms to meet my needs? > > > > Any other issues I might face? > > I feel key cloak is the right choice if the above two questions are answered. > Please let me know. > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150316/3bff918e/attachment-0001.html From prabhalar at yahoo.com Mon Mar 16 06:39:06 2015 From: prabhalar at yahoo.com (Raghu Prabhala) Date: Mon, 16 Mar 2015 10:39:06 +0000 (UTC) Subject: [keycloak-user] Customization of authentication mechanism and + In-Reply-To: <1426501923.96612519@apps.rackspace.com> References: <1426501923.96612519@apps.rackspace.com> Message-ID: <1811386394.171946.1426502346921.JavaMail.yahoo@mail.yahoo.com> Kalinga - The latest published version is 1.1 and you can find the documentation at the below link. http://keycloak.jboss.org/docs Raghu ? From: Kalinga Dissanayake To: Stian Thorgersen Cc: keycloak-user at lists.jboss.org Sent: Monday, March 16, 2015 6:32 AM Subject: Re: [keycloak-user] Customization of authentication mechanism and + Stian,Thanks? for responding in a matter of few minutes.?I will then look to see if i can manage my doing changes on the Authentication Manager class for now.Further, I will have a look at the user provider and get back to u.btw, Is the content on this link outdated; http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/authentication-spi.html?Kalinga.? 
-----Original Message----- From: "Stian Thorgersen" Sent: Monday, March 16, 2015 3:31pm To: "Kalinga Dissanayake" Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Customization of authentication mechanism and + We don't currently have a way to plugin your own authentication mechanism, but this is something we'll be adding. You have two choices when it comes to users, you can either use our user federation provider mechanism to sync between Keycloak and your current db. Or you can migrate the users fully to the Keycloak db. In either case you have an option on overriding how passwords are verified (either UserFederationProvider or by extending an existing UserProvider). With the above authentication mechanism we'll most likely also make the verification of passwords pluggable which would support different hash algorithms. ----- Original Message ----- > From: "Kalinga Dissanayake" > To: keycloak-user at lists.jboss.org > Sent: Monday, March 16, 2015 10:48:55 AM > Subject: [keycloak-user] Customization of authentication mechanism and + > > > > Guys, > > I need to understand the capability of keycloak with my requirement and to > ensure that keycloak is scalable to meet my needs. My main requirement is to > integrate keycloak to our system to support SSO hence I need to migrate my > existing users. My main concerns; > > > > 1/ Customize authentication method. > > I need to authenticate users similar to what we currently use in our > production system. In our system, users are identified by username, password > and the pin. > > For instance; > > User -> jack, password -> pwd, pin -> 50000 > > User should enter all three to login to the system. > > I went through the codebase and I saw that the Authentication Manager (which > is a concrete class) does all the work inside keycloak. 
> I managed to
> customize the frontend with ease; however, in order to support the pin in
> the backend it seems like I have to customize the AuthenticationManager class
> (no direct SPIs).
>
> Although there is a link here:
>
> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/authentication-spi.html
>
> I can't seem to find anything here which matches the current code base (to add
> a new authentication method via SPIs) and the example has been removed.
>
> 2/ Customize password hashes.
>
> We have our own algorithm used to store password hashes. What should I do to
> add this to Keycloak?
>
> I do not know the current passwords of the users already in our system, so
> when doing the migration I need Keycloak to support the current algorithm we
> use. Can we plug in new hashing algorithms to meet my needs?
>
> Any other issues I might face?
>
> I feel Keycloak is the right choice if the above two questions are answered.
> Please let me know.

From kalinga at leapset.com Mon Mar 16 06:44:57 2015
From: kalinga at leapset.com (Kalinga Dissanayake)
Date: Mon, 16 Mar 2015 16:14:57 +0530 (IST)
Subject: [keycloak-user] Customization of authentication mechanism and +
In-Reply-To: <1811386394.171946.1426502346921.JavaMail.yahoo@mail.yahoo.com>
References: <1426501923.96612519@apps.rackspace.com> <1811386394.171946.1426502346921.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <1426502697.8235198@apps.rackspace.com>

Thanks.

Kalinga
From bburke at redhat.com Mon Mar 16 10:16:47 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 16 Mar 2015 10:16:47 -0400
Subject: [keycloak-user] Customization of authentication mechanism and +
In-Reply-To: <41183142.7063572.1426500082230.JavaMail.zimbra@redhat.com>
References: <1426499335.4721402@apps.rackspace.com> <41183142.7063572.1426500082230.JavaMail.zimbra@redhat.com>
Message-ID: <5506E5CF.5010409@redhat.com>

Minimally you need to import username. Probably email too if you want to use any of our email-based features. With UserFederationProvider you can delegate to the third-party storage for other user attributes/metadata.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From kalinga at leapset.com Tue Mar 17 03:52:12 2015
From: kalinga at leapset.com (Kalinga Dissanayake)
Date: Tue, 17 Mar 2015 13:22:12 +0530 (IST)
Subject: [keycloak-user] Customization of authentication mechanism and +
In-Reply-To: <5506E5CF.5010409@redhat.com>
References: <1426499335.4721402@apps.rackspace.com> <41183142.7063572.1426500082230.JavaMail.zimbra@redhat.com> <5506E5CF.5010409@redhat.com>
Message-ID: <1426578732.697118522@apps.rackspace.com>

Thanks again for your quick feedback. Sorry, I have a number of questions, so I will be buzzing you guys regularly.

I went through the document for the adapters:
http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html

So let's say I need a PHP application to be deployed using Keycloak as my SSO manager application. So my basic requirement is that the user should have the ability to sign in via Keycloak. I see that there are no dedicated adapters for PHP (I guess it must be in the works). Is there a guideline that I should follow if I am to do it manually? Basically, what should I do to replicate what an adapter does (if I don't want to use any adapters, or my apps are mobile based or deployed on containers that Keycloak does not have adapters for)? Hope my question is clear.
Kalinga
From stian at redhat.com Tue Mar 17 04:55:33 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 17 Mar 2015 04:55:33 -0400 (EDT)
Subject: [keycloak-user] Customization of authentication mechanism and +
In-Reply-To: <1426578732.697118522@apps.rackspace.com>
References: <1426499335.4721402@apps.rackspace.com> <41183142.7063572.1426500082230.JavaMail.zimbra@redhat.com> <5506E5CF.5010409@redhat.com> <1426578732.697118522@apps.rackspace.com>
Message-ID: <1310458791.7846793.1426582533536.JavaMail.zimbra@redhat.com>

> So my basic requirement is that the user should have the ability to sign in via
> Keycloak. I see that there are no dedicated adapters for PHP (I guess it
> must be in the works)

We don't have a PHP adapter, and there are no immediate plans to create one. You could use:

* JavaScript adapter (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html#javascript-adapter)
* Proxy (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/proxy.html)

Alternatively have a look on Google for instructions on using OAuth2 and/or OpenID Connect with PHP. Once 1.2.0.Beta1 is released we'll also have an OpenID Connect Discovery endpoint, which should make it easier to use other OpenID Connect client libraries with Keycloak.
If you're willing to contribute a PHP adapter then let me know and I can give you more details on what would be required and some hints to get you started.
> >> > >> > >> > >> Any other issues I might face? > >> > >> I feel key cloak is the right choice if the above two questions are > >> answered. > >> Please let me know. > >> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From kalinga at leapset.com Tue Mar 17 05:25:26 2015 From: kalinga at leapset.com (Kalinga Dissanayake) Date: Tue, 17 Mar 2015 14:55:26 +0530 (IST) Subject: [keycloak-user] Customization of authentication mechanism and + In-Reply-To: <1310458791.7846793.1426582533536.JavaMail.zimbra@redhat.com> References: <1426499335.4721402@apps.rackspace.com> <41183142.7063572.1426500082230.JavaMail.zimbra@redhat.com> <5506E5CF.5010409@redhat.com> <1426578732.697118522@apps.rackspace.com> <1310458791.7846793.1426582533536.JavaMail.zimbra@redhat.com> Message-ID: <1426584326.304931416@apps.rackspace.com> Thanks again. I need to go thru most documentation to get the hang of it. Will do. I would love to contribute if u can get a php application in place, is it possible for you to direct me to documentation where there are hints regarding the adapter logic? 
Kalinga
From kalinga at leapset.com Tue Mar 17 05:26:18 2015
From: kalinga at leapset.com (Kalinga Dissanayake)
Date: Tue, 17 Mar 2015 14:56:18 +0530 (IST)
Subject: [keycloak-user] Customization of authentication mechanism and +
In-Reply-To: <1426584326.304931416@apps.rackspace.com>
References: <1426499335.4721402@apps.rackspace.com> <41183142.7063572.1426500082230.JavaMail.zimbra@redhat.com> <5506E5CF.5010409@redhat.com> <1426578732.697118522@apps.rackspace.com> <1310458791.7846793.1426582533536.JavaMail.zimbra@redhat.com> <1426584326.304931416@apps.rackspace.com>
Message-ID: <1426584378.44864838@apps.rackspace.com>

* I can get a PHP application in place

Kalinga
> >> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150317/e3b069c3/attachment.html From stian at redhat.com Tue Mar 17 05:41:51 2015 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 17 Mar 2015 05:41:51 -0400 (EDT) Subject: [keycloak-user] Customization of authentication mechanism and + In-Reply-To: <1426584378.44864838@apps.rackspace.com> References: <1426499335.4721402@apps.rackspace.com> <41183142.7063572.1426500082230.JavaMail.zimbra@redhat.com> <5506E5CF.5010409@redhat.com> <1426578732.697118522@apps.rackspace.com> <1310458791.7846793.1426582533536.JavaMail.zimbra@redhat.com> <1426584326.304931416@apps.rackspace.com> <1426584378.44864838@apps.rackspace.com> Message-ID: <2078082943.7862174.1426585311801.JavaMail.zimbra@redhat.com>

There are no hints regarding adapter logic, but what you'll need is:

* Configure adapter using keycloak.json
* Implement client side of OAuth2 Authorization Code Grant
  1. Generate a state variable and store in a cookie or session
  2. Redirect to /{realm}/protocols/openid-connect/auth?client_id=<client-id>&response_type=code&state=<uuid>&redirect_uri=<redirect-uri>
  3. Once the user has logged in it's redirected back to <redirect-uri> with a code query param
  4. Use the code query param to obtain a token by posting to /{realm}/protocols/openid-connect/token; the form-data should be grant_type=authorization_code&code=<code>; you also need to include an HTTP basic authorization header with client id and secret

Once you've done that you should have a token available to the application. Then you have to deal with:

* Refreshing token when expired
* Handle logout events from Keycloak
* Clustering issues
* If you want to support creating rest endpoints in PHP you also need to support verifying the bearer token included in authorization header; this can be done by checking the JWS signature using the realm public key

----- Original Message ----- > From: "Kalinga Dissanayake" > To: "Kalinga Dissanayake" > Cc: "Stian Thorgersen" , "Bill Burke" , keycloak-user at lists.jboss.org > Sent: Tuesday, March 17, 2015 10:26:18 AM > Subject: Re: [keycloak-user] Customization of authentication mechanism and + > > > * I can get a php application in place > > Kalinga > > -----Original Message----- > From: "Kalinga Dissanayake" > Sent: Tuesday, March 17, 2015 2:55pm > To: "Stian Thorgersen" > Cc: "Bill Burke" , keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Customization of authentication mechanism and + > > > > Thanks again. > I need to go thru most documentation to get the hang of it. Will do. > I would love to contribute if u can get a php application in place, is it > possible for you to direct me to documentation where there are hints > regarding the adapter logic?
> > Kalinga > > > -----Original Message----- > From: "Stian Thorgersen" > Sent: Tuesday, March 17, 2015 2:25pm > To: "Kalinga Dissanayake" > Cc: "Bill Burke" , keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Customization of authentication mechanism and + > > > > > ----- Original Message ----- > > From: "Kalinga Dissanayake" > > To: "Bill Burke" > > Cc: keycloak-user at lists.jboss.org > > Sent: Tuesday, March 17, 2015 8:52:12 AM > > Subject: Re: [keycloak-user] Customization of authentication mechanism and > > + > > > > > > > > Thanks again for your quick feedbacks. > > > > Sorry I have a number of questions so I will be buzzing u guys regularly. > > > > I went through the document for the adapters; > > > > http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html > > > > > > > > So lets say I need a php application to be deployed using keycloak as my > > SSO > > manager application. > > > > So my basic requirement is that user should have the ability to signin via > > keycloak. I see that there are no dedicated adapters for php (I guess it > > must be in the works) > > We don't have a PHP adapter, and there's no immediate plans to create one. > You could use: > > * JavaScript adapter > (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html#javascript-adapter) > * Proxy > (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/proxy.html) > > Alternatively have a look on Google for instructions on using OAuth2 and/or > OpenID Connect with PHP. Once 1.2.0.Beta1 is released we'll also have a > OpenID Connect Discovery endpoint, which should make it easier to use other > OpenID Connect client libraries with Keycloak. > > If you're willing to contribute a PHP adapter then let me know and I can give > you more details on what would be required and some hints to get you > started. > > > > > > > > > Is there a guideline that I should follow if I am to do it manually? 
> > Basically what I should to do replicate what an adapter does (if I dont > > want > > to use any adapters or my apps are mobile based or deployed on containers > > hat keycloak does not have adapters for). Hope my question is clear. > > > > > > > > Kalinga > > > > > > > > > > -----Original Message----- > > From: "Bill Burke" > > Sent: Monday, March 16, 2015 7:46pm > > To: keycloak-user at lists.jboss.org > > Subject: Re: [keycloak-user] Customization of authentication mechanism and > > + > > > > > > > > Minimally you need to import username. Probably email too if you want > > to use any of our email-based features. With UserFederationProvider you > > can delegate to the third-party storage for other user attributes/metadata. > > > > On 3/16/2015 6:01 AM, Stian Thorgersen wrote: > > > We don't currently have a way to plugin your own authentication > > > mechanism, > > > but this is something we'll be adding. > > > > > > You have two choices when it comes to users, you can either use our user > > > federation provider mechanism to sync between Keycloak and your current > > > db. Or you can migrate the users fully to the Keycloak db. In either case > > > you have an option on overriding how passwords are verified (either > > > UserFederationProvider or by extending an existing UserProvider). With > > > the > > > above authentication mechanism we'll most likely also make the > > > verification of passwords pluggable which would support different hash > > > algorithms. > > > > > > ----- Original Message ----- > > >> From: "Kalinga Dissanayake" > > >> To: keycloak-user at lists.jboss.org > > >> Sent: Monday, March 16, 2015 10:48:55 AM > > >> Subject: [keycloak-user] Customization of authentication mechanism and + > > >> > > >> > > >> > > >> Guys, > > >> > > >> I need to understand the capability of keycloak with my requirement and > > >> to > > >> ensure that keycloak is scalable to meet my needs. 
My main requirement > > >> is > > >> to > > >> integrate keycloak to our system to support SSO hence I need to migrate > > >> my > > >> existing users. My main concerns; > > >> > > >> > > >> > > >> 1/ Customize authentication method. > > >> > > >> I need to authenticate users similar to what we currently use in our > > >> production system. In our system, users are identified by username, > > >> password > > >> and the pin. > > >> > > >> For instance; > > >> > > >> User -> jack, password -> pwd, pin -> 50000 > > >> > > >> User should enter all three to login to the system. > > >> > > >> I went through the codebase and I saw that the Authentication Manager > > >> (which > > >> is a concrete class) does all the work inside keycloak. I managed to > > >> customize the frontend with ease, however, in order to support the pin > > >> in > > >> the backend seems like I have to customize the AuthenticationManager > > >> class > > >> (no direct SPIs). > > >> > > >> Although there is a link here; > > >> > > >> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/authentication-spi.html > > >> > > >> I cant seem to find anything here which matches the current code base > > >> (to > > >> via > > >> a new authentication method via spis) and the example has been removed. > > >> > > >> > > >> > > >> 2/ Customize password hashes. > > >> > > >> We have our own algorithm used to store password hashes. What should I > > >> do > > >> to > > >> add this to keycloak? > > >> > > >> I do not know the current passwords of the users already in our system, > > >> so > > >> when doing the migration i need keyclock to support the current > > >> algorithm > > >> we > > >> use. Can we plugin new hashing algorithms to meet my needs? > > >> > > >> > > >> > > >> Any other issues I might face? > > >> > > >> I feel key cloak is the right choice if the above two questions are > > >> answered. > > >> Please let me know. 
> > >> > > >> _______________________________________________ > > >> keycloak-user mailing list > > >> keycloak-user at lists.jboss.org > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > -- > > Bill Burke > > JBoss, a division of Red Hat > > http://bill.burkecentral.com > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user From stian at redhat.com Tue Mar 17 05:44:22 2015 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 17 Mar 2015 05:44:22 -0400 (EDT) Subject: [keycloak-user] Customization of authentication mechanism and + In-Reply-To: <2078082943.7862174.1426585311801.JavaMail.zimbra@redhat.com> References: <1426499335.4721402@apps.rackspace.com> <41183142.7063572.1426500082230.JavaMail.zimbra@redhat.com> <5506E5CF.5010409@redhat.com> <1426578732.697118522@apps.rackspace.com> <1310458791.7846793.1426582533536.JavaMail.zimbra@redhat.com> <1426584326.304931416@apps.rackspace.com> <1426584378.44864838@apps.rackspace.com> <2078082943.7862174.1426585311801.JavaMail.zimbra@redhat.com> Message-ID: <677074152.7862458.1426585462878.JavaMail.zimbra@redhat.com> If you have any more questions feel free to ask, anyone contributing code gets extra questions answered ;) ----- Original Message ----- > From: "Stian Thorgersen" > To: "Kalinga Dissanayake" > Cc: keycloak-user at lists.jboss.org > Sent: Tuesday, March 17, 2015 10:41:51 AM > Subject: Re: [keycloak-user] Customization of authentication mechanism and + > > There is no hints regarding adapter logic, but 
what you'll need is: > > * Configure adapter using keycloak.json > * Implement client side of OAuth2 Authorization Code Grant > 1. Generate a state variable and store in a cookie or session > 2. Redirect to > /{realm}/protocols/openid-connect/auth?client_id=&response_type=code&state= uuid>&redirect_uri= > 3. Once the user has logged-in it's redirected back to with > a code query param > 4. Use the code query param to obtain a token by posting to > /{realm}/protocols/openid-connect/token the form-data should be > grant_type=authorization_code&code= you also need to include a http > basic authorization header with client id and secret > > Once you've done that you should have a token available to the application. > Then you have to deal with: > > * Refreshing token when expired > * Handle logout events from Keycloak > * Clustering issues > * If you want to support creating rest endpoints in PHP you also need to > support verifying the bearer token included in authorization header, this > can be done by checking the jws signature using the realm public key > > ----- Original Message ----- > > From: "Kalinga Dissanayake" > > To: "Kalinga Dissanayake" > > Cc: "Stian Thorgersen" , "Bill Burke" > > , keycloak-user at lists.jboss.org > > Sent: Tuesday, March 17, 2015 10:26:18 AM > > Subject: Re: [keycloak-user] Customization of authentication mechanism and > > + > > > > > > * I can get a php application in place > > > > Kalinga > > > > -----Original Message----- > > From: "Kalinga Dissanayake" > > Sent: Tuesday, March 17, 2015 2:55pm > > To: "Stian Thorgersen" > > Cc: "Bill Burke" , keycloak-user at lists.jboss.org > > Subject: Re: [keycloak-user] Customization of authentication mechanism and > > + > > > > > > > > Thanks again. > > I need to go thru most documentation to get the hang of it. Will do. 
> > I would love to contribute if u can get a php application in place, is it > > possible for you to direct me to documentation where there are hints > > regarding the adapter logic? > > > > Kalinga > > > > > > -----Original Message----- > > From: "Stian Thorgersen" > > Sent: Tuesday, March 17, 2015 2:25pm > > To: "Kalinga Dissanayake" > > Cc: "Bill Burke" , keycloak-user at lists.jboss.org > > Subject: Re: [keycloak-user] Customization of authentication mechanism and > > + > > > > > > > > > > ----- Original Message ----- > > > From: "Kalinga Dissanayake" > > > To: "Bill Burke" > > > Cc: keycloak-user at lists.jboss.org > > > Sent: Tuesday, March 17, 2015 8:52:12 AM > > > Subject: Re: [keycloak-user] Customization of authentication mechanism > > > and > > > + > > > > > > > > > > > > Thanks again for your quick feedbacks. > > > > > > Sorry I have a number of questions so I will be buzzing u guys regularly. > > > > > > I went through the document for the adapters; > > > > > > http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html > > > > > > > > > > > > So lets say I need a php application to be deployed using keycloak as my > > > SSO > > > manager application. > > > > > > So my basic requirement is that user should have the ability to signin > > > via > > > keycloak. I see that there are no dedicated adapters for php (I guess it > > > must be in the works) > > > > We don't have a PHP adapter, and there's no immediate plans to create one. > > You could use: > > > > * JavaScript adapter > > (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html#javascript-adapter) > > * Proxy > > (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/proxy.html) > > > > Alternatively have a look on Google for instructions on using OAuth2 and/or > > OpenID Connect with PHP. 
Once 1.2.0.Beta1 is released we'll also have a > > OpenID Connect Discovery endpoint, which should make it easier to use other > > OpenID Connect client libraries with Keycloak. > > > > If you're willing to contribute a PHP adapter then let me know and I can > > give > > you more details on what would be required and some hints to get you > > started. > > > > > > > > > > > > > > Is there a guideline that I should follow if I am to do it manually? > > > Basically what I should to do replicate what an adapter does (if I dont > > > want > > > to use any adapters or my apps are mobile based or deployed on containers > > > hat keycloak does not have adapters for). Hope my question is clear. > > > > > > > > > > > > Kalinga > > > > > > > > > > > > > > > -----Original Message----- > > > From: "Bill Burke" > > > Sent: Monday, March 16, 2015 7:46pm > > > To: keycloak-user at lists.jboss.org > > > Subject: Re: [keycloak-user] Customization of authentication mechanism > > > and > > > + > > > > > > > > > > > > Minimally you need to import username. Probably email too if you want > > > to use any of our email-based features. With UserFederationProvider you > > > can delegate to the third-party storage for other user > > > attributes/metadata. > > > > > > On 3/16/2015 6:01 AM, Stian Thorgersen wrote: > > > > We don't currently have a way to plugin your own authentication > > > > mechanism, > > > > but this is something we'll be adding. > > > > > > > > You have two choices when it comes to users, you can either use our > > > > user > > > > federation provider mechanism to sync between Keycloak and your current > > > > db. Or you can migrate the users fully to the Keycloak db. In either > > > > case > > > > you have an option on overriding how passwords are verified (either > > > > UserFederationProvider or by extending an existing UserProvider). 
With > > > > the > > > > above authentication mechanism we'll most likely also make the > > > > verification of passwords pluggable which would support different hash > > > > algorithms. > > > > > > > > ----- Original Message ----- > > > >> From: "Kalinga Dissanayake" > > > >> To: keycloak-user at lists.jboss.org > > > >> Sent: Monday, March 16, 2015 10:48:55 AM > > > >> Subject: [keycloak-user] Customization of authentication mechanism and > > > >> + > > > >> > > > >> > > > >> > > > >> Guys, > > > >> > > > >> I need to understand the capability of keycloak with my requirement > > > >> and > > > >> to > > > >> ensure that keycloak is scalable to meet my needs. My main requirement > > > >> is > > > >> to > > > >> integrate keycloak to our system to support SSO hence I need to > > > >> migrate > > > >> my > > > >> existing users. My main concerns; > > > >> > > > >> > > > >> > > > >> 1/ Customize authentication method. > > > >> > > > >> I need to authenticate users similar to what we currently use in our > > > >> production system. In our system, users are identified by username, > > > >> password > > > >> and the pin. > > > >> > > > >> For instance; > > > >> > > > >> User -> jack, password -> pwd, pin -> 50000 > > > >> > > > >> User should enter all three to login to the system. > > > >> > > > >> I went through the codebase and I saw that the Authentication Manager > > > >> (which > > > >> is a concrete class) does all the work inside keycloak. I managed to > > > >> customize the frontend with ease, however, in order to support the pin > > > >> in > > > >> the backend seems like I have to customize the AuthenticationManager > > > >> class > > > >> (no direct SPIs). 
> > > >> > > > >> Although there is a link here; > > > >> > > > >> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/authentication-spi.html > > > >> > > > >> I cant seem to find anything here which matches the current code base > > > >> (to > > > >> via > > > >> a new authentication method via spis) and the example has been > > > >> removed. > > > >> > > > >> > > > >> > > > >> 2/ Customize password hashes. > > > >> > > > >> We have our own algorithm used to store password hashes. What should I > > > >> do > > > >> to > > > >> add this to keycloak? > > > >> > > > >> I do not know the current passwords of the users already in our > > > >> system, > > > >> so > > > >> when doing the migration i need keyclock to support the current > > > >> algorithm > > > >> we > > > >> use. Can we plugin new hashing algorithms to meet my needs? > > > >> > > > >> > > > >> > > > >> Any other issues I might face? > > > >> > > > >> I feel key cloak is the right choice if the above two questions are > > > >> answered. > > > >> Please let me know. 
> > > >> > > > >> _______________________________________________ > > > >> keycloak-user mailing list > > > >> keycloak-user at lists.jboss.org > > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > -- > > > Bill Burke > > > JBoss, a division of Red Hat > > > http://bill.burkecentral.com > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From kalinga at leapset.com Tue Mar 17 06:23:10 2015 From: kalinga at leapset.com (Kalinga Dissanayake) Date: Tue, 17 Mar 2015 15:53:10 +0530 (IST) Subject: [keycloak-user] Customization of authentication mechanism and + In-Reply-To: <677074152.7862458.1426585462878.JavaMail.zimbra@redhat.com> References: <1426499335.4721402@apps.rackspace.com> <41183142.7063572.1426500082230.JavaMail.zimbra@redhat.com> <5506E5CF.5010409@redhat.com> <1426578732.697118522@apps.rackspace.com> <1310458791.7846793.1426582533536.JavaMail.zimbra@redhat.com> <1426584326.304931416@apps.rackspace.com> <1426584378.44864838@apps.rackspace.com> <2078082943.7862174.1426585311801.JavaMail.zimbra@redhat.com> <677074152.7862458.1426585462878.JavaMail.zimbra@redhat.com> Message-ID: <1426587790.632621088@apps.rackspace.com> Thanks Stian. :) Let me first go thru the resources I have on the website. 
The java source code of the adapter also must be present somewhere for me to have a look I guess? Kalinga -----Original Message----- From: "Stian Thorgersen" Sent: Tuesday, March 17, 2015 3:14pm To: "Kalinga Dissanayake" Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Customization of authentication mechanism and + If you have any more questions feel free to ask, anyone contributing code gets extra questions answered ;) ----- Original Message ----- > From: "Stian Thorgersen" > To: "Kalinga Dissanayake" > Cc: keycloak-user at lists.jboss.org > Sent: Tuesday, March 17, 2015 10:41:51 AM > Subject: Re: [keycloak-user] Customization of authentication mechanism and + > > There is no hints regarding adapter logic, but what you'll need is: > > * Configure adapter using keycloak.json > * Implement client side of OAuth2 Authorization Code Grant > 1. Generate a state variable and store in a cookie or session > 2. Redirect to > /{realm}/protocols/openid-connect/auth?client_id=&response_type=code&state= uuid>&redirect_uri= > 3. Once the user has logged-in it's redirected back to with > a code query param > 4. Use the code query param to obtain a token by posting to > /{realm}/protocols/openid-connect/token the form-data should be > grant_type=authorization_code&code= you also need to include a http > basic authorization header with client id and secret > > Once you've done that you should have a token available to the application. 
> Then you have to deal with: > > * Refreshing token when expired > * Handle logout events from Keycloak > * Clustering issues > * If you want to support creating rest endpoints in PHP you also need to > support verifying the bearer token included in authorization header, this > can be done by checking the jws signature using the realm public key > > ----- Original Message ----- > > From: "Kalinga Dissanayake" > > To: "Kalinga Dissanayake" > > Cc: "Stian Thorgersen" , "Bill Burke" > > , keycloak-user at lists.jboss.org > > Sent: Tuesday, March 17, 2015 10:26:18 AM > > Subject: Re: [keycloak-user] Customization of authentication mechanism and > > + > > > > > > * I can get a php application in place > > > > Kalinga > > > > -----Original Message----- > > From: "Kalinga Dissanayake" > > Sent: Tuesday, March 17, 2015 2:55pm > > To: "Stian Thorgersen" > > Cc: "Bill Burke" , keycloak-user at lists.jboss.org > > Subject: Re: [keycloak-user] Customization of authentication mechanism and > > + > > > > > > > > Thanks again. > > I need to go thru most documentation to get the hang of it. Will do. > > I would love to contribute if u can get a php application in place, is it > > possible for you to direct me to documentation where there are hints > > regarding the adapter logic? > > > > Kalinga > > > > > > -----Original Message----- > > From: "Stian Thorgersen" > > Sent: Tuesday, March 17, 2015 2:25pm > > To: "Kalinga Dissanayake" > > Cc: "Bill Burke" , keycloak-user at lists.jboss.org > > Subject: Re: [keycloak-user] Customization of authentication mechanism and > > + > > > > > > > > > > ----- Original Message ----- > > > From: "Kalinga Dissanayake" > > > To: "Bill Burke" > > > Cc: keycloak-user at lists.jboss.org > > > Sent: Tuesday, March 17, 2015 8:52:12 AM > > > Subject: Re: [keycloak-user] Customization of authentication mechanism > > > and > > > + > > > > > > > > > > > > Thanks again for your quick feedbacks. 
> > > > > > Sorry I have a number of questions so I will be buzzing u guys regularly. > > > > > > I went through the document for the adapters; > > > > > > http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html > > > > > > > > > > > > So lets say I need a php application to be deployed using keycloak as my > > > SSO > > > manager application. > > > > > > So my basic requirement is that user should have the ability to signin > > > via > > > keycloak. I see that there are no dedicated adapters for php (I guess it > > > must be in the works) > > > > We don't have a PHP adapter, and there's no immediate plans to create one. > > You could use: > > > > * JavaScript adapter > > (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html#javascript-adapter) > > * Proxy > > (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/proxy.html) > > > > Alternatively have a look on Google for instructions on using OAuth2 and/or > > OpenID Connect with PHP. Once 1.2.0.Beta1 is released we'll also have a > > OpenID Connect Discovery endpoint, which should make it easier to use other > > OpenID Connect client libraries with Keycloak. > > > > If you're willing to contribute a PHP adapter then let me know and I can > > give > > you more details on what would be required and some hints to get you > > started. > > > > > > > > > > > > > > Is there a guideline that I should follow if I am to do it manually? > > > Basically what I should to do replicate what an adapter does (if I dont > > > want > > > to use any adapters or my apps are mobile based or deployed on containers > > > hat keycloak does not have adapters for). Hope my question is clear. 
> > > > > > > > > > > > Kalinga > > > > > > > > > > > > > > > -----Original Message----- > > > From: "Bill Burke" > > > Sent: Monday, March 16, 2015 7:46pm > > > To: keycloak-user at lists.jboss.org > > > Subject: Re: [keycloak-user] Customization of authentication mechanism > > > and > > > + > > > > > > > > > > > > Minimally you need to import username. Probably email too if you want > > > to use any of our email-based features. With UserFederationProvider you > > > can delegate to the third-party storage for other user > > > attributes/metadata. > > > > > > On 3/16/2015 6:01 AM, Stian Thorgersen wrote: > > > > We don't currently have a way to plugin your own authentication > > > > mechanism, > > > > but this is something we'll be adding. > > > > > > > > You have two choices when it comes to users, you can either use our > > > > user > > > > federation provider mechanism to sync between Keycloak and your current > > > > db. Or you can migrate the users fully to the Keycloak db. In either > > > > case > > > > you have an option on overriding how passwords are verified (either > > > > UserFederationProvider or by extending an existing UserProvider). With > > > > the > > > > above authentication mechanism we'll most likely also make the > > > > verification of passwords pluggable which would support different hash > > > > algorithms. > > > > > > > > ----- Original Message ----- > > > >> From: "Kalinga Dissanayake" > > > >> To: keycloak-user at lists.jboss.org > > > >> Sent: Monday, March 16, 2015 10:48:55 AM > > > >> Subject: [keycloak-user] Customization of authentication mechanism and > > > >> + > > > >> > > > >> > > > >> > > > >> Guys, > > > >> > > > >> I need to understand the capability of keycloak with my requirement > > > >> and > > > >> to > > > >> ensure that keycloak is scalable to meet my needs. 
My main requirement > > > >> is > > > >> to > > > >> integrate keycloak to our system to support SSO hence I need to > > > >> migrate > > > >> my > > > >> existing users. My main concerns; > > > >> > > > >> > > > >> > > > >> 1/ Customize authentication method. > > > >> > > > >> I need to authenticate users similar to what we currently use in our > > > >> production system. In our system, users are identified by username, > > > >> password > > > >> and the pin. > > > >> > > > >> For instance; > > > >> > > > >> User -> jack, password -> pwd, pin -> 50000 > > > >> > > > >> User should enter all three to login to the system. > > > >> > > > >> I went through the codebase and I saw that the Authentication Manager > > > >> (which > > > >> is a concrete class) does all the work inside keycloak. I managed to > > > >> customize the frontend with ease, however, in order to support the pin > > > >> in > > > >> the backend seems like I have to customize the AuthenticationManager > > > >> class > > > >> (no direct SPIs). > > > >> > > > >> Although there is a link here; > > > >> > > > >> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/authentication-spi.html > > > >> > > > >> I cant seem to find anything here which matches the current code base > > > >> (to > > > >> via > > > >> a new authentication method via spis) and the example has been > > > >> removed. > > > >> > > > >> > > > >> > > > >> 2/ Customize password hashes. > > > >> > > > >> We have our own algorithm used to store password hashes. What should I > > > >> do > > > >> to > > > >> add this to keycloak? > > > >> > > > >> I do not know the current passwords of the users already in our > > > >> system, > > > >> so > > > >> when doing the migration i need keyclock to support the current > > > >> algorithm > > > >> we > > > >> use. Can we plugin new hashing algorithms to meet my needs? > > > >> > > > >> > > > >> > > > >> Any other issues I might face? 
> > > >> > > > >> I feel key cloak is the right choice if the above two questions are > > > >> answered. > > > >> Please let me know. > > > >> > > > >> _______________________________________________ > > > >> keycloak-user mailing list > > > >> keycloak-user at lists.jboss.org > > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > -- > > > Bill Burke > > > JBoss, a division of Red Hat > > > http://bill.burkecentral.com > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150317/168edcf5/attachment-0001.html From stian at redhat.com Tue Mar 17 06:25:35 2015 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 17 Mar 2015 06:25:35 -0400 (EDT) Subject: [keycloak-user] Customization of authentication mechanism and + In-Reply-To: <1426587790.632621088@apps.rackspace.com> References: <1426499335.4721402@apps.rackspace.com> <1426578732.697118522@apps.rackspace.com> <1310458791.7846793.1426582533536.JavaMail.zimbra@redhat.com> <1426584326.304931416@apps.rackspace.com> <1426584378.44864838@apps.rackspace.com> <2078082943.7862174.1426585311801.JavaMail.zimbra@redhat.com> <677074152.7862458.1426585462878.JavaMail.zimbra@redhat.com> <1426587790.632621088@apps.rackspace.com> Message-ID: <815431022.7873125.1426587935971.JavaMail.zimbra@redhat.com> Source code for all adapters is in: https://github.com/keycloak/keycloak/tree/master/integration ----- Original Message ----- > From: "Kalinga Dissanayake" > To: "Stian Thorgersen" > Cc: keycloak-user at lists.jboss.org > Sent: Tuesday, March 17, 2015 11:23:10 AM > Subject: Re: [keycloak-user] Customization of authentication mechanism and + > > > Thanks Stian. :) Let me first go thru the resources I have on the website. > The java source code of the adapter also must be present somewhere for me to > have a look I guess? 
> > Kalinga > > -----Original Message----- > From: "Stian Thorgersen" > Sent: Tuesday, March 17, 2015 3:14pm > To: "Kalinga Dissanayake" > Cc: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Customization of authentication mechanism and + > > > > If you have any more questions feel free to ask, anyone contributing code > gets extra questions answered ;) > > > ----- Original Message ----- > > From: "Stian Thorgersen" > > To: "Kalinga Dissanayake" > > Cc: keycloak-user at lists.jboss.org > > Sent: Tuesday, March 17, 2015 10:41:51 AM > > Subject: Re: [keycloak-user] Customization of authentication mechanism and > > + > > > > There is no hints regarding adapter logic, but what you'll need is: > > > > * Configure adapter using keycloak.json > > * Implement client side of OAuth2 Authorization Code Grant > > 1. Generate a state variable and store in a cookie or session > > 2. Redirect to > > /{realm}/protocols/openid-connect/auth?client_id=&response_type=code&state= > uuid>&redirect_uri= > > 3. Once the user has logged-in it's redirected back to with > > a code query param > > 4. Use the code query param to obtain a token by posting to > > /{realm}/protocols/openid-connect/token the form-data should be > > grant_type=authorization_code&code= you also need to include a http > > basic authorization header with client id and secret > > > > Once you've done that you should have a token available to the application. 
> > Then you have to deal with: > > > > * Refreshing token when expired > > * Handle logout events from Keycloak > > * Clustering issues > > * If you want to support creating rest endpoints in PHP you also need to > > support verifying the bearer token included in authorization header, this > > can be done by checking the jws signature using the realm public key > > > > ----- Original Message ----- > > > From: "Kalinga Dissanayake" > > > To: "Kalinga Dissanayake" > > > Cc: "Stian Thorgersen" , "Bill Burke" > > > , keycloak-user at lists.jboss.org > > > Sent: Tuesday, March 17, 2015 10:26:18 AM > > > Subject: Re: [keycloak-user] Customization of authentication mechanism > > > and > > > + > > > > > > > > > * I can get a php application in place > > > > > > Kalinga > > > > > > -----Original Message----- > > > From: "Kalinga Dissanayake" > > > Sent: Tuesday, March 17, 2015 2:55pm > > > To: "Stian Thorgersen" > > > Cc: "Bill Burke" , keycloak-user at lists.jboss.org > > > Subject: Re: [keycloak-user] Customization of authentication mechanism > > > and > > > + > > > > > > > > > > > > Thanks again. > > > I need to go thru most documentation to get the hang of it. Will do. > > > I would love to contribute if u can get a php application in place, is it > > > possible for you to direct me to documentation where there are hints > > > regarding the adapter logic? 
> > > > > > Kalinga > > > > > > > > > -----Original Message----- > > > From: "Stian Thorgersen" > > > Sent: Tuesday, March 17, 2015 2:25pm > > > To: "Kalinga Dissanayake" > > > Cc: "Bill Burke" , keycloak-user at lists.jboss.org > > > Subject: Re: [keycloak-user] Customization of authentication mechanism > > > and > > > + > > > > > > > > > > > > > > > ----- Original Message ----- > > > > From: "Kalinga Dissanayake" > > > > To: "Bill Burke" > > > > Cc: keycloak-user at lists.jboss.org > > > > Sent: Tuesday, March 17, 2015 8:52:12 AM > > > > Subject: Re: [keycloak-user] Customization of authentication mechanism > > > > and > > > > + > > > > > > > > > > > > > > > > Thanks again for your quick feedbacks. > > > > > > > > Sorry I have a number of questions so I will be buzzing u guys > > > > regularly. > > > > > > > > I went through the document for the adapters; > > > > > > > > http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html > > > > > > > > > > > > > > > > So lets say I need a php application to be deployed using keycloak as > > > > my > > > > SSO > > > > manager application. > > > > > > > > So my basic requirement is that user should have the ability to signin > > > > via > > > > keycloak. I see that there are no dedicated adapters for php (I guess > > > > it > > > > must be in the works) > > > > > > We don't have a PHP adapter, and there's no immediate plans to create > > > one. > > > You could use: > > > > > > * JavaScript adapter > > > (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html#javascript-adapter) > > > * Proxy > > > (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/proxy.html) > > > > > > Alternatively have a look on Google for instructions on using OAuth2 > > > and/or > > > OpenID Connect with PHP. Once 1.2.0.Beta1 is released we'll also have a > > > OpenID Connect Discovery endpoint, which should make it easier to use > > > other > > > OpenID Connect client libraries with Keycloak. 
> > > > > > If you're willing to contribute a PHP adapter then let me know and I can > > > give > > > you more details on what would be required and some hints to get you > > > started. > > > > > > > > > > > > > > > > > > > Is there a guideline that I should follow if I am to do it manually? > > > > Basically what I should to do replicate what an adapter does (if I dont > > > > want > > > > to use any adapters or my apps are mobile based or deployed on > > > > containers > > > > hat keycloak does not have adapters for). Hope my question is clear. > > > > > > > > > > > > > > > > Kalinga > > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > From: "Bill Burke" > > > > Sent: Monday, March 16, 2015 7:46pm > > > > To: keycloak-user at lists.jboss.org > > > > Subject: Re: [keycloak-user] Customization of authentication mechanism > > > > and > > > > + > > > > > > > > > > > > > > > > Minimally you need to import username. Probably email too if you want > > > > to use any of our email-based features. With UserFederationProvider you > > > > can delegate to the third-party storage for other user > > > > attributes/metadata. > > > > > > > > On 3/16/2015 6:01 AM, Stian Thorgersen wrote: > > > > > We don't currently have a way to plugin your own authentication > > > > > mechanism, > > > > > but this is something we'll be adding. > > > > > > > > > > You have two choices when it comes to users, you can either use our > > > > > user > > > > > federation provider mechanism to sync between Keycloak and your > > > > > current > > > > > db. Or you can migrate the users fully to the Keycloak db. In either > > > > > case > > > > > you have an option on overriding how passwords are verified (either > > > > > UserFederationProvider or by extending an existing UserProvider). 
> > > > > With > > > > > the > > > > > above authentication mechanism we'll most likely also make the > > > > > verification of passwords pluggable which would support different > > > > > hash > > > > > algorithms. > > > > > > > > > > ----- Original Message ----- > > > > >> From: "Kalinga Dissanayake" > > > > >> To: keycloak-user at lists.jboss.org > > > > >> Sent: Monday, March 16, 2015 10:48:55 AM > > > > >> Subject: [keycloak-user] Customization of authentication mechanism > > > > >> and > > > > >> + > > > > >> > > > > >> > > > > >> > > > > >> Guys, > > > > >> > > > > >> I need to understand the capability of keycloak with my requirement > > > > >> and > > > > >> to > > > > >> ensure that keycloak is scalable to meet my needs. My main > > > > >> requirement > > > > >> is > > > > >> to > > > > >> integrate keycloak to our system to support SSO hence I need to > > > > >> migrate > > > > >> my > > > > >> existing users. My main concerns; > > > > >> > > > > >> > > > > >> > > > > >> 1/ Customize authentication method. > > > > >> > > > > >> I need to authenticate users similar to what we currently use in our > > > > >> production system. In our system, users are identified by username, > > > > >> password > > > > >> and the pin. > > > > >> > > > > >> For instance; > > > > >> > > > > >> User -> jack, password -> pwd, pin -> 50000 > > > > >> > > > > >> User should enter all three to login to the system. > > > > >> > > > > >> I went through the codebase and I saw that the Authentication > > > > >> Manager > > > > >> (which > > > > >> is a concrete class) does all the work inside keycloak. I managed to > > > > >> customize the frontend with ease, however, in order to support the > > > > >> pin > > > > >> in > > > > >> the backend seems like I have to customize the AuthenticationManager > > > > >> class > > > > >> (no direct SPIs). 
> > > > >> > > > > >> Although there is a link here; > > > > >> > > > > >> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/authentication-spi.html > > > > >> > > > > >> I cant seem to find anything here which matches the current code > > > > >> base > > > > >> (to > > > > >> via > > > > >> a new authentication method via spis) and the example has been > > > > >> removed. > > > > >> > > > > >> > > > > >> > > > > >> 2/ Customize password hashes. > > > > >> > > > > >> We have our own algorithm used to store password hashes. What should > > > > >> I > > > > >> do > > > > >> to > > > > >> add this to keycloak? > > > > >> > > > > >> I do not know the current passwords of the users already in our > > > > >> system, > > > > >> so > > > > >> when doing the migration i need keyclock to support the current > > > > >> algorithm > > > > >> we > > > > >> use. Can we plugin new hashing algorithms to meet my needs? > > > > >> > > > > >> > > > > >> > > > > >> Any other issues I might face? > > > > >> > > > > >> I feel key cloak is the right choice if the above two questions are > > > > >> answered. > > > > >> Please let me know. 
> > > > >> > > > > >> _______________________________________________ > > > > >> keycloak-user mailing list > > > > >> keycloak-user at lists.jboss.org > > > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > > > > > keycloak-user mailing list > > > > > keycloak-user at lists.jboss.org > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > > > -- > > > > Bill Burke > > > > JBoss, a division of Red Hat > > > > http://bill.burkecentral.com > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > From guydavis.ca at gmail.com Tue Mar 17 11:46:34 2015 From: guydavis.ca at gmail.com (Guy Davis) Date: Tue, 17 Mar 2015 09:46:34 -0600 Subject: [keycloak-user] XML tag name for "enable-basic-auth" in keycloak.json In-Reply-To: <1549483681.18842929.1425354226468.JavaMail.zimbra@redhat.com> References: <1549483681.18842929.1425354226468.JavaMail.zimbra@redhat.com> Message-ID: Done. I've created JIRA 1076 and attached a diff for the two affected files, which I've tested locally against master. - integration/keycloak-as7-subsystem/src/main/java/org/keycloak/subsystem/extension/SecureDeploymentDefinition.java - integration/keycloak-as7-subsystem/src/main/resources/schema/keycloak_1_0.xsd Sorry, I can't provide Github PRs due to my employer's contribution policies. 
My hope is that I can get Keycloak accepted in our roadmap, then I get through our legal department, to begin providing proper Github PRs for fixes in the future. Would it be possible to include this small fix for the AS7 adapter in the upcoming 1.2beta1 drop? It would be very appreciated as using the XML configuration, with basic authentication, is the best approach for our apps. Thanks again, Guy On Mon, Mar 2, 2015 at 8:43 PM, Stian Thorgersen wrote: > Looks like that property hasn't been added to the sub-system, please > create a jira > > ----- Original Message ----- > > From: "Guy Davis" > > To: keycloak-user at lists.jboss.org > > Sent: Monday, 2 March, 2015 11:22:03 PM > > Subject: [keycloak-user] XML tag name for "enable-basic-auth" in > keycloak.json > > > > Good day, > > > > I've been able to enable basic authentication when using a keycloak.json > file > > placed into WEB-INF of my test war file. > > > > However, in other testing, I have a preference to use the standalone.xml > tag > > configuration for the realm and each secured war. I get errors trying to > > place true tag within a > > tag. > > > > I'm testing against master built locally within the past few days. > Looking at > > org.keycloak.subsystem.extension.SecureDeploymentDefinition it seems like > > this syntax is correct. This configuration file syntax is failing to > start > > JBoss EAP 6.1.0alpha with: > > > > > > > > > > Caused by: javax.xml.stream.XMLStreamException: Unknown > secure-deployment tag > > enable-basic-auth > > at > > > org.keycloak.subsystem.extension.KeycloakSubsystemParser.readDeployment(KeycloakSubsystemParser.java:108) > > > > Thanks in advance, > > Guy > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150317/6fbaf829/attachment.html

From juraci at kroehling.de Tue Mar 17 12:51:30 2015
From: juraci at kroehling.de (Juraci Paixão Kröhling)
Date: Tue, 17 Mar 2015 17:51:30 +0100
Subject: [keycloak-user] Admin's password override
Message-ID: <55085B92.1050801@kroehling.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All,

While it makes sense to ship with a default password for the admin user on Keycloak distributions, as it's reasonable to think that the admin is going to explore Keycloak right away, this expectation is not true for the situation where Keycloak is embedded into another product. I can imagine that the first time an "admin" will need to log into Keycloak's admin console when embedded into another product would be days/weeks after the initial setup.

That said, I'm collecting ideas on how to solve this issue for Hawkular. The first and most intuitive solution I can think of is to import a users JSON file on the first boot, which would (in theory, I haven't tested) override the password for admin. This password would need to be stored in clear text somewhere in the system, but I believe the pros/cons are worth it in this scenario (as this password will be valid only until the first login, so, days/weeks "only").

Do you have better ideas? Or feedback on whether the mentioned approach would/wouldn't work? Or strong arguments against doing that?

- - Juca.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJVCFuSAAoJEDnJtskdmzLMAWkH/juBqh3DlgQXPjU5CNubRzvI yst+2RhbESlMBxtcB+zXKLONbaiGOhdxdoAvg6qIq69WYZyYzYHEOFPMBLdZiN5D TZnNaGrBfsoJoMPmkNIs4YTJal8Gf3BRXrnRVjfIRI6D8TUpf+yVVEtd6/eGlajX tjTFWk7RgxmaNqPIaiBQONg1Ycx1GfE2NjSIo0CXcb13xix1Z/T2XzufTj8zGQru YiToATcX1kM27E3SgUax52pD9CtnQFrfkh7EeZsVciMM8yB/Fw0BAqSVxpBwza9b a7T5uynnk4AXxm4ZLFiclkqywgRpeeNpuhUngX1+02S8KlialFe+58CtXhjRPYs= =eea0 -----END PGP SIGNATURE----- From mposolda at redhat.com Tue Mar 17 18:01:48 2015 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 17 Mar 2015 23:01:48 +0100 Subject: [keycloak-user] Admin's password override In-Reply-To: <55085B92.1050801@kroehling.de> References: <55085B92.1050801@kroehling.de> Message-ID: <5508A44C.3060707@redhat.com> Hi Juca, You can already change the default admin password by override KeycloakApplication class and init the default model in setupDefaultRealm. See for example: https://github.com/keycloak/keycloak/blob/master/project-integrations/aerogear-ups/auth-server/src/main/java/org/aerogear/ups/security/UpsSecurityApplication.java Theoretically you can do anything you want in overriden class - for example save File with random content somewhere to the filesystem and set the value of initial admin password to this random content as you mentioned. Marek On 17.3.2015 17:51, Juraci Paix?o Kr?hling wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > All, > > While it makes sense to ship with a default password for the admin > user on Keycloak distributions, as it's reasonable to think that the > admin is going to explore Keycloak right away, this expectation is not > true for the situation where Keycloak is embedded into another > product. I can imagine that the first time an "admin" will need to log > into Keycloak's admin console when embedded into another product would > be days/weeks after the initial setup. > > That said, I'm collecting ideas on how to solve this issue for > Hawkular. 
The first and most intuitive solution I can think of is to > import an users JSON file on the first boot, which would (in theory, I > haven't tested) override the password for admin. This password would > need to be stored in clear text somewhere in the system, but I believe > the pros/cons are worth on this scenario (as this password will be > valid only until the first login, so, days/weeks "only"). > > Do you have better ideas? Or feedback on whether the mentioned > approach would/wouldn't work? Or strong arguments against doing that? > > - - Juca. > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1 > > iQEcBAEBAgAGBQJVCFuSAAoJEDnJtskdmzLMAWkH/juBqh3DlgQXPjU5CNubRzvI > yst+2RhbESlMBxtcB+zXKLONbaiGOhdxdoAvg6qIq69WYZyYzYHEOFPMBLdZiN5D > TZnNaGrBfsoJoMPmkNIs4YTJal8Gf3BRXrnRVjfIRI6D8TUpf+yVVEtd6/eGlajX > tjTFWk7RgxmaNqPIaiBQONg1Ycx1GfE2NjSIo0CXcb13xix1Z/T2XzufTj8zGQru > YiToATcX1kM27E3SgUax52pD9CtnQFrfkh7EeZsVciMM8yB/Fw0BAqSVxpBwza9b > a7T5uynnk4AXxm4ZLFiclkqywgRpeeNpuhUngX1+02S8KlialFe+58CtXhjRPYs= > =eea0 > -----END PGP SIGNATURE----- > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From stian at redhat.com Wed Mar 18 00:07:49 2015 From: stian at redhat.com (Stian Thorgersen) Date: Wed, 18 Mar 2015 00:07:49 -0400 (EDT) Subject: [keycloak-user] Admin's password override In-Reply-To: <55085B92.1050801@kroehling.de> References: <55085B92.1050801@kroehling.de> Message-ID: <2038205503.8325529.1426651669739.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "Juraci Paix?o Kr?hling" > To: keycloak-user at lists.jboss.org > Sent: Tuesday, March 17, 2015 5:51:30 PM > Subject: [keycloak-user] Admin's password override > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > All, > > While it makes sense to ship with a default password for the admin > user on Keycloak distributions, as it's reasonable to think that the > admin is going to 
explore Keycloak right away, this expectation is not > true for the situation where Keycloak is embedded into another > product. I can imagine that the first time an "admin" will need to log > into Keycloak's admin console when embedded into another product would > be days/weeks after the initial setup. > > That said, I'm collecting ideas on how to solve this issue for > Hawkular. The first and most intuitive solution I can think of is to > import an users JSON file on the first boot, which would (in theory, I > haven't tested) override the password for admin. This password would > need to be stored in clear text somewhere in the system, but I believe > the pros/cons are worth on this scenario (as this password will be > valid only until the first login, so, days/weeks "only"). > > Do you have better ideas? Or feedback on whether the mentioned > approach would/wouldn't work? Or strong arguments against doing that? Sounds a bit hackish to me ;) Why not just use the same user for the Hawkular admin console? That way they'll change the password when they login to Hawkular for the first time. An alternative is that we need to support a way to recover the admin password if it's lost. Would be a script or something that can only be used locally. With that you could just set the Keycloak admin password to something random. > > - - Juca. 
> -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1 > > iQEcBAEBAgAGBQJVCFuSAAoJEDnJtskdmzLMAWkH/juBqh3DlgQXPjU5CNubRzvI > yst+2RhbESlMBxtcB+zXKLONbaiGOhdxdoAvg6qIq69WYZyYzYHEOFPMBLdZiN5D > TZnNaGrBfsoJoMPmkNIs4YTJal8Gf3BRXrnRVjfIRI6D8TUpf+yVVEtd6/eGlajX > tjTFWk7RgxmaNqPIaiBQONg1Ycx1GfE2NjSIo0CXcb13xix1Z/T2XzufTj8zGQru > YiToATcX1kM27E3SgUax52pD9CtnQFrfkh7EeZsVciMM8yB/Fw0BAqSVxpBwza9b > a7T5uynnk4AXxm4ZLFiclkqywgRpeeNpuhUngX1+02S8KlialFe+58CtXhjRPYs= > =eea0 > -----END PGP SIGNATURE----- > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From juraci at kroehling.de Wed Mar 18 04:08:51 2015 From: juraci at kroehling.de (=?windows-1252?Q?Juraci_Paix=E3o_Kr=F6hling?=) Date: Wed, 18 Mar 2015 09:08:51 +0100 Subject: [keycloak-user] Admin's password override In-Reply-To: <5508A44C.3060707@redhat.com> References: <55085B92.1050801@kroehling.de> <5508A44C.3060707@redhat.com> Message-ID: <55093293.5000003@kroehling.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 03/17/2015 11:01 PM, Marek Posolda wrote: > You can already change the default admin password by override > KeycloakApplication class and init the default model in > setupDefaultRealm. See for example: > https://github.com/keycloak/keycloak/blob/master/project-integrations/aerogear-ups/auth-server/src/main/java/org/aerogear/ups/security/UpsSecurityApplication.java This > sounds really interesting, I'll check it out in details later. Thanks for pointing this out! - - Juca. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJVCTKSAAoJEDnJtskdmzLMoSoIAKtxp04oPdI7BZtDA1nUZ4p2 ldgCv6yV1nn2FCXilf3o+G5bSWtUiAAWh111UG5CEtqwetmVK3lM+cIoXZT7jt9R 4rJds8qW1C0EDTfmMocvbMtU6Xb2BvGdZ/caovCtsjwrVnTFVY2VEtZxkUBcb99O OGFJEe439cvomPL9jEhXdFcrsY2jcdQr69zzBA6D7H8WPgtJ7ErB1Gt+9c6rGpBK 3nrL8NuZXdendb75CrFVLA9WpUKJvo68obnIipHbx5Lu6Jcxe06DvR1khsCQLEfI Cwo0cPhZmKJpR+opLJNo4BpnwmLncYhIYLLl/nekvDIYP/sv0LuB9FCiwf/suas= =s9Y3 -----END PGP SIGNATURE----- From juraci at kroehling.de Wed Mar 18 04:15:55 2015 From: juraci at kroehling.de (=?UTF-8?B?SnVyYWNpIFBhaXjDo28gS3LDtmhsaW5n?=) Date: Wed, 18 Mar 2015 09:15:55 +0100 Subject: [keycloak-user] Admin's password override In-Reply-To: <2038205503.8325529.1426651669739.JavaMail.zimbra@redhat.com> References: <55085B92.1050801@kroehling.de> <2038205503.8325529.1426651669739.JavaMail.zimbra@redhat.com> Message-ID: <5509343B.3030607@kroehling.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 03/18/2015 05:07 AM, Stian Thorgersen wrote: >> Sounds a bit hackish to me ;) Indeed :) >> Why not just use the same user for the Hawkular admin console? >> That way they'll change the password when they login to Hawkular >> for the first time. Each Hawkular user is an "account", that have "tenancy" semantics. So, there's no notion of "admin" for Hawkular yet, and we are not convinced we need one. Perhaps that will change in the future, and if so, this would certainly be an option. But I'm not sure what you are suggesting: to use the "master" realm as the realm for Hawkular? Or to create an user on "hawkular" realm and assign this user as an "admin" on the master realm? Wouldn't it mean that there would be two users? >> An alternative is that we need to support a way to recover the >> admin password if it's lost. Would be a script or something that >> can only be used locally. With that you could just set the >> Keycloak admin password to something random. 
Agree on the first two parts, but what would be a good way to accomplish the third part (when to do it, and how to do it)? On first boot? - - Juca. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJVCTQ7AAoJEDnJtskdmzLMHF0H/0m5fokXt/IgyOd3Bu6+y5i4 BR8hXU0bziKtwHdLOnfgmOKGNd5cxrlvwY07Udo6IAqvuvwgvmoz470l87XEKfW5 GwiRT3HXoSbh+0kZRCBQgJaThH7k0PVbGRM5DzeoL+zsl6U6uqkZ47oLSgrL2dO8 6d0epTcg5PdAyJcFbDGi5SYa/PW6TkPQrR3wsA78IIippDP4FtrUPQzWVRdVaq+E GITYoVovWgGkuzm/WzaP58YyihxDXyO8t8MDDoyV/QAq5rJjWKbXhN6kM28Jtv02 toizoDyvr4sVW25qCqaHjOYzfEsUYw4KCNugAfYoXrfnNNfzrk93dEh+/2j+SRU= =J7vu -----END PGP SIGNATURE----- From stian at redhat.com Wed Mar 18 04:31:33 2015 From: stian at redhat.com (Stian Thorgersen) Date: Wed, 18 Mar 2015 04:31:33 -0400 (EDT) Subject: [keycloak-user] Admin's password override In-Reply-To: <5509343B.3030607@kroehling.de> References: <55085B92.1050801@kroehling.de> <2038205503.8325529.1426651669739.JavaMail.zimbra@redhat.com> <5509343B.3030607@kroehling.de> Message-ID: <1307889129.8366860.1426667493901.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "Juraci Paix?o Kr?hling" > To: "Stian Thorgersen" > Cc: keycloak-user at lists.jboss.org > Sent: Wednesday, March 18, 2015 9:15:55 AM > Subject: Re: [keycloak-user] Admin's password override > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 03/18/2015 05:07 AM, Stian Thorgersen wrote: > >> Sounds a bit hackish to me ;) > > Indeed :) > > >> Why not just use the same user for the Hawkular admin console? > >> That way they'll change the password when they login to Hawkular > >> for the first time. > > Each Hawkular user is an "account", that have "tenancy" semantics. So, > there's no notion of "admin" for Hawkular yet, and we are not > convinced we need one. Perhaps that will change in the future, and if > so, this would certainly be an option. > > But I'm not sure what you are suggesting: to use the "master" realm as > the realm for Hawkular? 
Or to create an user on "hawkular" realm and > assign this user as an "admin" on the master realm? Wouldn't it mean > that there would be two users? Interesting, who can create a tenant then? Do you not need an admin for that? > > >> An alternative is that we need to support a way to recover the > >> admin password if it's lost. Would be a script or something that > >> can only be used locally. With that you could just set the > >> Keycloak admin password to something random. > > Agree on the first two parts, but what would be a good way to > accomplish the third part (when to do it, and how to do it)? On first > boot? Think this is something we'll need to figure out for KC in either case. We need to be able to provision KC instances in the cloud without default username/passwords I reckon. Also, we do need the recover password option. Do you reckon that users of Hawkular will use the KC admin console at all? If not then just set the password to something random with the mechanism Marek pointed out. > > - - Juca. 
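Marek's pointer above (override KeycloakApplication and, in setupDefaultRealm, write random content to a file and use it as the initial admin password) and Stian's point that instances should come up without a default password are easy to get subtly wrong: the file has to be created atomically so a restart or a second node cannot overwrite a secret already handed out, it must not be readable by other local users, and the clear-text copy should go away after the first login. The following is an added example in Python, not Keycloak or Hawkular code and not something posted in the thread; the function names, the file path and the "first login" hook that calls discard_after_first_login are assumptions, and wiring it into setupDefaultRealm is left out.

```python
"""First-boot generation of a random initial admin password.

Added example for this thread, not Keycloak or Hawkular code. It does what
Marek describes (random content written to a file and used as the initial
admin password) with the checks a practitioner wants: the file is created
atomically with mode 0600, a second boot reuses it instead of overwriting it,
and the clear-text copy is removed once the first login has happened. The
names, the path and the first-login hook are this example's assumptions.
"""
import os
import secrets
import stat
from pathlib import Path


def initial_admin_password(secret_file: Path, nbytes: int = 32) -> str:
    """Return the initial admin password, generating it exactly once.

    O_CREAT|O_EXCL makes creation atomic: whichever caller wins writes the
    secret and every later caller reads it back, so a restart or a second
    cluster node cannot silently replace a password already handed out.
    """
    try:
        fd = os.open(secret_file, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return _read_existing(secret_file)
    password = secrets.token_urlsafe(nbytes)  # CSPRNG; 32 bytes -> 43 url-safe chars
    with os.fdopen(fd, "w") as fh:
        fh.write(password + "\n")
    return password


def _read_existing(secret_file: Path) -> str:
    """Refuse to use a secret that has become readable by other local users."""
    mode = stat.S_IMODE(os.stat(secret_file).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{secret_file} is group/world accessible (mode {mode:o})")
    return Path(secret_file).read_text().strip()


def discard_after_first_login(secret_file: Path) -> bool:
    """Delete the clear-text copy; call it from the first-login hook (assumed).

    Returns True when a file was actually removed and False if it was already
    gone, so the hook stays idempotent.
    """
    try:
        os.unlink(secret_file)
        return True
    except FileNotFoundError:
        return False
```

The string returned by initial_admin_password is what the overridden setupDefaultRealm would set as the admin credential; the file only exists to let the operator read it once. Whatever forces a password change at the first admin login still has to be in place, because this only replaces the well-known default with an unguessable one, it does not shorten the window during which a copy of it sits on disk.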
From kalinga at leapset.com Wed Mar 18 05:00:46 2015
From: kalinga at leapset.com (Kalinga Dissanayake)
Date: Wed, 18 Mar 2015 14:30:46 +0530 (IST)
Subject: [keycloak-user] Tomcat adapter for keycloak
In-Reply-To: <815431022.7873125.1426587935971.JavaMail.zimbra@redhat.com>
References: <1426499335.4721402@apps.rackspace.com> <1426578732.697118522@apps.rackspace.com> <1310458791.7846793.1426582533536.JavaMail.zimbra@redhat.com> <1426584326.304931416@apps.rackspace.com> <1426584378.44864838@apps.rackspace.com> <2078082943.7862174.1426585311801.JavaMail.zimbra@redhat.com> <677074152.7862458.1426585462878.JavaMail.zimbra@redhat.com> <1426587790.632621088@apps.rackspace.com> <815431022.7873125.1426587935971.JavaMail.zimbra@redhat.com>
Message-ID: <1426669246.859226667@apps.rackspace.com>

I am in the process of trying out a few adapters supported by Keycloak.

Tried the Tomcat adapter but I'm getting a continuous redirect on the browser.

I did the following:

1/ Installed the adapter on Tomcat

2/ Installed all the libraries.
3/ Changed catalina.jar to add an authentication type called KEYCLOAK

4/ Added the context.xml to the client in META-INF

<Context>
  <Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve" />
</Context>

5/ Added the keycloak.json

{
  "realm": "demo",
  "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6pigvwuJUVfi9sEaZOj7txNfBwPAEt+0AIBSFHRzoWSxNAnznkwGV83qGK+Kc6GAMdlch87GeFzSZh76qC9GUlQ1WGOjbNA4YApnd9PmLvt1iBfe/3xkjIBeKEYmeA9mg3xn3eTosWmL1WIFzFy4NRbe09fAC1hZ5zazfjSDBtwIDAQAB",
  "auth-server-url": "http://localhost:8080/auth",
  "ssl-required": "external",
  "resource": "customer-portal",
  "public-client": true,
  "use-resource-role-mappings": true
}

6/ Changed web.xml

<!DOCTYPE web-app PUBLIC
  "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <display-name>Archetype Created Web Application</display-name>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>sample</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <security-role>
    <role-name>user</role-name>
  </security-role>

  <login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>demo</realm-name>
  </login-config>
</web-app>

The client app successfully redirects to the server URL (Keycloak) and I can log in entering the creds, and it redirects back to the client; however, the client goes into a loop.

Should I do a change in the client to extract some details and save it in the session? Or will the adapter handle this for me?

Kalinga
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150318/8410b711/attachment.html

From juraci at kroehling.de Wed Mar 18 05:07:07 2015
From: juraci at kroehling.de (Juraci Paixão Kröhling)
Date: Wed, 18 Mar 2015 10:07:07 +0100
Subject: [keycloak-user] Admin's password override
In-Reply-To: <1307889129.8366860.1426667493901.JavaMail.zimbra@redhat.com>
References: <55085B92.1050801@kroehling.de> <2038205503.8325529.1426651669739.JavaMail.zimbra@redhat.com> <5509343B.3030607@kroehling.de> <1307889129.8366860.1426667493901.JavaMail.zimbra@redhat.com>
Message-ID: <5509403B.5090108@kroehling.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/18/2015 09:31 AM, Stian Thorgersen wrote:
>> Interesting, who can create a tenant then? Do you not need an
>> admin for that?

Self-registration is active for the "Hawkular" realm and we decided to perform authorizations on our side.
So, each user on the realm is considered a tenant on our side (not 100% true, but it's a good approximation; I can send you more details if you are interested).

>> Do you reckon that users of Hawkular will use the KC admin
>> console at all? If not then just set the password to something
>> random with the mechanism Marek pointed out.

Hawkular users will not have access to the "admin console". Nothing forbids, of course, a system administrator with access to the KC "admin" account from also having a Hawkular account. But those are independent: an admin on the "master" realm is not a privileged user on the "hawkular" realm. This *may* change in the future, though, if/when we end up having an admin console on Hawkular.

- Juca.

From mposolda at redhat.com  Wed Mar 18 07:20:28 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 18 Mar 2015 12:20:28 +0100
Subject: [keycloak-user] Tomcat adapter for keycloak
In-Reply-To: <1426669246.859226667@apps.rackspace.com>
References: <1426499335.4721402@apps.rackspace.com> <1426578732.697118522@apps.rackspace.com> <1310458791.7846793.1426582533536.JavaMail.zimbra@redhat.com> <1426584326.304931416@apps.rackspace.com> <1426584378.44864838@apps.rackspace.com> <2078082943.7862174.1426585311801.JavaMail.zimbra@redhat.com> <677074152.7862458.1426585462878.JavaMail.zimbra@redhat.com> <1426587790.632621088@apps.rackspace.com> <815431022.7873125.1426587935971.JavaMail.zimbra@redhat.com> <1426669246.859226667@apps.rackspace.com>
Message-ID: <55095F7C.6030007@redhat.com>

For
Tomcat adapter, you don't need KEYCLOAK authentication type in web.xml, but BASIC should be sufficient. Does it work with BASIC and without your step 3 (changing catalina.jar)?

Marek

On 18.3.2015 10:00, Kalinga Dissanayake wrote:
> I am in the process of trying out a few adapters supported by keycloak.
>
> Tried the tomcat adapter but I'm getting a continuous redirect on the browser.
>
> I did the following:
>
> 1/ Installed the adapter on tomcat
> 2/ Installed all the libraries.
> 3/ Changed catalina.jar to add an authentication type called KEYCLOAK
> 4/ Added the context.xml to the client in META-INF
>
> className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve" />
>
> 5/ Added the keycloak.json
>
> {
>   "realm": "demo",
>   "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6pigvwuJUVfi9sEaZOj7txNfBwPAEt+0AIBSFHRzoWSxNAnznkwGV83qGK+Kc6GAMdlch87GeFzSZh76qC9GUlQ1WGOjbNA4YApnd9PmLvt1iBfe/3xkjIBeKEYmeA9mg3xn3eTosWmL1WIFzFy4NRbe09fAC1hZ5zazfjSDBtwIDAQAB",
>   "auth-server-url": "http://localhost:8080/auth",
>   "ssl-required": "external",
>   "resource": "customer-portal",
>   "public-client": true,
>   "use-resource-role-mappings": true
> }
>
> 6/ Changed web.xml
>
> "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
> "http://java.sun.com/dtd/web-app_2_3.dtd"
>
> Archetype Created Web Application
> sample
> /*
> user
> user
> KEYCLOAK
> demo
>
> The client app successfully redirects to the server url (keycloak) and I can login entering the creds, and it redirects back to the client; however, the client goes into a loop.
>
> Should I do a change in the client to extract some details and save it in the session?
> Or will the adapter handle this for me?
>
> Kalinga

From kalinga at leapset.com  Wed Mar 18 07:41:27 2015
From: kalinga at leapset.com (Kalinga Dissanayake)
Date: Wed, 18 Mar 2015 17:11:27 +0530 (IST)
Subject: [keycloak-user] Tomcat adapter for keycloak
In-Reply-To: <55095F7C.6030007@redhat.com>
References: <1426499335.4721402@apps.rackspace.com> <1426578732.697118522@apps.rackspace.com> <1310458791.7846793.1426582533536.JavaMail.zimbra@redhat.com> <1426584326.304931416@apps.rackspace.com> <1426584378.44864838@apps.rackspace.com> <2078082943.7862174.1426585311801.JavaMail.zimbra@redhat.com> <677074152.7862458.1426585462878.JavaMail.zimbra@redhat.com> <1426587790.632621088@apps.rackspace.com> <815431022.7873125.1426587935971.JavaMail.zimbra@redhat.com> <1426669246.859226667@apps.rackspace.com> <55095F7C.6030007@redhat.com>
Message-ID: <1426678887.29496266@apps.rackspace.com>

It didn't. That's why I did the change to the catalina.jar file.

Managed to come up with this: http://blog-ungarida.rhcloud.com/keycloak-tomcat-adapter/

That's why I did this change to catalina.jar.

Kalinga

-----Original Message-----
From: "Marek Posolda"
Sent: Wednesday, March 18, 2015 4:50pm
To: "Kalinga Dissanayake", keycloak-user at lists.jboss.org, "Stian Thorgersen"
Subject: Re: [keycloak-user] Tomcat adapter for keycloak

For Tomcat adapter, you don't need KEYCLOAK authentication type in web.xml, but BASIC should be sufficient. Does it work with BASIC and without your step 3 (changing catalina.jar)?
Marek

On 18.3.2015 10:00, Kalinga Dissanayake wrote:

I am in the process of trying out a few adapters supported by keycloak.

Tried the tomcat adapter but I'm getting a continuous redirect on the browser.

I did the following:

1/ Installed the adapter on tomcat
2/ Installed all the libraries.
3/ Changed catalina.jar to add an authentication type called KEYCLOAK
4/ Added the context.xml to the client in META-INF
5/ Added the keycloak.json

{
  "realm": "demo",
  "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6pigvwuJUVfi9sEaZOj7txNfBwPAEt+0AIBSFHRzoWSxNAnznkwGV83qGK+Kc6GAMdlch87GeFzSZh76qC9GUlQ1WGOjbNA4YApnd9PmLvt1iBfe/3xkjIBeKEYmeA9mg3xn3eTosWmL1WIFzFy4NRbe09fAC1hZ5zazfjSDBtwIDAQAB",
  "auth-server-url": "http://localhost:8080/auth",
  "ssl-required": "external",
  "resource": "customer-portal",
  "public-client": true,
  "use-resource-role-mappings": true
}

6/ Changed web.xml

Archetype Created Web Application
sample
/*
user
user
KEYCLOAK
demo

The client app successfully redirects to the server url (keycloak) and I can login entering the creds, and it redirects back to the client; however, the client goes into a loop.

Should I do a change in the client to extract some details and save it in the session? Or will the adapter handle this for me?

Kalinga
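The keycloak.json above ships the realm's public key, and later in this thread Stian notes that a service receiving a bearer token can check the JWS signature with that key rather than calling the server. The following Go program is an added illustration, not Keycloak's own RSATokenVerifier or adapter code: it parses `realm-public-key`, pins RS256, verifies the signature before reading any claim, and then checks `exp` and `iss` (assumed here to be `<auth-server-url>/realms/<realm>`); the key pair and the signed token are generated inline so it runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

type AdapterConfig struct { // the keycloak.json fields this example reads
	Realm          string `json:"realm"`
	RealmPublicKey string `json:"realm-public-key"` // base64 DER SubjectPublicKeyInfo
	AuthServerURL  string `json:"auth-server-url"`
}

type Claims struct { // subset of access-token claims checked here
	Iss string `json:"iss"`
	Exp int64  `json:"exp"`
}

// ParseRealmKey decodes the realm-public-key string into an RSA public key.
func ParseRealmKey(cfg AdapterConfig) (*rsa.PublicKey, error) {
	der, err := base64.StdEncoding.DecodeString(cfg.RealmPublicKey)
	if err != nil {
		return nil, err
	}
	pub, err := x509.ParsePKIXPublicKey(der)
	rsaKey, ok := pub.(*rsa.PublicKey)
	if err == nil && !ok {
		err = errors.New("realm-public-key is not an RSA key")
	}
	return rsaKey, err
}

// VerifyToken checks alg, RS256 signature, expiry and issuer; no claim is trusted before the signature passes.
func VerifyToken(token string, key *rsa.PublicKey, cfg AdapterConfig, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: expected 3 segments")
	}
	hdrBytes, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	payload, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("malformed token: bad base64url segment")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(hdrBytes, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg) // pins RS256: rejects "none" and HMAC key confusion
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not match realm public key")
	}
	var claims Claims
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	if now.Unix() >= claims.Exp {
		return nil, errors.New("token expired")
	}
	if claims.Iss != strings.TrimRight(cfg.AuthServerURL, "/")+"/realms/"+cfg.Realm {
		return nil, fmt.Errorf("unexpected issuer %q", claims.Iss)
	}
	return &claims, nil
}

// SignToken mints an RS256 token so the example runs offline; in practice only Keycloak holds the realm private key.
func SignToken(claims Claims, priv *rsa.PrivateKey) (string, error) {
	payload, _ := json.Marshal(claims) // fixed struct, cannot fail
	input := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + base64.RawURLEncoding.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// NewDemoRealm generates a throwaway realm key pair and a matching keycloak.json-style config (constructed for this example).
func NewDemoRealm() (*rsa.PrivateKey, AdapterConfig) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // fails only if the system RNG is unavailable
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey) // cannot fail for an RSA key
	cfg := AdapterConfig{Realm: "demo", AuthServerURL: "http://localhost:8080/auth", RealmPublicKey: base64.StdEncoding.EncodeToString(der)}
	return priv, cfg
}

func main() {
	priv, cfg := NewDemoRealm()
	key, _ := ParseRealmKey(cfg)
	tok, _ := SignToken(Claims{Iss: "http://localhost:8080/auth/realms/demo", Exp: time.Now().Add(5 * time.Minute).Unix()}, priv)
	fmt.Println(VerifyToken(tok, key, cfg, time.Now()))
}
```

To check a real token, load the actual keycloak.json into AdapterConfig and pass the bearer value from the Authorization header to VerifyToken; anything the adapter would reject (expired, wrong realm, altered payload, alg swapped) comes back as an error here too.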
From bburke at redhat.com  Wed Mar 18 09:13:00 2015
From: bburke at redhat.com (Bill Burke)
Date: Wed, 18 Mar 2015 09:13:00 -0400
Subject: [keycloak-user] Tomcat adapter for keycloak
In-Reply-To: <1426678887.29496266@apps.rackspace.com>
References: <1426499335.4721402@apps.rackspace.com> <1426578732.697118522@apps.rackspace.com> <1310458791.7846793.1426582533536.JavaMail.zimbra@redhat.com> <1426584326.304931416@apps.rackspace.com> <1426584378.44864838@apps.rackspace.com> <2078082943.7862174.1426585311801.JavaMail.zimbra@redhat.com> <677074152.7862458.1426585462878.JavaMail.zimbra@redhat.com> <1426587790.632621088@apps.rackspace.com> <815431022.7873125.1426587935971.JavaMail.zimbra@redhat.com> <1426669246.859226667@apps.rackspace.com> <55095F7C.6030007@redhat.com> <1426678887.29496266@apps.rackspace.com>
Message-ID: <550979DC.4060808@redhat.com>

What is the Tomcat version? Do you happen to have a reproducible bundle you could send me? If not, no worries.

On 3/18/2015 7:41 AM, Kalinga Dissanayake wrote:
> It didn't. That's why I did the change to the catalina.jar file.
>
> Managed to come up with this
> http://blog-ungarida.rhcloud.com/keycloak-tomcat-adapter/
>
> That's why I did this change to catalina.jar.
>
> Kalinga
>
> -----Original Message-----
> From: "Marek Posolda"
> Sent: Wednesday, March 18, 2015 4:50pm
> To: "Kalinga Dissanayake", keycloak-user at lists.jboss.org, "Stian Thorgersen"
> Subject: Re: [keycloak-user] Tomcat adapter for keycloak
>
> For Tomcat adapter, you don't need KEYCLOAK authentication type in
> web.xml, but BASIC should be sufficient. Does it work with BASIC and
> without your step 3 (changing catalina.jar)?
>
> Marek
>
> On 18.3.2015 10:00, Kalinga Dissanayake wrote:
>
> I am in the process of trying out a few adapters supported by keycloak.
>
> Tried the tomcat adapter but I'm getting a continuous redirect on
> the browser.
>
> I did the following:
>
> 1/ Installed the adapter on tomcat
> 2/ Installed all the libraries.
> 3/ Changed catalina.jar to add an authentication type called KEYCLOAK
> 4/ Added the context.xml to the client in META-INF
>
> className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve" />
>
> 5/ Added the keycloak.json
>
> {
>   "realm": "demo",
>   "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6pigvwuJUVfi9sEaZOj7txNfBwPAEt+0AIBSFHRzoWSxNAnznkwGV83qGK+Kc6GAMdlch87GeFzSZh76qC9GUlQ1WGOjbNA4YApnd9PmLvt1iBfe/3xkjIBeKEYmeA9mg3xn3eTosWmL1WIFzFy4NRbe09fAC1hZ5zazfjSDBtwIDAQAB",
>   "auth-server-url": "http://localhost:8080/auth",
>   "ssl-required": "external",
>   "resource": "customer-portal",
>   "public-client": true,
>   "use-resource-role-mappings": true
> }
>
> 6/ Changed web.xml
>
> "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
> "http://java.sun.com/dtd/web-app_2_3.dtd"
>
> Archetype Created Web Application
> sample
> /*
> user
> user
> KEYCLOAK
> demo
>
> The client app successfully redirects to the server url (keycloak)
> and I can login entering the creds, and it redirects back to the
> client; however, the client goes into a loop.
>
> Should I do a change in the client to extract some details and save
> it in the session?
> Or will the adapter handle this for me?
>
> Kalinga

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From kalc04 at gmail.com  Thu Mar 19 02:00:14 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Thu, 19 Mar 2015 11:30:14 +0530
Subject: [keycloak-user] Using KeyCloak Proxy with Saml/OpenId-Connect Protocols

Hi,

I have been trying to use the KeyCloak proxy to authorize my client application.

In the application configurations, I have the option of setting the 'Client Protocol' to be either 'Saml' or 'OpenId-connect'. Although I have set it to both the options in my tests, I received the same response. It included 17 headers, which had KEYCLOAK_ACCESS_TOKEN, KEYCLOAK_SUBJECT, KEYCLOAK_USERNAME among others. No other useful information was included.

My question is, what is the difference I am supposed to expect in the responses between Saml and OpenId-Connect protocols? If I get a valid Saml response (XML), where is it exactly located?

Thanks!

From bburke at redhat.com  Thu Mar 19 08:41:45 2015
From: bburke at redhat.com (Bill Burke)
Date: Thu, 19 Mar 2015 08:41:45 -0400
Subject: [keycloak-user] Using KeyCloak Proxy with Saml/OpenId-Connect Protocols
Message-ID: <550AC409.3010706@redhat.com>

The proxy can only do openid connect. There are a number of saml proxies out there already for Apache HTTPD.
On 3/19/2015 2:00 AM, Lohitha Chiranjeewa wrote:
> Hi,
>
> I have been trying to use the KeyCloak proxy to authorize my client
> application.
>
> In the application configurations, I have the option of setting the
> 'Client Protocol' to be either 'Saml' or 'OpenId-connect'. Although I
> have set it to both the options in my tests, I received the same
> response. It included 17 headers, which had KEYCLOAK_ACCESS_TOKEN,
> KEYCLOAK_SUBJECT, KEYCLOAK_USERNAME among others. No other useful
> information was included.
>
> My question is, what is the difference I am supposed to expect in the
> responses between Saml and OpenId-Connect protocols? If I get a valid
> Saml response (XML), where is it exactly located?
>
> Thanks!

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From kalc04 at gmail.com  Thu Mar 19 12:00:07 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Thu, 19 Mar 2015 21:30:07 +0530
Subject: [keycloak-user] Using KeyCloak Proxy with Saml/OpenId-Connect Protocols
In-Reply-To: <550AC409.3010706@redhat.com>
References: <550AC409.3010706@redhat.com>

Thanks for the reply. As a follow-up question: if I am to use a client app which doesn't have a recommended adapter (such as a PHP client) with KeyCloak, is there a straightforward way I can integrate Saml?

Thanks.

The proxy can only do openid connect. There are a number of saml proxies out there already for Apache HTTPD.

On 3/19/2015 2:00 AM, Lohitha Chiranjeewa wrote:
> Hi,
>
> I have been trying to use the KeyCloak proxy to authorize my client
> application.
>
> In the application configurations, I have the option of setting the
> 'Client Protocol' to be either 'Saml' or 'OpenId-connect'. Although I
> have set it to both the options in my tests, I received the same
> response.
> It included 17 headers, which had KEYCLOAK_ACCESS_TOKEN,
> KEYCLOAK_SUBJECT, KEYCLOAK_USERNAME among others. No other useful
> information was included.
>
> My question is, what is the difference I am supposed to expect in the
> responses between Saml and OpenId-Connect protocols? If I get a valid
> Saml response (XML), where is it exactly located?
>
> Thanks!

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From ah at magick.nu  Thu Mar 19 14:58:58 2015
From: ah at magick.nu (Anton Hughes)
Date: Thu, 19 Mar 2015 19:58:58 +0100
Subject: [keycloak-user] Migrating custom user database to Keycloak

Hello

I'm currently investigating using Keycloak as a solution to manage users, as well as authentication and authorization.

Currently, we have a jboss Errai application, and have a relational database of users and their encrypted password.

Are there any tutorials, or advice, on how we would migrate our users to the Keycloak IDM?

Thanks and regards
Anton
From mposolda at redhat.com  Thu Mar 19 15:03:54 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 19 Mar 2015 20:03:54 +0100
Subject: [keycloak-user] Migrating custom user database to Keycloak
Message-ID: <550B1D9A.6010901@redhat.com>

Hi,

it will be best if you write a custom FederationProvider and point it to your database. See http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/user_federation.html and the examples in appliance-dist (subdirectory examples/providers).

Marek

On 19.3.2015 19:58, Anton Hughes wrote:
> Hello
>
> I'm currently investigating using Keycloak as a solution to manage
> users, as well as authentication and authorization.
>
> Currently, we have a jboss Errai application, and have a relational
> database of users and their encrypted password.
>
> Are there any tutorials, or advice, on how we would migrate our users
> to the Keycloak IDM?
>
> Thanks and regards
> Anton

From ah at magick.nu  Thu Mar 19 16:09:06 2015
From: ah at magick.nu (Anton Hughes)
Date: Thu, 19 Mar 2015 21:09:06 +0100
Subject: [keycloak-user] Migrating custom user database to Keycloak
In-Reply-To: <550B1D9A.6010901@redhat.com>
References: <550B1D9A.6010901@redhat.com>

Thank you Marek

To check that I understand this approach correctly, is the following a correct summary of how a federation provider works?

1. existing user tries to login via Keycloak
2. Keycloak checks if the user exists in the keycloak IDM. If user is not there then use federation provider
3.
the provider will get the user by email address or username, and return the User object.
4. This user object can then be mapped and saved into keycloak.
5. Next time user tries to login user is retrieved from keycloak idm

Question - where is the federated provider deployed? Is it in our app, or installed into Keycloak? Or something else?

Thanks

On Thu, Mar 19, 2015 at 8:03 PM, Marek Posolda wrote:
> Hi,
>
> it will be best if you write custom FederationProvider and point it to
> your database. See
> http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/user_federation.html
> and examples in appliance-dist (Subdirectory examples/providers)
>
> Marek
>
> On 19.3.2015 19:58, Anton Hughes wrote:
>
> Hello
>
> I'm currently investigating using Keycloak as a solution to manage users,
> as well as authentication and authorization.
>
> Currently, we have a jboss Errai application, and have a relational
> database of users and their encrypted password.
>
> Are there any tutorials, or advice, on how we would migrate our users to
> the Keycloak IDM?
>
> Thanks and regards
> Anton

--
Anton Hughes
Co-founder
ah at magick.nu
www.magick.nu

From adisari06 at yahoo.com  Thu Mar 19 18:52:56 2015
From: adisari06 at yahoo.com (Adil Arif)
Date: Thu, 19 Mar 2015 22:52:56 +0000 (UTC)
Subject: [keycloak-user] Compiled binaries
Message-ID: <172645297.980001.1426805576187.JavaMail.yahoo@mail.yahoo.com>

Hello,

I am learning to hack on Keycloak. I am able to pull down the master code and compile it with Maven.
However, I am unable to find where the compiled binaries are placed for keycloak-appliance-dist-all-******.zip or keycloak-war-dist-all-*****.zip after running `mvn package`.

Thank you!

Adil Arif

From stian at redhat.com  Fri Mar 20 00:22:32 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 20 Mar 2015 00:22:32 -0400 (EDT)
Subject: [keycloak-user] Compiled binaries
In-Reply-To: <172645297.980001.1426805576187.JavaMail.yahoo@mail.yahoo.com>
References: <172645297.980001.1426805576187.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <1642059357.152853.1426825352523.JavaMail.zimbra@redhat.com>

mvn clean install -Pdistribution

and it'll be in keycloak/distribution/appliance-dist/target

----- Original Message -----
> From: "Adil Arif"
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, 19 March, 2015 11:52:56 PM
> Subject: [keycloak-user] Compiled binaries
>
> Hello,
>
> I am learning to hack on Keycloak. I am able to pull down the master code and
> compile it with Maven. However, I am unable to find where the compiled
> binaries are placed for keycloak-appliance-dist-all-******.zip or
> keycloak-war-dist-all-*****.zip after running `mvn package`. Thank you!
>
> Adil Arif

From mposolda at redhat.com  Fri Mar 20 03:58:26 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 20 Mar 2015 08:58:26 +0100
Subject: [keycloak-user] Migrating custom user database to Keycloak
In-Reply-To: <550B1D9A.6010901@redhat.com>
References: <550B1D9A.6010901@redhat.com>
Message-ID: <550BD322.9030209@redhat.com>

On 19.3.2015 21:09, Anton Hughes wrote:
> Thank you Marek
>
> To check that I understand this approach correctly, is the following a
> correct summary of how a federation provider works?
>
> 1. existing user tries to login via Keycloak
> 2. Keycloak checks if the user exists in the keycloak IDM. If user is
> not there then use federation provider
> 3. the provider will get the user by email address or username, and
> return the User object.
> 4. This user object can then be mapped and saved into keycloak.
> 5. Next time user tries to login user is retrieved from keycloak idm

Yes. Keycloak also verifies during each authentication (or interaction with the UserModel) whether the user still exists in your backend, and it is removed from the Keycloak DB if not. Normally a user is synced to the Keycloak DB after a successful login (your step 4), but you can also sync all your users from your storage at once or set up periodic sync. The user password would be verified against your DB, but it is flexible enough, so for example if a user changes his password in Keycloak Account management you can either save it to your backend or to the Keycloak DB etc.

> Question - where is the federated provider deployed? Is it in our app,
> or installed into Keycloak? Or something else?

Installed into Keycloak. I would suggest taking a look at the examples and trying them out. This will give you more insight.
Marek

> Thanks
>
> On Thu, Mar 19, 2015 at 8:03 PM, Marek Posolda wrote:
>
>     Hi,
>
>     it will be best if you write custom FederationProvider and point
>     it to your database. See
>     http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/user_federation.html
>     and examples in appliance-dist (Subdirectory examples/providers)
>
>     Marek
>
>     On 19.3.2015 19:58, Anton Hughes wrote:
>>
>> Hello
>>
>> I'm currently investigating using Keycloak as a solution to manage
>> users, as well as authentication and authorization.
>>
>> Currently, we have a jboss Errai application, and have a
>> relational database of users and their encrypted password.
>>
>> Are there any tutorials, or advice, on how we would migrate our
>> users to the Keycloak IDM?
>>
>> Thanks and regards
>> Anton
>
> --
> Anton Hughes
> Co-founder
> ah at magick.nu
> www.magick.nu
From kalinga at leapset.com  Fri Mar 20 04:21:29 2015
From: kalinga at leapset.com (Kalinga Dissanayake)
Date: Fri, 20 Mar 2015 13:51:29 +0530 (IST)
Subject: [keycloak-user] Customization of authentication mechanism and +
In-Reply-To: <815431022.7873125.1426587935971.JavaMail.zimbra@redhat.com>
References: <1426499335.4721402@apps.rackspace.com> <1426578732.697118522@apps.rackspace.com> <1310458791.7846793.1426582533536.JavaMail.zimbra@redhat.com> <1426584326.304931416@apps.rackspace.com> <1426584378.44864838@apps.rackspace.com> <2078082943.7862174.1426585311801.JavaMail.zimbra@redhat.com> <677074152.7862458.1426585462878.JavaMail.zimbra@redhat.com> <1426587790.632621088@apps.rackspace.com> <815431022.7873125.1426587935971.JavaMail.zimbra@redhat.com>
Message-ID: <1426839689.055925538@apps.rackspace.com>

Stian,

As per your previous email I should use the endpoint /{realm}/protocols/openid-connect/token

However, I am using version 1.1.0.Final of keycloak. It seems this is the production-ready release available; however, it does not have the above endpoint [/{realm}/protocols/openid-connect/token].

Instead, version 1.1.0.Final has this endpoint, which seems to be doing the same thing:

/realms/demo/protocol/openid-connect/access/codes

So I have a few questions regarding the above:

1/ Is the /access/codes api endpoint the same as the /token endpoint, where the latter is planned to be released in a future version? I compared the js adapters in 1.1.0 and 1.2.0.Beta. The 1.1.0 version uses the /access/codes api endpoint while 1.2.0.Beta uses /token.

2/ Similarly the /{realm}/protocols/openid-connect/auth api endpoint has been changed. What is the mapping endpoint for this in the 1.1.0 version? Are there other api signatures that are planned to be changed in the future?
3/ If I am using keycloak for an application which I am planning to roll out to production soon, which version would you recommend?

4/ The above apis are for openid-connect. What are the endpoints available if the authorization type is saml?

Extract from previous email:

> > * Configure adapter using keycloak.json
> > * Implement client side of OAuth2 Authorization Code Grant
> > 1. Generate a state variable and store in a cookie or session
> > 2. Redirect to
> > /{realm}/protocols/openid-connect/auth?client_id=&response_type=code&state=<uuid>&redirect_uri=
> > 3. Once the user has logged-in it's redirected back to with
> > a code query param
> > 4. Use the code query param to obtain a token by posting to
> > /{realm}/protocols/openid-connect/token the form-data should be
> > grant_type=authorization_code&code= you also need to include a http
> > basic authorization header with client id and secret

Thanks.
Kalinga

-----Original Message-----
From: "Stian Thorgersen"
Sent: Tuesday, March 17, 2015 3:55pm
To: "Kalinga Dissanayake"
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Customization of authentication mechanism and +

Source code for all adapters is in: https://github.com/keycloak/keycloak/tree/master/integration

----- Original Message -----
> From: "Kalinga Dissanayake"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Tuesday, March 17, 2015 11:23:10 AM
> Subject: Re: [keycloak-user] Customization of authentication mechanism and +
>
> Thanks Stian. :) Let me first go through the resources I have on the website.
> The java source code of the adapter also must be present somewhere for me to
> have a look I guess?
>
> Kalinga
>
> -----Original Message-----
> From: "Stian Thorgersen"
> Sent: Tuesday, March 17, 2015 3:14pm
> To: "Kalinga Dissanayake"
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Customization of authentication mechanism and +
>
> If you have any more questions feel free to ask, anyone contributing code
> gets extra questions answered ;)
>
> ----- Original Message -----
> > From: "Stian Thorgersen"
> > To: "Kalinga Dissanayake"
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Tuesday, March 17, 2015 10:41:51 AM
> > Subject: Re: [keycloak-user] Customization of authentication mechanism and +
> >
> > There are no hints regarding adapter logic, but what you'll need is:
> >
> > * Configure adapter using keycloak.json
> > * Implement client side of OAuth2 Authorization Code Grant
> > 1. Generate a state variable and store in a cookie or session
> > 2. Redirect to
> > /{realm}/protocols/openid-connect/auth?client_id=&response_type=code&state=<uuid>&redirect_uri=
> > 3. Once the user has logged-in it's redirected back to with
> > a code query param
> > 4. Use the code query param to obtain a token by posting to
> > /{realm}/protocols/openid-connect/token the form-data should be
> > grant_type=authorization_code&code= you also need to include a http
> > basic authorization header with client id and secret
> >
> > Once you've done that you should have a token available to the application.
> > Then you have to deal with:
> >
> > * Refreshing token when expired
> > * Handle logout events from Keycloak
> > * Clustering issues
> > * If you want to support creating rest endpoints in PHP you also need to
> > support verifying the bearer token included in authorization header, this
> > can be done by checking the jws signature using the realm public key
> >
> > ----- Original Message -----
> > > From: "Kalinga Dissanayake"
> > > To: "Kalinga Dissanayake"
> > > Cc: "Stian Thorgersen", "Bill Burke", keycloak-user at lists.jboss.org
> > > Sent: Tuesday, March 17, 2015 10:26:18 AM
> > > Subject: Re: [keycloak-user] Customization of authentication mechanism and +
> > >
> > > * I can get a php application in place
> > >
> > > Kalinga
> > >
> > > -----Original Message-----
> > > From: "Kalinga Dissanayake"
> > > Sent: Tuesday, March 17, 2015 2:55pm
> > > To: "Stian Thorgersen"
> > > Cc: "Bill Burke", keycloak-user at lists.jboss.org
> > > Subject: Re: [keycloak-user] Customization of authentication mechanism and +
> > >
> > > Thanks again.
> > > I need to go through most documentation to get the hang of it. Will do.
> > > I would love to contribute if you can get a php application in place, is it
> > > possible for you to direct me to documentation where there are hints
> > > regarding the adapter logic?
> > >
> > > Kalinga
> > >
> > > -----Original Message-----
> > > From: "Stian Thorgersen"
> > > Sent: Tuesday, March 17, 2015 2:25pm
> > > To: "Kalinga Dissanayake"
> > > Cc: "Bill Burke", keycloak-user at lists.jboss.org
> > > Subject: Re: [keycloak-user] Customization of authentication mechanism and +
> > >
> > > ----- Original Message -----
> > > > From: "Kalinga Dissanayake"
> > > > To: "Bill Burke"
> > > > Cc: keycloak-user at lists.jboss.org
> > > > Sent: Tuesday, March 17, 2015 8:52:12 AM
> > > > Subject: Re: [keycloak-user] Customization of authentication mechanism and +
> > > >
> > > > Thanks again for your quick feedback.
> > > >
> > > > Sorry I have a number of questions so I will be buzzing you guys
> > > > regularly.
> > > >
> > > > I went through the document for the adapters:
> > > >
> > > > http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html
> > > >
> > > > So let's say I need a php application to be deployed using keycloak as
> > > > my SSO manager application.
> > > >
> > > > So my basic requirement is that the user should have the ability to sign in
> > > > via keycloak. I see that there are no dedicated adapters for php (I guess
> > > > it must be in the works)
> > >
> > > We don't have a PHP adapter, and there's no immediate plans to create
> > > one. You could use:
> > >
> > > * JavaScript adapter
> > > (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html#javascript-adapter)
> > > * Proxy
> > > (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/proxy.html)
> > >
> > > Alternatively have a look on Google for instructions on using OAuth2 and/or
> > > OpenID Connect with PHP. Once 1.2.0.Beta1 is released we'll also have an
> > > OpenID Connect Discovery endpoint, which should make it easier to use other
> > > OpenID Connect client libraries with Keycloak.
> > > > > > If you're willing to contribute a PHP adapter then let me know and I can > > > give > > > you more details on what would be required and some hints to get you > > > started. > > > > > > > > > > > > > > > > > > > Is there a guideline that I should follow if I am to do it manually? > > > > Basically what I should to do replicate what an adapter does (if I dont > > > > want > > > > to use any adapters or my apps are mobile based or deployed on > > > > containers > > > > hat keycloak does not have adapters for). Hope my question is clear. > > > > > > > > > > > > > > > > Kalinga > > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > From: "Bill Burke" > > > > Sent: Monday, March 16, 2015 7:46pm > > > > To: keycloak-user at lists.jboss.org > > > > Subject: Re: [keycloak-user] Customization of authentication mechanism > > > > and > > > > + > > > > > > > > > > > > > > > > Minimally you need to import username. Probably email too if you want > > > > to use any of our email-based features. With UserFederationProvider you > > > > can delegate to the third-party storage for other user > > > > attributes/metadata. > > > > > > > > On 3/16/2015 6:01 AM, Stian Thorgersen wrote: > > > > > We don't currently have a way to plugin your own authentication > > > > > mechanism, > > > > > but this is something we'll be adding. > > > > > > > > > > You have two choices when it comes to users, you can either use our > > > > > user > > > > > federation provider mechanism to sync between Keycloak and your > > > > > current > > > > > db. Or you can migrate the users fully to the Keycloak db. In either > > > > > case > > > > > you have an option on overriding how passwords are verified (either > > > > > UserFederationProvider or by extending an existing UserProvider). 
> > > > > With > > > > > the > > > > > above authentication mechanism we'll most likely also make the > > > > > verification of passwords pluggable which would support different > > > > > hash > > > > > algorithms. > > > > > > > > > > ----- Original Message ----- > > > > >> From: "Kalinga Dissanayake" > > > > >> To: keycloak-user at lists.jboss.org > > > > >> Sent: Monday, March 16, 2015 10:48:55 AM > > > > >> Subject: [keycloak-user] Customization of authentication mechanism > > > > >> and > > > > >> + > > > > >> > > > > >> > > > > >> > > > > >> Guys, > > > > >> > > > > >> I need to understand the capability of keycloak with my requirement > > > > >> and > > > > >> to > > > > >> ensure that keycloak is scalable to meet my needs. My main > > > > >> requirement > > > > >> is > > > > >> to > > > > >> integrate keycloak to our system to support SSO hence I need to > > > > >> migrate > > > > >> my > > > > >> existing users. My main concerns; > > > > >> > > > > >> > > > > >> > > > > >> 1/ Customize authentication method. > > > > >> > > > > >> I need to authenticate users similar to what we currently use in our > > > > >> production system. In our system, users are identified by username, > > > > >> password > > > > >> and the pin. > > > > >> > > > > >> For instance; > > > > >> > > > > >> User -> jack, password -> pwd, pin -> 50000 > > > > >> > > > > >> User should enter all three to login to the system. > > > > >> > > > > >> I went through the codebase and I saw that the Authentication > > > > >> Manager > > > > >> (which > > > > >> is a concrete class) does all the work inside keycloak. I managed to > > > > >> customize the frontend with ease, however, in order to support the > > > > >> pin > > > > >> in > > > > >> the backend seems like I have to customize the AuthenticationManager > > > > >> class > > > > >> (no direct SPIs). 
> > > > >> > > > > >> Although there is a link here; > > > > >> > > > > >> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/authentication-spi.html > > > > >> > > > > >> I cant seem to find anything here which matches the current code > > > > >> base > > > > >> (to > > > > >> via > > > > >> a new authentication method via spis) and the example has been > > > > >> removed. > > > > >> > > > > >> > > > > >> > > > > >> 2/ Customize password hashes. > > > > >> > > > > >> We have our own algorithm used to store password hashes. What should > > > > >> I > > > > >> do > > > > >> to > > > > >> add this to keycloak? > > > > >> > > > > >> I do not know the current passwords of the users already in our > > > > >> system, > > > > >> so > > > > >> when doing the migration i need keyclock to support the current > > > > >> algorithm > > > > >> we > > > > >> use. Can we plugin new hashing algorithms to meet my needs? > > > > >> > > > > >> > > > > >> > > > > >> Any other issues I might face? > > > > >> > > > > >> I feel key cloak is the right choice if the above two questions are > > > > >> answered. > > > > >> Please let me know. 
> > > > >> > > > > >> _______________________________________________ > > > > >> keycloak-user mailing list > > > > >> keycloak-user at lists.jboss.org > > > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > > > > > keycloak-user mailing list > > > > > keycloak-user at lists.jboss.org > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > > > -- > > > > Bill Burke > > > > JBoss, a division of Red Hat > > > > http://bill.burkecentral.com > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > -------------- next part -------------- An HTML attachment was scrubbed... 
From stian at redhat.com Fri Mar 20 04:42:37 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 20 Mar 2015 04:42:37 -0400 (EDT)
Subject: [keycloak-user] Customization of authentication mechanism and +
In-Reply-To: <1426839689.055925538@apps.rackspace.com>
References: <1426499335.4721402@apps.rackspace.com> <1426584326.304931416@apps.rackspace.com> <1426584378.44864838@apps.rackspace.com> <2078082943.7862174.1426585311801.JavaMail.zimbra@redhat.com> <677074152.7862458.1426585462878.JavaMail.zimbra@redhat.com> <1426587790.632621088@apps.rackspace.com> <815431022.7873125.1426587935971.JavaMail.zimbra@redhat.com> <1426839689.055925538@apps.rackspace.com>
Message-ID: <1061166737.536251.1426840957138.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Kalinga Dissanayake"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Friday, 20 March, 2015 9:21:29 AM
> Subject: Re: [keycloak-user] Customization of authentication mechanism and +
>
> Stian,
> As per your previous email I should use the endpoint
> /{realm}/protocols/openid-connect/token
> However, I am using version 1.1.0.Final of keycloak. Seems like this is the
> production ready release available, however this does not have the above
> endpoint [ /{realm}/protocols/openid-connect/token]
> Instead Version 1.1.0 Final has this end point which seems to be doing the
> same functionality;
> /realms/demo/protocol/openid-connect/access/codes

Yes, sorry for the confusion.

> So I have a few questions regarding the above;
> 1/ Is the /access/codes api endpoint the same as the /token endpoint, where the
> latter is planned to be released in a future version? I compared the js
> adapters in 1.1.0 and 1.2.0.Beta.
> The 1.1.0 version uses /access/codes api
> endpoint while 1.2.0.Beta uses /token

It's equivalent and hasn't been removed yet, just deprecated, so it will still work in 1.2.0.Beta1, but will be removed in a future release. In 1.1.0.Final we had multiple token endpoints (/access/codes, /refresh, /grants/access); these don't require the grant_type param. These are now deprecated and we've introduced the single endpoint (/token) that requires grant_type. This is to comply with the OpenID Connect spec.

> 2/ Similarly /{realm}/protocols/openid-connect/auth api end point has been
> changed. What is the mapping endpoint for this in 1.1.0 version? Are there
> any other apis signatures that are planned to be changed in the future?

Nothing planned

> 3/ If I am using keycloak for an application which I am planning to roll out
> to production soon, which version would u recommend?

1.2.0.Beta1 is out in a week or two, so I recommend using that. We'll only back-port fixes to 1.1.x if we find critical security issues.

> 4/ The above apis are for openid-connect. What are the endpoints available if
> the authorization type is saml?

I don't have this off hand, but have a look at the SAML examples and you should find that out easily. Currently we only provide adapters for OpenID Connect.

>
> Extract from previous email <>
> > > * Configure adapter using keycloak.json
> > > * Implement client side of OAuth2 Authorization Code Grant
> > > 1. Generate a state variable and store in a cookie or session
> > > 2. Redirect to
> > > /{realm}/protocols/openid-connect/auth?client_id=&response_type=code&state=
> > uuid>&redirect_uri=
> > > 3. Once the user has logged-in it's redirected back to
> > > with
> > > a code query param
> > > 4. Use the code query param to obtain a token by posting to
> > > /{realm}/protocols/openid-connect/token the form-data should be
> > > grant_type=authorization_code&code= you also need to include a http
> > > basic authorization header with client id and secret
>
> Thanks.
> > Kalinga > > > -----Original Message----- > From: "Stian Thorgersen" > Sent: Tuesday, March 17, 2015 3:55pm > To: "Kalinga Dissanayake" > Cc: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Customization of authentication mechanism and + > > > > Source code for all adapters is in: > > https://github.com/keycloak/keycloak/tree/master/integration > > ----- Original Message ----- > > From: "Kalinga Dissanayake" > > To: "Stian Thorgersen" > > Cc: keycloak-user at lists.jboss.org > > Sent: Tuesday, March 17, 2015 11:23:10 AM > > Subject: Re: [keycloak-user] Customization of authentication mechanism and > > + > > > > > > Thanks Stian. :) Let me first go thru the resources I have on the website. > > The java source code of the adapter also must be present somewhere for me > > to > > have a look I guess? > > > > Kalinga > > > > -----Original Message----- > > From: "Stian Thorgersen" > > Sent: Tuesday, March 17, 2015 3:14pm > > To: "Kalinga Dissanayake" > > Cc: keycloak-user at lists.jboss.org > > Subject: Re: [keycloak-user] Customization of authentication mechanism and > > + > > > > > > > > If you have any more questions feel free to ask, anyone contributing code > > gets extra questions answered ;) > > > > > > ----- Original Message ----- > > > From: "Stian Thorgersen" > > > To: "Kalinga Dissanayake" > > > Cc: keycloak-user at lists.jboss.org > > > Sent: Tuesday, March 17, 2015 10:41:51 AM > > > Subject: Re: [keycloak-user] Customization of authentication mechanism > > > and > > > + > > > > > > There is no hints regarding adapter logic, but what you'll need is: > > > > > > * Configure adapter using keycloak.json > > > * Implement client side of OAuth2 Authorization Code Grant > > > 1. Generate a state variable and store in a cookie or session > > > 2. Redirect to > > > /{realm}/protocols/openid-connect/auth?client_id=&response_type=code&state= > > uuid>&redirect_uri= > > > 3. 
Once the user has logged-in it's redirected back to > > > with > > > a code query param > > > 4. Use the code query param to obtain a token by posting to > > > /{realm}/protocols/openid-connect/token the form-data should be > > > grant_type=authorization_code&code= you also need to include a http > > > basic authorization header with client id and secret > > > > > > Once you've done that you should have a token available to the > > > application. > > > Then you have to deal with: > > > > > > * Refreshing token when expired > > > * Handle logout events from Keycloak > > > * Clustering issues > > > * If you want to support creating rest endpoints in PHP you also need to > > > support verifying the bearer token included in authorization header, this > > > can be done by checking the jws signature using the realm public key > > > > > > ----- Original Message ----- > > > > From: "Kalinga Dissanayake" > > > > To: "Kalinga Dissanayake" > > > > Cc: "Stian Thorgersen" , "Bill Burke" > > > > , keycloak-user at lists.jboss.org > > > > Sent: Tuesday, March 17, 2015 10:26:18 AM > > > > Subject: Re: [keycloak-user] Customization of authentication mechanism > > > > and > > > > + > > > > > > > > > > > > * I can get a php application in place > > > > > > > > Kalinga > > > > > > > > -----Original Message----- > > > > From: "Kalinga Dissanayake" > > > > Sent: Tuesday, March 17, 2015 2:55pm > > > > To: "Stian Thorgersen" > > > > Cc: "Bill Burke" , keycloak-user at lists.jboss.org > > > > Subject: Re: [keycloak-user] Customization of authentication mechanism > > > > and > > > > + > > > > > > > > > > > > > > > > Thanks again. > > > > I need to go thru most documentation to get the hang of it. Will do. > > > > I would love to contribute if u can get a php application in place, is > > > > it > > > > possible for you to direct me to documentation where there are hints > > > > regarding the adapter logic? 
> > > > > > > > Kalinga > > > > > > > > > > > > -----Original Message----- > > > > From: "Stian Thorgersen" > > > > Sent: Tuesday, March 17, 2015 2:25pm > > > > To: "Kalinga Dissanayake" > > > > Cc: "Bill Burke" , keycloak-user at lists.jboss.org > > > > Subject: Re: [keycloak-user] Customization of authentication mechanism > > > > and > > > > + > > > > > > > > > > > > > > > > > > > > ----- Original Message ----- > > > > > From: "Kalinga Dissanayake" > > > > > To: "Bill Burke" > > > > > Cc: keycloak-user at lists.jboss.org > > > > > Sent: Tuesday, March 17, 2015 8:52:12 AM > > > > > Subject: Re: [keycloak-user] Customization of authentication > > > > > mechanism > > > > > and > > > > > + > > > > > > > > > > > > > > > > > > > > Thanks again for your quick feedbacks. > > > > > > > > > > Sorry I have a number of questions so I will be buzzing u guys > > > > > regularly. > > > > > > > > > > I went through the document for the adapters; > > > > > > > > > > http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html > > > > > > > > > > > > > > > > > > > > So lets say I need a php application to be deployed using keycloak as > > > > > my > > > > > SSO > > > > > manager application. > > > > > > > > > > So my basic requirement is that user should have the ability to > > > > > signin > > > > > via > > > > > keycloak. I see that there are no dedicated adapters for php (I guess > > > > > it > > > > > must be in the works) > > > > > > > > We don't have a PHP adapter, and there's no immediate plans to create > > > > one. > > > > You could use: > > > > > > > > * JavaScript adapter > > > > (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html#javascript-adapter) > > > > * Proxy > > > > (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/proxy.html) > > > > > > > > Alternatively have a look on Google for instructions on using OAuth2 > > > > and/or > > > > OpenID Connect with PHP. 
Once 1.2.0.Beta1 is released we'll also have a > > > > OpenID Connect Discovery endpoint, which should make it easier to use > > > > other > > > > OpenID Connect client libraries with Keycloak. > > > > > > > > If you're willing to contribute a PHP adapter then let me know and I > > > > can > > > > give > > > > you more details on what would be required and some hints to get you > > > > started. > > > > > > > > > > > > > > > > > > > > > > > > Is there a guideline that I should follow if I am to do it manually? > > > > > Basically what I should to do replicate what an adapter does (if I > > > > > dont > > > > > want > > > > > to use any adapters or my apps are mobile based or deployed on > > > > > containers > > > > > hat keycloak does not have adapters for). Hope my question is clear. > > > > > > > > > > > > > > > > > > > > Kalinga > > > > > > > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > From: "Bill Burke" > > > > > Sent: Monday, March 16, 2015 7:46pm > > > > > To: keycloak-user at lists.jboss.org > > > > > Subject: Re: [keycloak-user] Customization of authentication > > > > > mechanism > > > > > and > > > > > + > > > > > > > > > > > > > > > > > > > > Minimally you need to import username. Probably email too if you want > > > > > to use any of our email-based features. With UserFederationProvider > > > > > you > > > > > can delegate to the third-party storage for other user > > > > > attributes/metadata. > > > > > > > > > > On 3/16/2015 6:01 AM, Stian Thorgersen wrote: > > > > > > We don't currently have a way to plugin your own authentication > > > > > > mechanism, > > > > > > but this is something we'll be adding. > > > > > > > > > > > > You have two choices when it comes to users, you can either use our > > > > > > user > > > > > > federation provider mechanism to sync between Keycloak and your > > > > > > current > > > > > > db. Or you can migrate the users fully to the Keycloak db. 
In > > > > > > either > > > > > > case > > > > > > you have an option on overriding how passwords are verified (either > > > > > > UserFederationProvider or by extending an existing UserProvider). > > > > > > With > > > > > > the > > > > > > above authentication mechanism we'll most likely also make the > > > > > > verification of passwords pluggable which would support different > > > > > > hash > > > > > > algorithms. > > > > > > > > > > > > ----- Original Message ----- > > > > > >> From: "Kalinga Dissanayake" > > > > > >> To: keycloak-user at lists.jboss.org > > > > > >> Sent: Monday, March 16, 2015 10:48:55 AM > > > > > >> Subject: [keycloak-user] Customization of authentication mechanism > > > > > >> and > > > > > >> + > > > > > >> > > > > > >> > > > > > >> > > > > > >> Guys, > > > > > >> > > > > > >> I need to understand the capability of keycloak with my > > > > > >> requirement > > > > > >> and > > > > > >> to > > > > > >> ensure that keycloak is scalable to meet my needs. My main > > > > > >> requirement > > > > > >> is > > > > > >> to > > > > > >> integrate keycloak to our system to support SSO hence I need to > > > > > >> migrate > > > > > >> my > > > > > >> existing users. My main concerns; > > > > > >> > > > > > >> > > > > > >> > > > > > >> 1/ Customize authentication method. > > > > > >> > > > > > >> I need to authenticate users similar to what we currently use in > > > > > >> our > > > > > >> production system. In our system, users are identified by > > > > > >> username, > > > > > >> password > > > > > >> and the pin. > > > > > >> > > > > > >> For instance; > > > > > >> > > > > > >> User -> jack, password -> pwd, pin -> 50000 > > > > > >> > > > > > >> User should enter all three to login to the system. > > > > > >> > > > > > >> I went through the codebase and I saw that the Authentication > > > > > >> Manager > > > > > >> (which > > > > > >> is a concrete class) does all the work inside keycloak. 
I managed > > > > > >> to > > > > > >> customize the frontend with ease, however, in order to support the > > > > > >> pin > > > > > >> in > > > > > >> the backend seems like I have to customize the > > > > > >> AuthenticationManager > > > > > >> class > > > > > >> (no direct SPIs). > > > > > >> > > > > > >> Although there is a link here; > > > > > >> > > > > > >> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/authentication-spi.html > > > > > >> > > > > > >> I cant seem to find anything here which matches the current code > > > > > >> base > > > > > >> (to > > > > > >> via > > > > > >> a new authentication method via spis) and the example has been > > > > > >> removed. > > > > > >> > > > > > >> > > > > > >> > > > > > >> 2/ Customize password hashes. > > > > > >> > > > > > >> We have our own algorithm used to store password hashes. What > > > > > >> should > > > > > >> I > > > > > >> do > > > > > >> to > > > > > >> add this to keycloak? > > > > > >> > > > > > >> I do not know the current passwords of the users already in our > > > > > >> system, > > > > > >> so > > > > > >> when doing the migration i need keyclock to support the current > > > > > >> algorithm > > > > > >> we > > > > > >> use. Can we plugin new hashing algorithms to meet my needs? > > > > > >> > > > > > >> > > > > > >> > > > > > >> Any other issues I might face? > > > > > >> > > > > > >> I feel key cloak is the right choice if the above two questions > > > > > >> are > > > > > >> answered. > > > > > >> Please let me know. 
> > > > > >>
> > > > > >> _______________________________________________
> > > > > >> keycloak-user mailing list
> > > > > >> keycloak-user at lists.jboss.org
> > > > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > > > _______________________________________________
> > > > > > keycloak-user mailing list
> > > > > > keycloak-user at lists.jboss.org
> > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > >
> > > > > --
> > > > > Bill Burke
> > > > > JBoss, a division of Red Hat
> > > > > http://bill.burkecentral.com
> > > > > _______________________________________________
> > > > > keycloak-user mailing list
> > > > > keycloak-user at lists.jboss.org
> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > >
> > > > > _______________________________________________
> > > > > keycloak-user mailing list
> > > > > keycloak-user at lists.jboss.org
> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >

From stephenrussett at gmail.com Sun Mar 22 16:10:22 2015
From: stephenrussett at gmail.com (Stephen Russett)
Date: Sun, 22 Mar 2015 16:10:22 -0400
Subject: [keycloak-user] Multiple Identity Support?
Message-ID:

Hi

Is there support for handling multiple identities for a single user? If so, is there a video or write up explaining how this is handled?

Example use case:

You have your user profile (with multiple Identities) that is associated with KC. KC is connected to three systems. When you log into System 1, you use Identity A, and when you log into System 2, you use Identity B, and when you log into System 3, you use Identity C.
The different identities are due to the need for the user wanting to share specific information depending on the system they are logging into.
This openID connect video has a great intro that outlines the use case for multiple identities: https://www.youtube.com/watch?v=Kb56GzQ2pSk

Thanks.
Stephen

From stian at redhat.com Mon Mar 23 01:49:31 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 23 Mar 2015 01:49:31 -0400 (EDT)
Subject: [keycloak-user] Multiple Identity Support?
In-Reply-To:
References:
Message-ID: <379189764.2306642.1427089770994.JavaMail.zimbra@redhat.com>

Yes, in 1.2.0.Beta1, which will be released soon, we'll have support for protocol mappers. Protocol mappers allow you to define exactly what attributes go into the access token and id token for each application.

----- Original Message -----
> From: "Stephen Russett"
> To: keycloak-user at lists.jboss.org
> Sent: Sunday, 22 March, 2015 9:10:22 PM
> Subject: [keycloak-user] Multiple Identity Support?
>
> Hi
>
> Is there support for handling multiple identities for a single user? If so,
> is there a video or write up explaining how this is handled?
>
> Example use case:
>
> You have your user profile (with multiple Identities) that is associated with
> KC. KC is connected to three systems. When you log into System 1, you use
> Identity A, and when you log into System 2, you use Identity B, and When you
> log into System 3, you use Identity C.
> The different identities are due to the need for the user wanting to share
> specific information depending on the system they are logging into.
> This openID connect video has a great intro that outlines the use case for
> multiple identities: https://www.youtube.com/watch?v=Kb56GzQ2pSk
>
> Thanks.
> Stephen
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From kalinga at leapset.com Mon Mar 23 03:23:40 2015
From: kalinga at leapset.com (Kalinga Dissanayake)
Date: Mon, 23 Mar 2015 12:53:40 +0530 (IST)
Subject: [keycloak-user] Customization of authentication mechanism and +
In-Reply-To: <1061166737.536251.1426840957138.JavaMail.zimbra@redhat.com>
References: <1426499335.4721402@apps.rackspace.com> <1426584326.304931416@apps.rackspace.com> <1426584378.44864838@apps.rackspace.com> <2078082943.7862174.1426585311801.JavaMail.zimbra@redhat.com> <677074152.7862458.1426585462878.JavaMail.zimbra@redhat.com> <1426587790.632621088@apps.rackspace.com> <815431022.7873125.1426587935971.JavaMail.zimbra@redhat.com> <1426839689.055925538@apps.rackspace.com> <1061166737.536251.1426840957138.JavaMail.zimbra@redhat.com>
Message-ID: <1427095420.1845287@apps.rackspace.com>

Stian,

Thanks for clarifying. A couple more questions, and my sincere apologies for troubling u guys amidst all the work.

I could not get the saml endpoints token endpoints but the openid connect protocol works fine now.

Extract from previous email
--------------------------------
> > > * Refreshing token when expired
> > > * Handle logout events from Keycloak
> > > * Clustering issues
> > > * If you want to support creating rest endpoints in PHP you also need to
> > > support verifying the bearer token included in authorization header, this
> > > can be done by checking the jws signature using the realm public key

* Handle logout events from Keycloak

Are there any specific events I should listen to for this purpose? I saw that the js adapter somehow handles this via the iframe, but is there any way for me to support this in the php backend or any other app? Basically let me explain the scenario. I have a php app and a tomcat application that call keycloak for auth. I log out from the tomcat application and I need the php app user to be force logged out... What are the events I should listen to? Is there any document which contains these details?

* Clustering issues

Are there any clustering issues with the adapters I should be aware of? Or is it simply the clustering on the server end you are referring to?

Thanks. Appreciate ur feedback... please let me know any concerns/factors I should be aware of regarding the above two points.

Kalinga

-----Original Message-----
From: "Stian Thorgersen"
Sent: Friday, March 20, 2015 2:12pm
To: "Kalinga Dissanayake"
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Customization of authentication mechanism and +

----- Original Message -----
> From: "Kalinga Dissanayake"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Friday, 20 March, 2015 9:21:29 AM
> Subject: Re: [keycloak-user] Customization of authentication mechanism and +
>
> Stian,
> As per your previous email I should use the endpoint
> /{realm}/protocols/openid-connect/token
> However, I am using version 1.1.0.Final of keycloak. Seems like this is the
> production ready release available, however this does not have the above
> endpoint [ /{realm}/protocols/openid-connect/token]
> Instead Version 1.1.0 Final has this end point which seems to be doing the
> same functionality;
> /realms/demo/protocol/openid-connect/access/codes

Yes, sorry for the confusion.

> So I have a few questions regarding the above;
> 1/ Is the /access/codes api endpoint the same as the /token endpoint, where the
> latter is planned to be released in a future version? I compared the js
> adapters in 1.1.0 and 1.2.0.Beta. The 1.1.0 version uses /access/codes api
> endpoint while 1.2.0.Beta uses /token

It's equivalent and hasn't been removed yet, just deprecated, so it will still work in 1.2.0.Beta1, but will be removed in a future release.
In 1.1.0.Final we had multiple token endpoint (/access/codes, /refresh, /grants/access) these don't require grant_type param. These are now deprecated and we've introduce the single endpoint (/token) that requires grant_type. This is so comply with the OpenID Connect spec. > 2/ Similarly /{realm}/protocols/openid-connect/auth api end point has been > changed. What is the mapping endpoint for this in 1.1.0 version? Are there > are other apis signatures that are planned to be changed in the future? Nothing planned > 3/ If I am using keycloak for an application which I am planning to roll out > to production soon, which version would u recommend? 1.2.0.Beta1 is out in a week or two, so I recommend using that. We'll only back-port fixes to 1.1.x if we find critical security issues. > 4/ The above apis are for openid-connect. What are the endpoints available if > the authorization type is saml? I don't have this off hand, but have a look at the SAML examples and you should find that out easily. Currently we only provide adapters for OpenID Connect. > > Extract from previous email <> > > > * Configure adapter using keycloak.json > > > * Implement client side of OAuth2 Authorization Code Grant > > > 1. Generate a state variable and store in a cookie or session > > > 2. Redirect to > > > /{realm}/protocols/openid-connect/auth?client_id=&response_type=code&state= > > uuid>&redirect_uri= > > > 3. Once the user has logged-in it's redirected back to > > > with > > > a code query param > > > 4. Use the code query param to obtain a token by posting to > > > /{realm}/protocols/openid-connect/token the form-data should be > > > grant_type=authorization_code&code= you also need to include a http > > > basic authorization header with client id and secret > > Thanks. 
> > Kalinga > > > -----Original Message----- > From: "Stian Thorgersen" > Sent: Tuesday, March 17, 2015 3:55pm > To: "Kalinga Dissanayake" > Cc: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Customization of authentication mechanism and + > > > > Source code for all adapters is in: > > https://github.com/keycloak/keycloak/tree/master/integration > > ----- Original Message ----- > > From: "Kalinga Dissanayake" > > To: "Stian Thorgersen" > > Cc: keycloak-user at lists.jboss.org > > Sent: Tuesday, March 17, 2015 11:23:10 AM > > Subject: Re: [keycloak-user] Customization of authentication mechanism and > > + > > > > > > Thanks Stian. :) Let me first go thru the resources I have on the website. > > The java source code of the adapter also must be present somewhere for me > > to > > have a look I guess? > > > > Kalinga > > > > -----Original Message----- > > From: "Stian Thorgersen" > > Sent: Tuesday, March 17, 2015 3:14pm > > To: "Kalinga Dissanayake" > > Cc: keycloak-user at lists.jboss.org > > Subject: Re: [keycloak-user] Customization of authentication mechanism and > > + > > > > > > > > If you have any more questions feel free to ask, anyone contributing code > > gets extra questions answered ;) > > > > > > ----- Original Message ----- > > > From: "Stian Thorgersen" > > > To: "Kalinga Dissanayake" > > > Cc: keycloak-user at lists.jboss.org > > > Sent: Tuesday, March 17, 2015 10:41:51 AM > > > Subject: Re: [keycloak-user] Customization of authentication mechanism > > > and > > > + > > > > > > There is no hints regarding adapter logic, but what you'll need is: > > > > > > * Configure adapter using keycloak.json > > > * Implement client side of OAuth2 Authorization Code Grant > > > 1. Generate a state variable and store in a cookie or session > > > 2. Redirect to > > > /{realm}/protocols/openid-connect/auth?client_id=&response_type=code&state= > > uuid>&redirect_uri= > > > 3. 
Once the user has logged-in it's redirected back to > > > with > > > a code query param > > > 4. Use the code query param to obtain a token by posting to > > > /{realm}/protocols/openid-connect/token the form-data should be > > > grant_type=authorization_code&code= you also need to include a http > > > basic authorization header with client id and secret > > > > > > Once you've done that you should have a token available to the > > > application. > > > Then you have to deal with: > > > > > > * Refreshing token when expired > > > * Handle logout events from Keycloak > > > * Clustering issues > > > * If you want to support creating rest endpoints in PHP you also need to > > > support verifying the bearer token included in authorization header, this > > > can be done by checking the jws signature using the realm public key > > > > > > ----- Original Message ----- > > > > From: "Kalinga Dissanayake" > > > > To: "Kalinga Dissanayake" > > > > Cc: "Stian Thorgersen" , "Bill Burke" > > > > , keycloak-user at lists.jboss.org > > > > Sent: Tuesday, March 17, 2015 10:26:18 AM > > > > Subject: Re: [keycloak-user] Customization of authentication mechanism > > > > and > > > > + > > > > > > > > > > > > * I can get a php application in place > > > > > > > > Kalinga > > > > > > > > -----Original Message----- > > > > From: "Kalinga Dissanayake" > > > > Sent: Tuesday, March 17, 2015 2:55pm > > > > To: "Stian Thorgersen" > > > > Cc: "Bill Burke" , keycloak-user at lists.jboss.org > > > > Subject: Re: [keycloak-user] Customization of authentication mechanism > > > > and > > > > + > > > > > > > > > > > > > > > > Thanks again. > > > > I need to go thru most documentation to get the hang of it. Will do. > > > > I would love to contribute if u can get a php application in place, is > > > > it > > > > possible for you to direct me to documentation where there are hints > > > > regarding the adapter logic? 
> > > > > > > > Kalinga > > > > > > > > > > > > -----Original Message----- > > > > From: "Stian Thorgersen" > > > > Sent: Tuesday, March 17, 2015 2:25pm > > > > To: "Kalinga Dissanayake" > > > > Cc: "Bill Burke" , keycloak-user at lists.jboss.org > > > > Subject: Re: [keycloak-user] Customization of authentication mechanism > > > > and > > > > + > > > > > > > > > > > > > > > > > > > > ----- Original Message ----- > > > > > From: "Kalinga Dissanayake" > > > > > To: "Bill Burke" > > > > > Cc: keycloak-user at lists.jboss.org > > > > > Sent: Tuesday, March 17, 2015 8:52:12 AM > > > > > Subject: Re: [keycloak-user] Customization of authentication > > > > > mechanism > > > > > and > > > > > + > > > > > > > > > > > > > > > > > > > > Thanks again for your quick feedbacks. > > > > > > > > > > Sorry I have a number of questions so I will be buzzing u guys > > > > > regularly. > > > > > > > > > > I went through the document for the adapters; > > > > > > > > > > http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html > > > > > > > > > > > > > > > > > > > > So lets say I need a php application to be deployed using keycloak as > > > > > my > > > > > SSO > > > > > manager application. > > > > > > > > > > So my basic requirement is that user should have the ability to > > > > > signin > > > > > via > > > > > keycloak. I see that there are no dedicated adapters for php (I guess > > > > > it > > > > > must be in the works) > > > > > > > > We don't have a PHP adapter, and there's no immediate plans to create > > > > one. > > > > You could use: > > > > > > > > * JavaScript adapter > > > > (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html#javascript-adapter) > > > > * Proxy > > > > (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/proxy.html) > > > > > > > > Alternatively have a look on Google for instructions on using OAuth2 > > > > and/or > > > > OpenID Connect with PHP. 
Once 1.2.0.Beta1 is released we'll also have a > > > > OpenID Connect Discovery endpoint, which should make it easier to use > > > > other > > > > OpenID Connect client libraries with Keycloak. > > > > > > > > If you're willing to contribute a PHP adapter then let me know and I > > > > can > > > > give > > > > you more details on what would be required and some hints to get you > > > > started. > > > > > > > > > > > > > > > > > > > > > > > > Is there a guideline that I should follow if I am to do it manually? > > > > > Basically what I should to do replicate what an adapter does (if I > > > > > dont > > > > > want > > > > > to use any adapters or my apps are mobile based or deployed on > > > > > containers > > > > > hat keycloak does not have adapters for). Hope my question is clear. > > > > > > > > > > > > > > > > > > > > Kalinga > > > > > > > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > From: "Bill Burke" > > > > > Sent: Monday, March 16, 2015 7:46pm > > > > > To: keycloak-user at lists.jboss.org > > > > > Subject: Re: [keycloak-user] Customization of authentication > > > > > mechanism > > > > > and > > > > > + > > > > > > > > > > > > > > > > > > > > Minimally you need to import username. Probably email too if you want > > > > > to use any of our email-based features. With UserFederationProvider > > > > > you > > > > > can delegate to the third-party storage for other user > > > > > attributes/metadata. > > > > > > > > > > On 3/16/2015 6:01 AM, Stian Thorgersen wrote: > > > > > > We don't currently have a way to plugin your own authentication > > > > > > mechanism, > > > > > > but this is something we'll be adding. > > > > > > > > > > > > You have two choices when it comes to users, you can either use our > > > > > > user > > > > > > federation provider mechanism to sync between Keycloak and your > > > > > > current > > > > > > db. Or you can migrate the users fully to the Keycloak db. 
In > > > > > > either > > > > > > case > > > > > > you have an option on overriding how passwords are verified (either > > > > > > UserFederationProvider or by extending an existing UserProvider). > > > > > > With > > > > > > the > > > > > > above authentication mechanism we'll most likely also make the > > > > > > verification of passwords pluggable which would support different > > > > > > hash > > > > > > algorithms. > > > > > > > > > > > > ----- Original Message ----- > > > > > >> From: "Kalinga Dissanayake" > > > > > >> To: keycloak-user at lists.jboss.org > > > > > >> Sent: Monday, March 16, 2015 10:48:55 AM > > > > > >> Subject: [keycloak-user] Customization of authentication mechanism > > > > > >> and > > > > > >> + > > > > > >> > > > > > >> > > > > > >> > > > > > >> Guys, > > > > > >> > > > > > >> I need to understand the capability of keycloak with my > > > > > >> requirement > > > > > >> and > > > > > >> to > > > > > >> ensure that keycloak is scalable to meet my needs. My main > > > > > >> requirement > > > > > >> is > > > > > >> to > > > > > >> integrate keycloak to our system to support SSO hence I need to > > > > > >> migrate > > > > > >> my > > > > > >> existing users. My main concerns; > > > > > >> > > > > > >> > > > > > >> > > > > > >> 1/ Customize authentication method. > > > > > >> > > > > > >> I need to authenticate users similar to what we currently use in > > > > > >> our > > > > > >> production system. In our system, users are identified by > > > > > >> username, > > > > > >> password > > > > > >> and the pin. > > > > > >> > > > > > >> For instance; > > > > > >> > > > > > >> User -> jack, password -> pwd, pin -> 50000 > > > > > >> > > > > > >> User should enter all three to login to the system. > > > > > >> > > > > > >> I went through the codebase and I saw that the Authentication > > > > > >> Manager > > > > > >> (which > > > > > >> is a concrete class) does all the work inside keycloak. 
I managed > > > > > >> to > > > > > >> customize the frontend with ease, however, in order to support the > > > > > >> pin > > > > > >> in > > > > > >> the backend seems like I have to customize the > > > > > >> AuthenticationManager > > > > > >> class > > > > > >> (no direct SPIs). > > > > > >> > > > > > >> Although there is a link here; > > > > > >> > > > > > >> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/authentication-spi.html > > > > > >> > > > > > >> I cant seem to find anything here which matches the current code > > > > > >> base > > > > > >> (to > > > > > >> via > > > > > >> a new authentication method via spis) and the example has been > > > > > >> removed. > > > > > >> > > > > > >> > > > > > >> > > > > > >> 2/ Customize password hashes. > > > > > >> > > > > > >> We have our own algorithm used to store password hashes. What > > > > > >> should > > > > > >> I > > > > > >> do > > > > > >> to > > > > > >> add this to keycloak? > > > > > >> > > > > > >> I do not know the current passwords of the users already in our > > > > > >> system, > > > > > >> so > > > > > >> when doing the migration i need keyclock to support the current > > > > > >> algorithm > > > > > >> we > > > > > >> use. Can we plugin new hashing algorithms to meet my needs? > > > > > >> > > > > > >> > > > > > >> > > > > > >> Any other issues I might face? > > > > > >> > > > > > >> I feel key cloak is the right choice if the above two questions > > > > > >> are > > > > > >> answered. > > > > > >> Please let me know. 
> > > > > >>
> > > > > --
> > > > > Bill Burke
> > > > > JBoss, a division of Red Hat
> > > > > http://bill.burkecentral.com
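The client-side steps Stian lists in the quoted extract above (generate a state, redirect to the auth endpoint, read the code on the callback, POST to the token endpoint with HTTP Basic client credentials) together with the bearer-token check he describes (verifying the JWS signature with the realm public key), as an added example in Go. This is not code from the thread or from Keycloak's own adapters: the base URL, realm, client id, secret and redirect URI are assumed placeholders, and the paths use the single /token endpoint form described for 1.2.0 rather than the deprecated 1.1.0 /access/codes endpoint. VerifyRS256 applies equally to the signed JSON document Keycloak posts to an adapter's admin URL, which the later reply says must have its signature checked.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Assumed placeholders, not values from the thread: the Keycloak base URL and realm.
const keycloakBase, realm = "https://sso.example.test/auth", "demo"

// NewState returns an unguessable OAuth2 state (step 1) that the caller keeps in the session or a cookie.
func NewState() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// AuthorizeURL builds the redirect to the realm's auth endpoint (step 2).
func AuthorizeURL(clientID, redirectURI, state string) string {
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("response_type", "code")
	q.Set("state", state)
	q.Set("redirect_uri", redirectURI)
	return keycloakBase + "/realms/" + realm + "/protocol/openid-connect/auth?" + q.Encode()
}

// CodeFromCallback checks the echoed state against the stored one and extracts the
// code query param (step 3); a mismatch is a callback this client never started.
func CodeFromCallback(callbackURL, expectedState string) (string, error) {
	u, err := url.Parse(callbackURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if code := q.Get("code"); code != "" && expectedState != "" && q.Get("state") == expectedState {
		return code, nil
	}
	return "", errors.New("state mismatch or missing code")
}

// TokenRequest returns the form body and the HTTP Basic Authorization header for the
// POST to .../protocol/openid-connect/token (step 4).
func TokenRequest(clientID, clientSecret, code, redirectURI string) (body, authHeader string) {
	form := url.Values{}
	form.Set("grant_type", "authorization_code")
	form.Set("code", code)
	form.Set("redirect_uri", redirectURI)
	creds := base64.StdEncoding.EncodeToString([]byte(clientID + ":" + clientSecret))
	return form.Encode(), "Basic " + creds
}

// VerifyRS256 checks a compact JWS (a bearer token, or the signed document Keycloak
// posts to an adapter's admin URL) against the realm public key and returns its claims.
// Only RS256 is accepted, so an "alg":"none" or HMAC header is rejected before any
// signature check, and exp is enforced against the supplied clock.
func VerifyRS256(token string, pub *rsa.PublicKey, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWS")
	}
	var raw [3][]byte
	for i, p := range parts {
		var err error
		if raw[i], err = base64.RawURLEncoding.DecodeString(p); err != nil {
			return nil, err
		}
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected or missing alg header")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, errors.New("signature does not verify against the realm key")
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(raw[1], &claims); err != nil {
		return nil, err
	}
	if exp, ok := claims["exp"].(float64); !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("token expired or missing exp")
	}
	return claims, nil
}

func main() {
	fmt.Println(AuthorizeURL("php-app", "https://app.example.test/cb", "state-from-session"))
}
```

Run as is, it prints the authorization redirect for the placeholder client. In an adapter, the access_token from the token response, and every bearer token arriving on a REST endpoint, goes through VerifyRS256 before any claim is trusted; the public key passed in is the realm key taken from the Keycloak admin console or the adapter's keycloak.json, never anything read from the token itself.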
From stian at redhat.com Mon Mar 23 03:35:17 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 23 Mar 2015 03:35:17 -0400 (EDT)
Subject: [keycloak-user] Customization of authentication mechanism and +
In-Reply-To: <1427095420.1845287@apps.rackspace.com>
References: <1426499335.4721402@apps.rackspace.com> <2078082943.7862174.1426585311801.JavaMail.zimbra@redhat.com> <677074152.7862458.1426585462878.JavaMail.zimbra@redhat.com> <1426587790.632621088@apps.rackspace.com> <815431022.7873125.1426587935971.JavaMail.zimbra@redhat.com> <1426839689.055925538@apps.rackspace.com> <1061166737.536251.1426840957138.JavaMail.zimbra@redhat.com> <1427095420.1845287@apps.rackspace.com>
Message-ID: <514933962.2333888.1427096117603.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Kalinga Dissanayake"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Monday, 23 March, 2015 8:23:40 AM
> Subject: Re: [keycloak-user] Customization of authentication mechanism and +
>
> Stian,
>
> Thanks for clarifying. A couple of more questions and my sincere apologies
> for troubling u guys amidst all the work.
> I could not get the saml endpoints token endpoints but the openid connect
> protocol works fine now.
>
> Extract from previous email
> --------------------------------
> > > > * Refreshing token when expired
> > > > * Handle logout events from Keycloak
> > > > * Clustering issues
> > > > * If you want to support creating rest endpoints in PHP you also need
> > > > to
> > > > support verifying the bearer token included in authorization header,
> > > > this
> > > > can be done by checking the jws signature using the realm public key
>
> * Handle logout events from Keycloak
> Are there any specific events I should listen to for this purpose? I saw that
> the js adapter somehow handles this via the iframe but is there any way for
> me to support me in the php backend or any other app?
> Basically let me explain the scenario.
> I have a php app and a tomcat application that call keycloak for auth. I
> logout from the tomcat application and I need the php app user to force
> logout... What are the events i should listen to? Is there any document
> which contains these details?

An application can expose an endpoint (the admin URL of the application) that Keycloak can invoke to push logouts and not-before updates, and to check availability (used by KC to know which nodes in a cluster are available). It's pretty simple: Keycloak posts a signed JSON document to trigger some action in the adapter. See https://github.com/keycloak/keycloak/blob/b4e0a1e6f563296e401680b3d0b2e99d0ce6fc2c/integration/adapter-core/src/main/java/org/keycloak/adapters/PreAuthActionsHandler.java#L44 for how the Java adapters handle this. It's important to check the signature so you know the request was initiated by Keycloak.

> * Clustering issues
> Are there are clustering issues with the adapters I should be aware of? or Is
> it simply the clustering on the server end you are referring to?

Depends on how the adapter is implemented; you can find more details on our existing adapters and clustering at http://blog.keycloak.org/2015/03/keycloak-clustering-part-2-clustering.html and http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/applicationClustering.html

> Thanks. Appreciate ur feedback...please let me know any concerns/factors I
> should be aware regarding the above two points.
> > Kalinga > > > -----Original Message----- > From: "Stian Thorgersen" > Sent: Friday, March 20, 2015 2:12pm > To: "Kalinga Dissanayake" > Cc: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Customization of authentication mechanism and + > > > > > ----- Original Message ----- > > From: "Kalinga Dissanayake" > > To: "Stian Thorgersen" > > Cc: keycloak-user at lists.jboss.org > > Sent: Friday, 20 March, 2015 9:21:29 AM > > Subject: Re: [keycloak-user] Customization of authentication mechanism and > > + > > > > > > Stian, > > As per your previous email I should use the endpoint > > /{realm}/protocols/openid-connect/token > > However, I am using version 1.1.0.Final of keycloak. Seems like this is the > > production ready release available, however this does not have the above > > endpoint [ /{realm}/protocols/openid-connect/token] > > Instead Version 1.1.0 Final has this end point which seems to be doing the > > same functionality; > > /realms/demo/protocol/openid-connect/access/codes > > Yes, sorry for the confusion. > > > > > So I have a few questions regarding the above; > > 1/ Is the /access/codes api endpoint same as /token endpoint. Where the > > latter is planned to released in a future version? I compared the js > > adapters in 1.1.0 and 1.2.0.Beta. The 1.1.0 version uses /access/codes api > > endpoint while 1.2.0.Beta uses /token > > It's equivalent and hasn't been removed yet, just deprecated so will still > work in 1.2.0.Beta1, but will be removed in a future release. > > In 1.1.0.Final we had multiple token endpoint (/access/codes, /refresh, > /grants/access) these don't require grant_type param. These are now > deprecated and we've introduce the single endpoint (/token) that requires > grant_type. This is so comply with the OpenID Connect spec. > > > 2/ Similarly /{realm}/protocols/openid-connect/auth api end point has been > > changed. What is the mapping endpoint for this in 1.1.0 version? 
Are there > > are other apis signatures that are planned to be changed in the future? > > Nothing planned > > > 3/ If I am using keycloak for an application which I am planning to roll > > out > > to production soon, which version would u recommend? > > 1.2.0.Beta1 is out in a week or two, so I recommend using that. We'll only > back-port fixes to 1.1.x if we find critical security issues. > > > 4/ The above apis are for openid-connect. What are the endpoints available > > if > > the authorization type is saml? > > I don't have this off hand, but have a look at the SAML examples and you > should find that out easily. Currently we only provide adapters for OpenID > Connect. > > > > > Extract from previous email <> > > > > * Configure adapter using keycloak.json > > > > * Implement client side of OAuth2 Authorization Code Grant > > > > 1. Generate a state variable and store in a cookie or session > > > > 2. Redirect to > > > > /{realm}/protocols/openid-connect/auth?client_id=&response_type=code&state= > > > uuid>&redirect_uri= > > > > 3. Once the user has logged-in it's redirected back to > > > > with > > > > a code query param > > > > 4. Use the code query param to obtain a token by posting to > > > > /{realm}/protocols/openid-connect/token the form-data should be > > > > grant_type=authorization_code&code= you also need to include a > > > > http > > > > basic authorization header with client id and secret > > > > Thanks. 
> > > > Kalinga > > > > > > -----Original Message----- > > From: "Stian Thorgersen" > > Sent: Tuesday, March 17, 2015 3:55pm > > To: "Kalinga Dissanayake" > > Cc: keycloak-user at lists.jboss.org > > Subject: Re: [keycloak-user] Customization of authentication mechanism and > > + > > > > > > > > Source code for all adapters is in: > > > > https://github.com/keycloak/keycloak/tree/master/integration > > > > ----- Original Message ----- > > > From: "Kalinga Dissanayake" > > > To: "Stian Thorgersen" > > > Cc: keycloak-user at lists.jboss.org > > > Sent: Tuesday, March 17, 2015 11:23:10 AM > > > Subject: Re: [keycloak-user] Customization of authentication mechanism > > > and > > > + > > > > > > > > > Thanks Stian. :) Let me first go thru the resources I have on the > > > website. > > > The java source code of the adapter also must be present somewhere for me > > > to > > > have a look I guess? > > > > > > Kalinga > > > > > > -----Original Message----- > > > From: "Stian Thorgersen" > > > Sent: Tuesday, March 17, 2015 3:14pm > > > To: "Kalinga Dissanayake" > > > Cc: keycloak-user at lists.jboss.org > > > Subject: Re: [keycloak-user] Customization of authentication mechanism > > > and > > > + > > > > > > > > > > > > If you have any more questions feel free to ask, anyone contributing code > > > gets extra questions answered ;) > > > > > > > > > ----- Original Message ----- > > > > From: "Stian Thorgersen" > > > > To: "Kalinga Dissanayake" > > > > Cc: keycloak-user at lists.jboss.org > > > > Sent: Tuesday, March 17, 2015 10:41:51 AM > > > > Subject: Re: [keycloak-user] Customization of authentication mechanism > > > > and > > > > + > > > > > > > > There is no hints regarding adapter logic, but what you'll need is: > > > > > > > > * Configure adapter using keycloak.json > > > > * Implement client side of OAuth2 Authorization Code Grant > > > > 1. Generate a state variable and store in a cookie or session > > > > 2. 
Redirect to > > > > /{realm}/protocols/openid-connect/auth?client_id=&response_type=code&state= > > > uuid>&redirect_uri= > > > > 3. Once the user has logged-in it's redirected back to > > > > with > > > > a code query param > > > > 4. Use the code query param to obtain a token by posting to > > > > /{realm}/protocols/openid-connect/token the form-data should be > > > > grant_type=authorization_code&code= you also need to include a > > > > http > > > > basic authorization header with client id and secret > > > > > > > > Once you've done that you should have a token available to the > > > > application. > > > > Then you have to deal with: > > > > > > > > * Refreshing token when expired > > > > * Handle logout events from Keycloak > > > > * Clustering issues > > > > * If you want to support creating rest endpoints in PHP you also need > > > > to > > > > support verifying the bearer token included in authorization header, > > > > this > > > > can be done by checking the jws signature using the realm public key > > > > > > > > ----- Original Message ----- > > > > > From: "Kalinga Dissanayake" > > > > > To: "Kalinga Dissanayake" > > > > > Cc: "Stian Thorgersen" , "Bill Burke" > > > > > , keycloak-user at lists.jboss.org > > > > > Sent: Tuesday, March 17, 2015 10:26:18 AM > > > > > Subject: Re: [keycloak-user] Customization of authentication > > > > > mechanism > > > > > and > > > > > + > > > > > > > > > > > > > > > * I can get a php application in place > > > > > > > > > > Kalinga > > > > > > > > > > -----Original Message----- > > > > > From: "Kalinga Dissanayake" > > > > > Sent: Tuesday, March 17, 2015 2:55pm > > > > > To: "Stian Thorgersen" > > > > > Cc: "Bill Burke" , keycloak-user at lists.jboss.org > > > > > Subject: Re: [keycloak-user] Customization of authentication > > > > > mechanism > > > > > and > > > > > + > > > > > > > > > > > > > > > > > > > > Thanks again. > > > > > I need to go thru most documentation to get the hang of it. Will do. 
> > > > > I would love to contribute if u can get a php application in place, > > > > > is > > > > > it > > > > > possible for you to direct me to documentation where there are hints > > > > > regarding the adapter logic? > > > > > > > > > > Kalinga > > > > > > > > > > > > > > > -----Original Message----- > > > > > From: "Stian Thorgersen" > > > > > Sent: Tuesday, March 17, 2015 2:25pm > > > > > To: "Kalinga Dissanayake" > > > > > Cc: "Bill Burke" , keycloak-user at lists.jboss.org > > > > > Subject: Re: [keycloak-user] Customization of authentication > > > > > mechanism > > > > > and > > > > > + > > > > > > > > > > > > > > > > > > > > > > > > > ----- Original Message ----- > > > > > > From: "Kalinga Dissanayake" > > > > > > To: "Bill Burke" > > > > > > Cc: keycloak-user at lists.jboss.org > > > > > > Sent: Tuesday, March 17, 2015 8:52:12 AM > > > > > > Subject: Re: [keycloak-user] Customization of authentication > > > > > > mechanism > > > > > > and > > > > > > + > > > > > > > > > > > > > > > > > > > > > > > > Thanks again for your quick feedbacks. > > > > > > > > > > > > Sorry I have a number of questions so I will be buzzing u guys > > > > > > regularly. > > > > > > > > > > > > I went through the document for the adapters; > > > > > > > > > > > > http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html > > > > > > > > > > > > > > > > > > > > > > > > So lets say I need a php application to be deployed using keycloak > > > > > > as > > > > > > my > > > > > > SSO > > > > > > manager application. > > > > > > > > > > > > So my basic requirement is that user should have the ability to > > > > > > signin > > > > > > via > > > > > > keycloak. I see that there are no dedicated adapters for php (I > > > > > > guess > > > > > > it > > > > > > must be in the works) > > > > > > > > > > We don't have a PHP adapter, and there's no immediate plans to create > > > > > one. 
> > > > > You could use: > > > > > > > > > > * JavaScript adapter > > > > > (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html#javascript-adapter) > > > > > * Proxy > > > > > (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/proxy.html) > > > > > > > > > > Alternatively have a look on Google for instructions on using OAuth2 > > > > > and/or > > > > > OpenID Connect with PHP. Once 1.2.0.Beta1 is released we'll also have > > > > > a > > > > > OpenID Connect Discovery endpoint, which should make it easier to use > > > > > other > > > > > OpenID Connect client libraries with Keycloak. > > > > > > > > > > If you're willing to contribute a PHP adapter then let me know and I > > > > > can > > > > > give > > > > > you more details on what would be required and some hints to get you > > > > > started. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Is there a guideline that I should follow if I am to do it > > > > > > manually? > > > > > > Basically what I should to do replicate what an adapter does (if I > > > > > > dont > > > > > > want > > > > > > to use any adapters or my apps are mobile based or deployed on > > > > > > containers > > > > > > hat keycloak does not have adapters for). Hope my question is > > > > > > clear. > > > > > > > > > > > > > > > > > > > > > > > > Kalinga > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > From: "Bill Burke" > > > > > > Sent: Monday, March 16, 2015 7:46pm > > > > > > To: keycloak-user at lists.jboss.org > > > > > > Subject: Re: [keycloak-user] Customization of authentication > > > > > > mechanism > > > > > > and > > > > > > + > > > > > > > > > > > > > > > > > > > > > > > > Minimally you need to import username. Probably email too if you > > > > > > want > > > > > > to use any of our email-based features. 
With UserFederationProvider > > > > > > you > > > > > > can delegate to the third-party storage for other user > > > > > > attributes/metadata. > > > > > > > > > > > > On 3/16/2015 6:01 AM, Stian Thorgersen wrote: > > > > > > > We don't currently have a way to plugin your own authentication > > > > > > > mechanism, > > > > > > > but this is something we'll be adding. > > > > > > > > > > > > > > You have two choices when it comes to users, you can either use > > > > > > > our > > > > > > > user > > > > > > > federation provider mechanism to sync between Keycloak and your > > > > > > > current > > > > > > > db. Or you can migrate the users fully to the Keycloak db. In > > > > > > > either > > > > > > > case > > > > > > > you have an option on overriding how passwords are verified > > > > > > > (either > > > > > > > UserFederationProvider or by extending an existing UserProvider). > > > > > > > With > > > > > > > the > > > > > > > above authentication mechanism we'll most likely also make the > > > > > > > verification of passwords pluggable which would support different > > > > > > > hash > > > > > > > algorithms. > > > > > > > > > > > > > > ----- Original Message ----- > > > > > > >> From: "Kalinga Dissanayake" > > > > > > >> To: keycloak-user at lists.jboss.org > > > > > > >> Sent: Monday, March 16, 2015 10:48:55 AM > > > > > > >> Subject: [keycloak-user] Customization of authentication > > > > > > >> mechanism > > > > > > >> and > > > > > > >> + > > > > > > >> > > > > > > >> > > > > > > >> > > > > > > >> Guys, > > > > > > >> > > > > > > >> I need to understand the capability of keycloak with my > > > > > > >> requirement > > > > > > >> and > > > > > > >> to > > > > > > >> ensure that keycloak is scalable to meet my needs. My main > > > > > > >> requirement > > > > > > >> is > > > > > > >> to > > > > > > >> integrate keycloak to our system to support SSO hence I need to > > > > > > >> migrate > > > > > > >> my > > > > > > >> existing users. 
My main concerns; > > > > > > >> > > > > > > >> > > > > > > >> > > > > > > >> 1/ Customize authentication method. > > > > > > >> > > > > > > >> I need to authenticate users similar to what we currently use in > > > > > > >> our > > > > > > >> production system. In our system, users are identified by > > > > > > >> username, > > > > > > >> password > > > > > > >> and the pin. > > > > > > >> > > > > > > >> For instance; > > > > > > >> > > > > > > >> User -> jack, password -> pwd, pin -> 50000 > > > > > > >> > > > > > > >> User should enter all three to login to the system. > > > > > > >> > > > > > > >> I went through the codebase and I saw that the Authentication > > > > > > >> Manager > > > > > > >> (which > > > > > > >> is a concrete class) does all the work inside keycloak. I > > > > > > >> managed > > > > > > >> to > > > > > > >> customize the frontend with ease, however, in order to support > > > > > > >> the > > > > > > >> pin > > > > > > >> in > > > > > > >> the backend seems like I have to customize the > > > > > > >> AuthenticationManager > > > > > > >> class > > > > > > >> (no direct SPIs). > > > > > > >> > > > > > > >> Although there is a link here; > > > > > > >> > > > > > > >> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/authentication-spi.html > > > > > > >> > > > > > > >> I cant seem to find anything here which matches the current code > > > > > > >> base > > > > > > >> (to > > > > > > >> via > > > > > > >> a new authentication method via spis) and the example has been > > > > > > >> removed. > > > > > > >> > > > > > > >> > > > > > > >> > > > > > > >> 2/ Customize password hashes. > > > > > > >> > > > > > > >> We have our own algorithm used to store password hashes. What > > > > > > >> should > > > > > > >> I > > > > > > >> do > > > > > > >> to > > > > > > >> add this to keycloak? 
> > > > > > >> > > > > > > >> I do not know the current passwords of the users already in our > > > > > > >> system, > > > > > > >> so > > > > > > >> when doing the migration i need keyclock to support the current > > > > > > >> algorithm > > > > > > >> we > > > > > > >> use. Can we plugin new hashing algorithms to meet my needs? > > > > > > >> > > > > > > >> > > > > > > >> > > > > > > >> Any other issues I might face? > > > > > > >> > > > > > > >> I feel key cloak is the right choice if the above two questions > > > > > > >> are > > > > > > >> answered. > > > > > > >> Please let me know. > > > > > > >> > > > > > > >> _______________________________________________ > > > > > > >> keycloak-user mailing list > > > > > > >> keycloak-user at lists.jboss.org > > > > > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > _______________________________________________ > > > > > > > keycloak-user mailing list > > > > > > > keycloak-user at lists.jboss.org > > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > > > > > > > > > -- > > > > > > Bill Burke > > > > > > JBoss, a division of Red Hat > > > > > > http://bill.burkecentral.com > > > > > > _______________________________________________ > > > > > > keycloak-user mailing list > > > > > > keycloak-user at lists.jboss.org > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > > _______________________________________________ > > > > > > keycloak-user mailing list > > > > > > keycloak-user at lists.jboss.org > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > From bburke at redhat.com Mon Mar 23 10:02:00 2015 From: bburke at redhat.com (Bill Burke) Date: Mon, 23 Mar 2015 10:02:00 -0400 Subject: [keycloak-user] Multiple 
Identity Support? In-Reply-To: References: Message-ID: <55101CD8.2010402@redhat.com> Just doesn't work that way in Keycloak...instead, each "System" is granted its own specific token. This token can be tailored to the system to include/exclude the user information, roles, etc. you want. This "tailoring" is limited in 1.1.x, but next release we have many more capabilities to format the token/saml doc the System receives. On 3/22/2015 4:10 PM, Stephen Russett wrote: > Hi > > Is there support for handling multiple identities for a single user? If > so, is there a video or write up explaining how this is handled? > > Example use case: > > You have your user profile (with multiple Identities) that is associated > with KC. KC is connected to three systems. When you log into System 1, > you use Identity A, and when you log into System 2, you use Identity B, > and When you log into System 3, you use Identity C. > The different identities are due to the need for the user wanting to > share specific information depending on the system they are logging into. > This openID connect video has a great intro that outlines the use case > for multiple identities: https://www.youtube.com/watch?v=Kb56GzQ2pSk > > Thanks. > Stephen > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From thorsten315 at gmx.de Mon Mar 23 10:14:06 2015 From: thorsten315 at gmx.de (Thorsten) Date: Mon, 23 Mar 2015 15:14:06 +0100 Subject: [keycloak-user] Limit Google authentication by domain? Message-ID: Hi, is there a way to limit the Google authentication to only work for users that have a Google account in a specific Google app domain? Right now it seems that anybody with a Google+ account can login once you enable it. 
Is there an out-of-the-box way to get this done through configuration and if not what would be the simplest way to implement this?

Thanks

From bburke at redhat.com Mon Mar 23 10:19:55 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 23 Mar 2015 10:19:55 -0400
Subject: [keycloak-user] Limit Google authentication by domain?
In-Reply-To:
References:
Message-ID: <5510210B.3010306@redhat.com>

We don't support this. Our "social" module contains our Google adapter.

On 3/23/2015 10:14 AM, Thorsten wrote:
> Hi,
>
> is there a way to limit the Google authentication to only work for users
> that have a Google account in a specific Google app domain? Right now it
> seems that anybody with a Google+ account can login once you enable it.
>
> Is there an out-of-the-box way to get this done through configuration and
> if not what would be the simplest way to implement this?
>
> Thanks
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From alexgv99 at gmail.com Mon Mar 23 10:34:26 2015
From: alexgv99 at gmail.com (Alex Gouvêa Vasconcelos)
Date: Mon, 23 Mar 2015 11:34:26 -0300
Subject: [keycloak-user] (no subject)
Message-ID:

Cordially.
Alex Gouvêa Vasconcelos
mailto:alexgv99 at gmail.com
MSN: alexgv99 at hotmail.com
http://about.me/alexgv99
From guydavis.ca at gmail.com Mon Mar 23 10:44:56 2015
From: guydavis.ca at gmail.com (Guy Davis)
Date: Mon, 23 Mar 2015 08:44:56 -0600
Subject: [keycloak-user] Relative host possible in redirect URI when using Keycloak appliance?
Message-ID:

Good day,

A few weeks ago, I was deploying auth-server.war inside a JBoss 6.1.0alpha instance and using relative URIs for redirects on my registered applications. For example, a single redirect uri of '/hello-world/*' meant that I could access our app from:

- http://localhost:8080/hello-world/
- https://localhost:8443/hello-world/
- http://[workstation]:8080/hello-world/
- https://[workstation]:8443/hello-world/

This was very convenient as we deploy the JBoss container on site for customer use via automated installer, so trying to minimize the local configurations required is important.

However, as per recent exchanges with Stian, I am now running a separate Keycloak appliance instance (Wildfly 8.2), port-shifted by 100, alongside our old JBoss instance.

This seems to require that I add 4 separate redirect_uris (above) in order for things to work. As well, the latter two require knowledge of the target machine's hostname.

I'm wondering if there is a way to use a relative host URI, but keep the port for the application redirect_uri. Or perhaps a hostname placeholder? Possible example:

- http://${jboss.host.name}:8080/hello-world/

Any sort of placeholder for the current host-name would simplify the current post-install configuration required.

Thanks,
Guy
From alexgv99 at gmail.com Mon Mar 23 10:55:07 2015
From: alexgv99 at gmail.com (Alex Gouvêa Vasconcelos)
Date: Mon, 23 Mar 2015 11:55:07 -0300
Subject: [keycloak-user] Application Management
Message-ID:

Hi all...

We started using Keycloak a few weeks ago, trying a SSO solution for our company. We used to use a proprietary system for authentication/authorization and our users have a console admin which allows them to manage users and roles per application.
We tried doing that in Keycloak but the only way we found to do something similar to that was giving realm-management rights to the application admin. This was not what we were trying to do, because those rights allow the admin of app1 to give permission to users of app2.

We found another user of this forum with a similar question in the February archives... [1] but the answer did not specify if this is in future plans. If not, is there any help we could count on to implement it ourselves?

[1] http://lists.jboss.org/pipermail/keycloak-user/2015-February/001540.html

Best regards.
Alex Gouvêa Vasconcelos
mailto:alexgv99 at gmail.com

From bburke at redhat.com Mon Mar 23 11:06:00 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 23 Mar 2015 11:06:00 -0400
Subject: [keycloak-user] Application Management
In-Reply-To:
References:
Message-ID: <55102BD8.2000402@redhat.com>

So, you have an "application admin", and you want this admin to only be able to add permissions for that app for a specific user? You'll have to submit a JIRA for that. Our queue is very large right now, so I can't promise much.

On 3/23/2015 10:55 AM, Alex Gouvêa Vasconcelos wrote:
> Hi all...
>
> We started using Keycloak a few weeks ago, trying a SSO solution for
> our company. We used to use a proprietary system for
> authentication/authorization and our users have a console admin which
> allows them to manage users and roles per application.
> We tried doing that in Keycloak but the only way we found to do
> something similar to that was giving realm-management rights to the
> application admin. This was not what we were trying to do, because those
> rights allow the admin of app1 to give permission to users of app2.
>
> We found another user of this forum with a similar question in the February
> archives... [1] but the answer did not specify if this is in future
> plans. If not, is there any help we could count on to implement it ourselves?
>
> [1] http://lists.jboss.org/pipermail/keycloak-user/2015-February/001540.html
>
> Best regards.
> Alex Gouvêa Vasconcelos
> mailto:alexgv99 at gmail.com
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From thorsten315 at gmx.de Mon Mar 23 12:11:12 2015
From: thorsten315 at gmx.de (Thorsten)
Date: Mon, 23 Mar 2015 17:11:12 +0100
Subject: [keycloak-user] Limit Google authentication by domain?
In-Reply-To: <5510210B.3010306@redhat.com>
References: <5510210B.3010306@redhat.com>
Message-ID:

Ok, I have copied the social Google adapter (all based on the 1.1.0.Final codebase) and modified a few lines (incl. ID and NAME). I also adjusted the "services" entry to match the new class name.
Now I used the jboss/keycloak:1.1.0.Final docker image and just added my adapter jar to the /opt/jboss/keycloak/standalone/configuration/providers/ directory.

But when I start the docker container and enable Social Login I don't see my social module name in the "Add provider..." pulldown list.
Is there anything else I need to do in order to get my social provider to register?

Thanks

2015-03-23 15:19 GMT+01:00 Bill Burke :
> We don't support this. Our "social" module contains our Google adapter.
>
> On 3/23/2015 10:14 AM, Thorsten wrote:
> > Hi,
> >
> > is there a way to limit the Google authentication to only work for users
> > that have a Google account in a specific Google app domain? Right now it
> > seems that anybody with a Google+ account can login once you enable it.
> >
> > Is there an out-of-the-box way to get this done through configuration and
> > if not what would be the simplest way to implement this?
> >
> > Thanks
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From alexgv99 at gmail.com Mon Mar 23 16:31:17 2015
From: alexgv99 at gmail.com (Alex Gouvêa Vasconcelos)
Date: Mon, 23 Mar 2015 17:31:17 -0300
Subject: [keycloak-user] Application Management
In-Reply-To: <55102BD8.2000402@redhat.com>
References: <55102BD8.2000402@redhat.com>
Message-ID:

We found a Jira about the same issue we talked about [1]. We are available to help implementing that feature, but we barely know about the Keycloak implementation.

Our current idea is to create the app-admin role when the application is created in the realm. We would display a widget in the Application > Roles screen to allow the app-admin to assign the given role to users.
As for the schema, we're not sure how to store the "app-admin" information. We provisionally thought about a boolean field stating whether the role is the admin role of the associated app, but input here would be very welcome.

In short, if someone could provide some guidance on this sort of issue, we're more than happy to provide some code.

[1] https://issues.jboss.org/browse/KEYCLOAK-1032

Cordially.
Alex Gouvêa Vasconcelos
mailto:alexgv99 at gmail.com
MSN: alexgv99 at hotmail.com
http://about.me/alexgv99

2015-03-23 12:06 GMT-03:00 Bill Burke :
> So, you have an "application admin", and you want this admin to only be
> able to add permissions for that app for a specific user? You'll have
> to submit a JIRA for that. Our queue is very large right now, so I
> can't promise much.
>
> On 3/23/2015 10:55 AM, Alex Gouvêa Vasconcelos wrote:
> > Hi all...
> >
> > We started using Keycloak a few weeks ago, trying a SSO solution for
> > our company. We used to use a proprietary system for
> > authentication/authorization and our users have a console admin which
> > allows them to manage users and roles per application.
> > We tried doing that in Keycloak but the only way we found to do
> > something similar to that was giving realm-management rights to the
> > application admin. This was not what we were trying to do, because those
> > rights allow the admin of app1 to give permission to users of app2.
> >
> > We found another user of this forum with a similar question in the February
> > archives... [1] but the answer did not specify if this is in future
> > plans. If not, is there any help we could count on to implement it
> > ourselves?
> >
> > [1] http://lists.jboss.org/pipermail/keycloak-user/2015-February/001540.html
> >
> > Best regards.
> > Alex Gouvêa Vasconcelos
> > mailto:alexgv99 at gmail.com
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From prabhalar at yahoo.com Mon Mar 23 20:50:39 2015
From: prabhalar at yahoo.com (Raghu Prabhala)
Date: Tue, 24 Mar 2015 00:50:39 +0000 (UTC)
Subject: [keycloak-user] Application Management
In-Reply-To:
References:
Message-ID: <1925478353.35434.1427158239845.JavaMail.yahoo@mail.yahoo.com>

+1. Glad that you are willing to pitch in. May I request that an API be provided to add users to this role dynamically?

Regards,
Raghu

From: Alex Gouvêa Vasconcelos
To: Bill Burke
Cc: "keycloak-user at lists.jboss.org" ; Thiago Addevico Presa
Sent: Monday, March 23, 2015 4:31 PM
Subject: Re: [keycloak-user] Application Management

We found a Jira about the same issue we talked about [1]. We are available to help implementing that feature, but we barely know about the Keycloak implementation.

Our current idea is to create the app-admin role when the application is created in the realm. We would display a widget in the Application > Roles screen to allow the app-admin to assign the given role to users.

As for the schema, we're not sure how to store the "app-admin" information. We provisionally thought about a boolean field stating whether the role is the admin role of the associated app, but input here would be very welcome.
In short, if someone could provide some guidance on this sort of issue, we're more than happy to provide some code.

[1] https://issues.jboss.org/browse/KEYCLOAK-1032

Cordially.
Alex Gouvêa Vasconcelos
mailto:alexgv99 at gmail.com
MSN: alexgv99 at hotmail.com
http://about.me/alexgv99

2015-03-23 12:06 GMT-03:00 Bill Burke :

So, you have an "application admin", and you want this admin to only be able to add permissions for that app for a specific user? You'll have to submit a JIRA for that. Our queue is very large right now, so I can't promise much.

On 3/23/2015 10:55 AM, Alex Gouvêa Vasconcelos wrote:
> Hi all...
>
> We started using Keycloak a few weeks ago, trying a SSO solution for
> our company. We used to use a proprietary system for
> authentication/authorization and our users have a console admin which
> allows them to manage users and roles per application.
> We tried doing that in Keycloak but the only way we found to do
> something similar to that was giving realm-management rights to the
> application admin. This was not what we were trying to do, because those
> rights allow the admin of app1 to give permission to users of app2.
>
> We found another user of this forum with a similar question in the February
> archives... [1] but the answer did not specify if this is in future
> plans. If not, is there any help we could count on to implement it ourselves?
>
> [1] http://lists.jboss.org/pipermail/keycloak-user/2015-February/001540.html
>
> Best regards.
> Alex Gouvêa Vasconcelos
> mailto:alexgv99 at gmail.com
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From stian at redhat.com Tue Mar 24 01:55:01 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 24 Mar 2015 01:55:01 -0400 (EDT)
Subject: [keycloak-user] Application Management
In-Reply-To:
References:
Message-ID: <603978786.3572282.1427176501794.JavaMail.zimbra@redhat.com>

I had an idea a while back that is a simple way to achieve what you're asking for. The idea would be to only allow an admin to grant roles that the admin has access to. Basically:

* A user with admin (super user) role can grant any roles (we would need to add a per-realm super user role)
* A user with the role manage-users and some roles on app1 can only grant other users the roles on app1
* A user with the role manage-users and some roles on app2 can only grant other users the roles on app2

This is something we should add in either case (to prevent users granting themselves more access). Would it solve your problems?

----- Original Message -----
> From: "Alex Gouvêa Vasconcelos"
> To: keycloak-user at lists.jboss.org
> Sent: Monday, 23 March, 2015 3:55:07 PM
> Subject: [keycloak-user] Application Management
>
> Hi all...
>
> We started using Keycloak a few weeks ago, trying a SSO solution for our
> company. We used to use a proprietary system for
> authentication/authorization and our users have a console admin which allows
> them to manage users and roles per application.
> We tried doing that in Keycloak but the only way we found to do something
> similar to that was giving realm-management rights to the application
> admin. This was not what we were trying to do, because those rights allow
> the admin of app1 to give permission to users of app2.
>
> We found another user of this forum with a similar question in the February
> archives... [1] but the answer did not specify if this is in future plans.
> If not, is there any help we could count on to implement it ourselves?
>
> [1] http://lists.jboss.org/pipermail/keycloak-user/2015-February/001540.html
>
> Best regards.
> Alex Gouvêa Vasconcelos
> mailto: alexgv99 at gmail.com
>

From stian at redhat.com Tue Mar 24 02:09:21 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 24 Mar 2015 02:09:21 -0400 (EDT)
Subject: [keycloak-user] Limit Google authentication by domain?
In-Reply-To:
References: <5510210B.3010306@redhat.com>
Message-ID: <1936235934.3578600.1427177361531.JavaMail.zimbra@redhat.com>

Not sure why it's not working; you can enable debug for org.keycloak.services.DefaultKeycloakSessionFactory and org.keycloak.provider.ProviderManager, which may provide some option.

Alternatively, if you try with master (build from GitHub) or wait until 1.2.0.Beta1 is released, you can configure your own OpenID Connect provider, which would let you add the hd param to the authorization URL.
----- Original Message -----
> From: "Thorsten"
> To: "Bill Burke"
> Cc: keycloak-user at lists.jboss.org
> Sent: Monday, 23 March, 2015 5:11:12 PM
> Subject: Re: [keycloak-user] Limit Google authentication by domain?
>
> Ok, I have copied the social Google adapter (all based on the 1.1.0.Final
> codebase) and modified a few lines (incl. ID and NAME). I also adjusted the
> "services" entry to match the new class name.
> Now I used the jboss/keycloak:1.1.0.Final docker image and just added my
> adapter jar to the /opt/jboss/keycloak/standalone/configuration/providers/
> directory.
>
> But when I start the docker container and enable Social Login I don't see my
> social module name in the "Add provider..." pulldown list.
>
> Is there anything else I need to do in order to get my social provider to
> register?
>
> Thanks
>
> 2015-03-23 15:19 GMT+01:00 Bill Burke < bburke at redhat.com > :
>
> > We don't support this. Our "social" module contains our Google adapter.
> >
> > On 3/23/2015 10:14 AM, Thorsten wrote:
> > > Hi,
> > >
> > > is there a way to limit the Google authentication to only work for users
> > > that have a Google account in a specific Google app domain? Right now it
> > > seems that anybody with a Google+ account can login once you enable it.
> > >
> > > Is there an out-of-the-box way to get this done through configuration and
> > > if not what would be the simplest way to implement this?
> > >
> > > Thanks
> > >
> >
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
>

From stian at redhat.com Tue Mar 24 02:19:17 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 24 Mar 2015 02:19:17 -0400 (EDT)
Subject: [keycloak-user] Relative host possible in redirect URI when using Keycloak appliance?
In-Reply-To:
References:
Message-ID: <253288078.3582116.1427177957535.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Guy Davis"
> To: keycloak-user at lists.jboss.org
> Sent: Monday, 23 March, 2015 3:44:56 PM
> Subject: [keycloak-user] Relative host possible in redirect URI when using Keycloak appliance?
>
> Good day,
>
> A few weeks ago, I was deploying auth-server.war inside a JBoss 6.1.0alpha
> instance and using relative URIs for redirects on my registered
> applications. For example, a single redirect uri of '/hello-world/*' meant
> that I could access our app from:
>
> * http://localhost:8080/hello-world/
> * https://localhost:8443/hello-world/
> * http://[workstation]:8080/hello-world/
> * https://[workstation]:8443/hello-world/
>
> This was very convenient as we deploy the JBoss container on site for
> customer use via automated installer, so trying to minimize the local
> configurations required is important.
>
> However, as per recent exchanges with Stian, I am now running a separate
> Keycloak appliance instance (Wildfly 8.2), port-shifted by 100, alongside
> our old JBoss instance.
>
> This seems to require that I add 4 separate redirect_uris (above) in order
> for things to work. As well, the latter two require knowledge of the target
> machine's hostname.
>
> I'm wondering if there is a way to use a relative host URI, but keep the port
> for the application redirect_uri. Or perhaps a hostname placeholder? Possible
> example:
>
> * http://${jboss.host.name}:8080/hello-world/
>
> Any sort of placeholder for the current host-name would simplify the current
> post-install configuration required.

We don't have anything atm that'll let you do that. You could use a proxy to put both the app and Keycloak on the same domain/port, but that might be more setup than you'd like.

If you're using an automated installer you can have it do the job for you though. Use Keycloak's export facility to export the realm and all applications to a JSON file. Then have your installer modify the redirect-uri for the application directly in the JSON file, before you import it again into a freshly installed Keycloak server. I'd suggest that for an automated installation that'd be a good approach in either case.

>
> Thanks,
> Guy
>

From thiago.addevico at gmail.com Tue Mar 24 08:41:16 2015
From: thiago.addevico at gmail.com (Thiago Presa)
Date: Tue, 24 Mar 2015 09:41:16 -0300
Subject: [keycloak-user] Application Management
Message-ID:

Hi there,

I'm Alex's coworker and I'll be working on this too.

We were just discussing your idea, and it seems to fit our requirements.

As far as we have seen, Keycloak already has a realm-admin concept.
Whenever a realm "R" is created, it creates an R-realm application with a bunch of default roles (manage-users, manage-roles, etc.) into the realm master.

We are currently thinking if we could mimic this structure for applications. What do you think?

> I had an idea a while back that is a simple way to achieve what you're asking for. The idea would be to only allow an admin to grant roles that the admin has access to.
> Basically:
> * A user with admin (super user) role can grant any roles (we would need to add a per-realm super user role)
> * A user with the role manage-users and some roles on app1 can only grant other users the roles on app1
> * A user with the role manage-users and some roles on app2 can only grant other users the roles on app2
>
> This is something we should add in either case (to prevent users granting themselves more access). Would it solve your problems?

From stian at redhat.com Tue Mar 24 08:44:58 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 24 Mar 2015 08:44:58 -0400 (EDT)
Subject: [keycloak-user] Application Management
In-Reply-To:
References:
Message-ID: <235824875.3863019.1427201098648.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Thiago Presa"
> To: stian at redhat.com
> Cc: keycloak-user at lists.jboss.org
> Sent: Tuesday, 24 March, 2015 1:41:16 PM
> Subject: Re: [keycloak-user] Application Management
>
> Hi there,
>
> I'm Alex's coworker and I'll be working on this too.
>
> We were just discussing your idea, and it seems to fit our requirements.
>
> As far as we have seen, Keycloak already has a realm-admin concept.
> Whenever a realm "R" is created, it creates an R-realm application with
> a bunch of default roles (manage-users, manage-roles, etc.) into the
> realm master.
>
> We are currently thinking if we could mimic this structure for
> applications. What do you think?

It's already messy with the way I modelled it and adding the same for applications would be even worse. I don't see why that's needed though if we'd add what I proposed.

>
> > I had an idea a while back that is a simple way to achieve what you're
> > asking for. The idea would be to only allow an admin to grant roles that
> > the admin has access to.
> > Basically:
> > * A user with admin (super user) role can grant any roles (we would
> > need to add a per-realm super user role)
> > * A user with the role manage-users and some roles on app1 can only grant
> > other users the roles on app1
> > * A user with the role manage-users and some roles on app2 can only grant
> > other users the roles on app2
> >
> > This is something we should add in either case (to prevent users granting
> > themselves more access). Would it solve your problems?
>

From kalc04 at gmail.com Tue Mar 24 10:30:40 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Tue, 24 Mar 2015 20:00:40 +0530
Subject: [keycloak-user] User Entitlements/Attributes
Message-ID:

Hi,

I had a look at the code + documentation, but couldn't find support for user entitlements or attributes. For example, I have a user called "John", who is an (1) Admin of my system. He can (2) View Reports and (3) Create Reports.

If I am to store all three of the above against the user (or 2 and 3 against the user role), what approach should I take? Is there a current feature in Keycloak through which I can achieve this?

Thanks!
From bburke at redhat.com Tue Mar 24 10:47:57 2015
From: bburke at redhat.com (Bill Burke)
Date: Tue, 24 Mar 2015 10:47:57 -0400
Subject: [keycloak-user] User Entitlements/Attributes
In-Reply-To:
References:
Message-ID: <5511791D.50505@redhat.com>

Everything is role based for user permissions. We have the concept of a "composite role" where you can associate other roles with the composite.

On 3/24/2015 10:30 AM, Lohitha Chiranjeewa wrote:
> Hi,
>
> I had a look at the code + documentation, but couldn't find support for
> user entitlements or attributes. For example, I have a user called
> "John", who is an (1) Admin of my system. He can (2) View Reports and
> (3) Create Reports.
>
> If I am to store all three of the above against the user (or 2 and 3
> against the user role), what approach should I take? Is there a current
> feature in Keycloak through which I can achieve this?
>
> Thanks!
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From thorsten315 at gmx.de Tue Mar 24 11:02:25 2015
From: thorsten315 at gmx.de (Thorsten)
Date: Tue, 24 Mar 2015 16:02:25 +0100
Subject: [keycloak-user] Limit Google authentication by domain?
In-Reply-To: <1936235934.3578600.1427177361531.JavaMail.zimbra@redhat.com>
References: <5510210B.3010306@redhat.com> <1936235934.3578600.1427177361531.JavaMail.zimbra@redhat.com>
Message-ID:

I built master from GitHub and used the appliance distribution with a docker image.
I can create a new realm and set up a custom OpenID Connect provider, but when I go to the realm login I run into the following exception:

14:51:24,683 ERROR [io.undertow.request] (default task-24) UT005023: Exception handling request to /auth/realms/test/broker/google_hd_test/login: java.lang.RuntimeException: request path: /auth/realms/test/broker/google_hd_test/login
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54) [keycloak-services-1.2.0.Beta1-SNAPSHOT.jar:1.2.0.Beta1-SNAPSHOT]
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:166) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:197) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_65]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_65]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_65]
Caused by: org.jboss.resteasy.spi.UnhandledException: java.lang.NoClassDefFoundError: org/jboss/resteasy/logging/Logger
at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) [resteasy-jaxrs-3.0.10.Final.jar:]
at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) [resteasy-jaxrs-3.0.10.Final.jar:]
at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149) [resteasy-jaxrs-3.0.10.Final.jar:]
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372) [resteasy-jaxrs-3.0.10.Final.jar:]
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) [resteasy-jaxrs-3.0.10.Final.jar:]
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) [resteasy-jaxrs-3.0.10.Final.jar:]
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) [resteasy-jaxrs-3.0.10.Final.jar:]
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) [resteasy-jaxrs-3.0.10.Final.jar:]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41) [keycloak-services-1.2.0.Beta1-SNAPSHOT.jar:1.2.0.Beta1-SNAPSHOT]
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40) [keycloak-services-1.2.0.Beta1-SNAPSHOT.jar:1.2.0.Beta1-SNAPSHOT]
... 28 more
Caused by: java.lang.NoClassDefFoundError: org/jboss/resteasy/logging/Logger
at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.(AbstractOAuth2IdentityProvider.java:60)
at org.keycloak.broker.oidc.OIDCIdentityProviderFactory.create(OIDCIdentityProviderFactory.java:44)
at org.keycloak.broker.oidc.OIDCIdentityProviderFactory.create(OIDCIdentityProviderFactory.java:33)
at org.keycloak.services.resources.IdentityBrokerService.getIdentityProvider(IdentityBrokerService.java:438) [keycloak-services-1.2.0.Beta1-SNAPSHOT.jar:1.2.0.Beta1-SNAPSHOT]
at org.keycloak.services.resources.IdentityBrokerService.performLogin(IdentityBrokerService.java:126) [keycloak-services-1.2.0.Beta1-SNAPSHOT.jar:1.2.0.Beta1-SNAPSHOT]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_65]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_65]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_65]
at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_65]
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) [resteasy-jaxrs-3.0.10.Final.jar:]
at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) [resteasy-jaxrs-3.0.10.Final.jar:] at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) [resteasy-jaxrs-3.0.10.Final.jar:] at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) [resteasy-jaxrs-3.0.10.Final.jar:] at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) [resteasy-jaxrs-3.0.10.Final.jar:] at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) [resteasy-jaxrs-3.0.10.Final.jar:] ... 39 more Caused by: java.lang.ClassNotFoundException: org.jboss.resteasy.logging.Logger from [Module "org.keycloak.keycloak-broker-oidc:main" from local module loader @5f5cc764 (finder: local module finder @4426a725 (roots: /opt/jboss/keycloak/modules,/opt/jboss/keycloak/modules/system/layers/base))] at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:213) [jboss-modules.jar:1.3.3.Final] at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:459) [jboss-modules.jar:1.3.3.Final] at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:408) [jboss-modules.jar:1.3.3.Final] at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:389) [jboss-modules.jar:1.3.3.Final] at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:134) [jboss-modules.jar:1.3.3.Final] ... 54 more 2015-03-24 7:09 GMT+01:00 Stian Thorgersen : > Not sure why it's not working, you can enable debug for > org.keycloak.services.DefaultKeycloakSessionFactory and > org.keycloak.provider.ProviderManager that may provide some option. 
>
> Alternatively, if you try with master (build from github) or wait until 1.2.0.Beta1 is released you can configure your own OpenID Connect provider which would let you add the hd param to the authorization url.
>
> ----- Original Message -----
> > From: "Thorsten"
> > To: "Bill Burke"
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Monday, 23 March, 2015 5:11:12 PM
> > Subject: Re: [keycloak-user] Limit Google authentication by domain?
> >
> > Ok, I have copied the social Google adapter (all based on the 1.1.0.Final codebase) and modified a few lines (incl. ID and NAME). I also adjusted the "services" entry to match the new class name.
> > Now I used the jboss/keycloak:1.1.0.Final docker image and just added my adapter jar to the /opt/jboss/keycloak/standalone/configuration/providers/ directory.
> >
> > But when I start the docker container and enable Social Login I don't see my social module name in the "Add provider..." pulldown list.
> >
> > Is there anything else I need to do in order to add my social provider to register?
> >
> > Thanks
> >
> > 2015-03-23 15:19 GMT+01:00 Bill Burke < bburke at redhat.com > :
> >
> > We don't support this. Our "social" module contains our Google adapter.
> >
> > On 3/23/2015 10:14 AM, Thorsten wrote:
> > > Hi,
> > >
> > > is there a way to limit the Google authentication to only work for users that have a Google account in a specific Google app domain? Right now it seems that anybody with a Google+ account can login once you enable it.
> > >
> > > Is there an out-of-the-box way to get this done through configuration and if not what would be the simplest way to implement this?
> > >
> > > Thanks
> > >
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com

From stian at redhat.com Tue Mar 24 13:16:58 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 24 Mar 2015 13:16:58 -0400 (EDT)
Subject: [keycloak-user] Limit Google authentication by domain?
In-Reply-To:
References: <5510210B.3010306@redhat.com> <1936235934.3578600.1427177361531.JavaMail.zimbra@redhat.com>
Message-ID: <742149352.4159151.1427217418165.JavaMail.zimbra@redhat.com>

Please jira and I'll look at it tomorrow

----- Original Message -----
> From: "Thorsten"
> To: "Stian Thorgersen"
> Cc: "Bill Burke" , keycloak-user at lists.jboss.org
> Sent: Tuesday, 24 March, 2015 4:02:25 PM
> Subject: Re: [keycloak-user] Limit Google authentication by domain?
>
> I built master from github and used the appliance distribution with a docker image.
I can create a new relam and setup a custom OpenID connect > provider but when I go to realm login I run into the following exception: > > 14:51:24,683 ERROR [io.undertow.request] (default task-24) UT005023: > Exception handling request to > /auth/realms/test/broker/google_hd_test/login: java.lang.RuntimeException: > request path: /auth/realms/test/broker/google_hd_test/login > at > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54) > [keycloak-services-1.2.0.Beta1-SNAPSHOT.jar:1.2.0.Beta1-SNAPSHOT] > at > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > 
at > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:166) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.server.Connectors.executeRootHandler(Connectors.java:197) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > [rt.jar:1.7.0_65] > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > [rt.jar:1.7.0_65] > at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_65] > Caused by: org.jboss.resteasy.spi.UnhandledException: > java.lang.NoClassDefFoundError: org/jboss/resteasy/logging/Logger > at > org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) > [resteasy-jaxrs-3.0.10.Final.jar:] > at > org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) > [resteasy-jaxrs-3.0.10.Final.jar:] > at > org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149) > [resteasy-jaxrs-3.0.10.Final.jar:] > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372) > [resteasy-jaxrs-3.0.10.Final.jar:] > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) > [resteasy-jaxrs-3.0.10.Final.jar:] > at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) > [resteasy-jaxrs-3.0.10.Final.jar:] > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > [resteasy-jaxrs-3.0.10.Final.jar:] > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > [resteasy-jaxrs-3.0.10.Final.jar:] > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > 
[jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final] > at > io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41) > [keycloak-services-1.2.0.Beta1-SNAPSHOT.jar:1.2.0.Beta1-SNAPSHOT] > at > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40) > [keycloak-services-1.2.0.Beta1-SNAPSHOT.jar:1.2.0.Beta1-SNAPSHOT] > ... 28 more > Caused by: java.lang.NoClassDefFoundError: org/jboss/resteasy/logging/Logger > at > org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.(AbstractOAuth2IdentityProvider.java:60) > at > org.keycloak.broker.oidc.OIDCIdentityProviderFactory.create(OIDCIdentityProviderFactory.java:44) > at > org.keycloak.broker.oidc.OIDCIdentityProviderFactory.create(OIDCIdentityProviderFactory.java:33) > at > org.keycloak.services.resources.IdentityBrokerService.getIdentityProvider(IdentityBrokerService.java:438) > [keycloak-services-1.2.0.Beta1-SNAPSHOT.jar:1.2.0.Beta1-SNAPSHOT] > at > org.keycloak.services.resources.IdentityBrokerService.performLogin(IdentityBrokerService.java:126) > [keycloak-services-1.2.0.Beta1-SNAPSHOT.jar:1.2.0.Beta1-SNAPSHOT] > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > [rt.jar:1.7.0_65] > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) > [rt.jar:1.7.0_65] > at > 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > [rt.jar:1.7.0_65] > at java.lang.reflect.Method.invoke(Method.java:606) > [rt.jar:1.7.0_65] > at > org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) > [resteasy-jaxrs-3.0.10.Final.jar:] > at > org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) > [resteasy-jaxrs-3.0.10.Final.jar:] > at > org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) > [resteasy-jaxrs-3.0.10.Final.jar:] > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) > [resteasy-jaxrs-3.0.10.Final.jar:] > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) > [resteasy-jaxrs-3.0.10.Final.jar:] > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) > [resteasy-jaxrs-3.0.10.Final.jar:] > ... 39 more > Caused by: java.lang.ClassNotFoundException: > org.jboss.resteasy.logging.Logger from [Module > "org.keycloak.keycloak-broker-oidc:main" from local module loader @5f5cc764 > (finder: local module finder @4426a725 (roots: > /opt/jboss/keycloak/modules,/opt/jboss/keycloak/modules/system/layers/base))] > at > org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:213) > [jboss-modules.jar:1.3.3.Final] > at > org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:459) > [jboss-modules.jar:1.3.3.Final] > at > org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:408) > [jboss-modules.jar:1.3.3.Final] > at > org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:389) > [jboss-modules.jar:1.3.3.Final] > at > org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:134) > [jboss-modules.jar:1.3.3.Final] > ... 
54 more
>
>
> 2015-03-24 7:09 GMT+01:00 Stian Thorgersen :
>
> > Not sure why it's not working, you can enable debug for org.keycloak.services.DefaultKeycloakSessionFactory and org.keycloak.provider.ProviderManager that may provide some option.
> >
> > Alternatively, if you try with master (build from github) or wait until 1.2.0.Beta1 is released you can configure your own OpenID Connect provider which would let you add the hd param to the authorization url.
> >
> > ----- Original Message -----
> > > From: "Thorsten"
> > > To: "Bill Burke"
> > > Cc: keycloak-user at lists.jboss.org
> > > Sent: Monday, 23 March, 2015 5:11:12 PM
> > > Subject: Re: [keycloak-user] Limit Google authentication by domain?
> > >
> > > Ok, I have copied the social Google adapter (all based on the 1.1.0.Final codebase) and modified a few lines (incl. ID and NAME). I also adjusted the "services" entry to match the new class name.
> > > Now I used the jboss/keycloak:1.1.0.Final docker image and just added my adapter jar to the /opt/jboss/keycloak/standalone/configuration/providers/ directory.
> > >
> > > But when I start the docker container and enable Social Login I don't see my social module name in the "Add provider..." pulldown list.
> > >
> > > Is there anything else I need to do in order to add my social provider to register?
> > >
> > > Thanks
> > >
> > > 2015-03-23 15:19 GMT+01:00 Bill Burke < bburke at redhat.com > :
> > >
> > > We don't support this. Our "social" module contains our Google adapter.
> > >
> > > On 3/23/2015 10:14 AM, Thorsten wrote:
> > > > Hi,
> > > >
> > > > is there a way to limit the Google authentication to only work for users that have a Google account in a specific Google app domain? Right now it seems that anybody with a Google+ account can login once you enable it.
> > > >
> > > > Is there an out-of-the-box way to get this done through configuration and if not what would be the simplest way to implement this?
> > > >
> > > > Thanks
> > >
> > > --
> > > Bill Burke
> > > JBoss, a division of Red Hat
> > > http://bill.burkecentral.com

From thiago.addevico at gmail.com Tue Mar 24 13:33:36 2015
From: thiago.addevico at gmail.com (Thiago Presa)
Date: Tue, 24 Mar 2015 14:33:36 -0300
Subject: [keycloak-user] Application Management
In-Reply-To: <235824875.3863019.1427201098648.JavaMail.zimbra@redhat.com>
References: <235824875.3863019.1427201098648.JavaMail.zimbra@redhat.com>
Message-ID:

OK, agreed. We thought this out of consistency, but if that's not a good design we surely can consider a better one.

On Tue, Mar 24, 2015 at 9:44 AM, Stian Thorgersen wrote:
>
> ----- Original Message -----
> > From: "Thiago Presa"
> > To: stian at redhat.com
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Tuesday, 24 March, 2015 1:41:16 PM
> > Subject: Re: [keycloak-user] Application Management
> >
> > Hi there,
> >
> > I'm Alex's coworker and I'll be working on this too.
> >
> > We were just discussing your idea, and it seems to fit our requirements.
> >
> > As far as we have seen, keycloak already has a realm-admin concept.
> > Whenever a realm "R" is created, it creates a R-realm application with a bunch of default roles (manage-users, manage-roles, etc.) into the realm master.
> >
> > We are currently thinking if we could mimic this structure for applications. What do you think?
>
> It's already messy with the way I modelled it and adding the same for applications would be even worse. I don't see why that's needed though if we'd add what I proposed.
>
> > > I had an idea a while back that is a simple way to achieve what you're asking for. The idea would be to only allow an admin to grant roles that the admin has access to.
> > >
> > > Basically:
> > > * A user with admin (super user) role can grant any roles (we would need to add a per-realm super user role)
> > > * A user with the role manage-users and some roles on app1 can only grant other users the roles on app1
> > > * A user with the role manage-users and some roles on app2 can only grant other users the roles on app2
> > >
> > > This is something we should add in either case (to prevent users granting themselves more access). Would it solve your problems?
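The grant rule Stian sketches above (an admin may only hand out roles the admin already holds, with a realm super user allowed to grant anything) as an added Python illustration. This is example code written for this page, not Keycloak's implementation; the role names manage-users and manage-roles come from the thread, while the super-user role name "admin", the pseudo-application "realm" for realm-level roles, and all user and application names are constructed assumptions.

```python
"""Added example (not Keycloak code): restrict role grants to the roles the
granting admin already holds, so an admin can neither hand out nor take
more access than they have.  Role names follow the thread; the super-user
role name "admin" and every user/application name are constructed."""
from dataclasses import dataclass
from typing import Iterable, Set

REALM = "realm"               # assumed pseudo-app holding realm-level management roles
SUPER_USER = "admin"          # assumed name of the per-realm super-user role
MANAGE_USERS = "manage-users"  # role name from the thread


@dataclass(frozen=True)
class Role:
    app: str    # application the role belongs to, or REALM
    name: str


@dataclass
class User:
    username: str
    roles: Set[Role]


class GrantDenied(Exception):
    """Raised when an admin asks to grant a role outside their own set."""


def grantable_roles(admin: User, all_roles: Iterable[Role]) -> Set[Role]:
    """Roles `admin` may grant to other users.

    * super user: every role in the realm
    * manage-users plus application roles: exactly the application roles the
      admin holds (realm-level management roles are never included, so such an
      admin cannot hand out manage-users, manage-roles or admin)
    * anyone else: nothing
    """
    if Role(REALM, SUPER_USER) in admin.roles:
        return set(all_roles)
    if Role(REALM, MANAGE_USERS) not in admin.roles:
        return set()
    return {r for r in admin.roles if r.app != REALM}


def grant(admin: User, target: User, roles: Iterable[Role],
          all_roles: Iterable[Role]) -> Set[Role]:
    """Grant `roles` to `target` on behalf of `admin`.

    The request is all-or-nothing: if any requested role is outside what the
    admin may grant, nothing is granted, so a mixed request cannot slip one
    escalated role in alongside legitimate ones.  Returns the target's roles
    after the grant."""
    requested = set(roles)
    denied = requested - grantable_roles(admin, all_roles)
    if denied:
        names = ", ".join(sorted(f"{r.app}:{r.name}" for r in denied))
        raise GrantDenied(f"{admin.username} may not grant {names}")
    target.roles |= requested
    return set(target.roles)


# Constructed realm: two applications plus the realm management roles.
ALL_ROLES = {
    Role(REALM, SUPER_USER), Role(REALM, MANAGE_USERS), Role(REALM, "manage-roles"),
    Role("app1", "viewer"), Role("app1", "editor"),
    Role("app2", "viewer"), Role("app2", "editor"),
}


def demo() -> dict:
    """Run the cases from the thread and report each outcome."""
    superuser = User("root", {Role(REALM, SUPER_USER)})
    app1_admin = User("alice", {Role(REALM, MANAGE_USERS),
                                Role("app1", "viewer"), Role("app1", "editor")})
    bob = User("bob", set())
    results = {}
    # 1. the super user can grant anything, including app2 roles
    results["super_grants_app2"] = grant(superuser, bob, [Role("app2", "editor")], ALL_ROLES)
    # 2. the app1 admin can grant the app1 roles she holds
    results["app1_admin_grants_app1"] = grant(app1_admin, bob, [Role("app1", "viewer")], ALL_ROLES)
    # 3. the app1 admin cannot reach into app2 ...
    try:
        grant(app1_admin, bob, [Role("app2", "viewer")], ALL_ROLES)
        results["app1_admin_grants_app2"] = "allowed"
    except GrantDenied:
        results["app1_admin_grants_app2"] = "denied"
    # ... nor promote herself to super user
    try:
        grant(app1_admin, app1_admin, [Role(REALM, SUPER_USER)], ALL_ROLES)
        results["self_escalation"] = "allowed"
    except GrantDenied:
        results["self_escalation"] = "denied"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The check is deliberately computed from the admin's own role set rather than from a separate "may grant" list, so that taking a role away from an admin also removes their ability to hand it out, and realm-level management roles are excluded from what a non-super admin can grant, which is what closes the self-escalation path the thread mentions.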
From n.preusker at gmail.com Wed Mar 25 04:43:32 2015
From: n.preusker at gmail.com (Nils Preusker)
Date: Wed, 25 Mar 2015 09:43:32 +0100
Subject: [keycloak-user] User Activation
Message-ID:

Hi,

I'm wondering whether there is a way to set up user activation so that

* we create a new user via the admin API
* the account has no credentials (password) and is inactive
* the user receives an e-mail when the account is created
* when the user logs in for the first time (following a link in the e-mail), he is prompted to set up his password and the account is activated

So far I have only been able to get this to work with an initial "default" password followed by a prompt to re-set it. I also didn't find a way to notify a user of the new account via e-mail. Am I missing something?

Cheers,
Nils

From stian at redhat.com Wed Mar 25 04:49:14 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Wed, 25 Mar 2015 04:49:14 -0400 (EDT)
Subject: [keycloak-user] User Activation
In-Reply-To:
References:
Message-ID: <1328170198.4762640.1427273354155.JavaMail.zimbra@redhat.com>

Create a user in admin account, set the user's email, click on credentials and there's an option to send a password reset email.
----- Original Message -----
> From: "Nils Preusker"
> To: keycloak-user at lists.jboss.org
> Sent: Wednesday, 25 March, 2015 9:43:32 AM
> Subject: [keycloak-user] User Activation
>
> Hi,
>
> I'm wondering whether there is a way to set up user activation so that
>
> * we create a new user via the admin API
> * the account has no credentials (password) and is inactive
> * the user receives an e-mail when the account is created
> * when the user logs in for the first time (following a link in the e-mail), he is prompted to set up his password and the account is activated
>
> So far I have only been able to get this to work with an initial "default" password followed by a prompt to re-set it. I also didn't find a way to notify a user of the new account via e-mail. Am I missing something?
>
> Cheers,
> Nils

From kalinga at leapset.com Wed Mar 25 06:44:34 2015
From: kalinga at leapset.com (Kalinga Dissanayake)
Date: Wed, 25 Mar 2015 16:14:34 +0530 (IST)
Subject: [keycloak-user] Theme based on application
In-Reply-To: <1328170198.4762640.1427273354155.JavaMail.zimbra@redhat.com>
References: <1328170198.4762640.1427273354155.JavaMail.zimbra@redhat.com>
Message-ID: <1427280274.585427068@apps.rackspace.com>

Guys,

Is it possible to customize the theme based on the application?

Basically I have one realm configured with four applications. I need a different UI for each application. Is it possible to do this?
From stian at redhat.com Wed Mar 25 07:47:03 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Wed, 25 Mar 2015 07:47:03 -0400 (EDT)
Subject: [keycloak-user] Theme based on application
In-Reply-To: <1427280274.585427068@apps.rackspace.com>
References: <1328170198.4762640.1427273354155.JavaMail.zimbra@redhat.com> <1427280274.585427068@apps.rackspace.com>
Message-ID: <1213936416.4879234.1427284023785.JavaMail.zimbra@redhat.com>

No, we don't support that. Not sure if that makes sense either as it's SSO login, not login to individual applications.

----- Original Message -----
> From: "Kalinga Dissanayake"
> To: keycloak-user at lists.jboss.org
> Sent: Wednesday, 25 March, 2015 11:44:34 AM
> Subject: [keycloak-user] Theme based on application
>
> Guys,
>
> Is it possible to customize the theme based on the application?
>
> Basically I have one realm configured with four applications. I need a different UI for each application. Is it possible to do this?

From n.preusker at gmail.com Wed Mar 25 10:09:56 2015
From: n.preusker at gmail.com (Nils Preusker)
Date: Wed, 25 Mar 2015 15:09:56 +0100
Subject: [keycloak-user] Fwd: User Activation
In-Reply-To:
References: <1328170198.4762640.1427273354155.JavaMail.zimbra@redhat.com>
Message-ID:

---------- Forwarded message ----------
From: Nils Preusker
Date: Wed, Mar 25, 2015 at 3:04 PM
Subject: Re: [keycloak-user] User Activation
To: Stian Thorgersen

Hey Stian,

thanks for your reply!
That works, however we have a couple of issues with the suggested flow:

* if I'm not mistaken the e-mail template is the same one that is used for the "forgot password" link, this is not ideal in our case because it would be the first e-mail (first contact) that new users in our system would get...
* when I follow the flow that you suggested I always get redirected to the account page (/auth/realms/{realm}/account) after creating a password and I wasn't able to figure out why (I would have expected to be redirected to the default redirect URL, so to my application)

Cheers!
Nils

On Wed, Mar 25, 2015 at 9:49 AM, Stian Thorgersen wrote:
> Create a user in admin account, set the user's email, click on credentials and there's an option to send a password reset email.
>
> ----- Original Message -----
> > From: "Nils Preusker"
> > To: keycloak-user at lists.jboss.org
> > Sent: Wednesday, 25 March, 2015 9:43:32 AM
> > Subject: [keycloak-user] User Activation
> >
> > Hi,
> >
> > I'm wondering whether there is a way to set up user activation so that
> >
> > * we create a new user via the admin API
> > * the account has no credentials (password) and is inactive
> > * the user receives an e-mail when the account is created
> > * when the user logs in for the first time (following a link in the e-mail), he is prompted to set up his password and the account is activated
> >
> > So far I have only been able to get this to work with an initial "default" password followed by a prompt to re-set it. I also didn't find a way to notify a user of the new account via e-mail. Am I missing something?
> >
> > Cheers,
> > Nils
From stian at redhat.com Wed Mar 25 10:13:29 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Wed, 25 Mar 2015 10:13:29 -0400 (EDT)
Subject: [keycloak-user] Fwd: User Activation
In-Reply-To:
References: <1328170198.4762640.1427273354155.JavaMail.zimbra@redhat.com>
Message-ID: <8620272.5011130.1427292809496.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Nils Preusker"
> To: "Stian Thorgersen"
> Sent: Wednesday, 25 March, 2015 3:04:59 PM
> Subject: Re: [keycloak-user] User Activation
>
> Hey Stian,
>
> thanks for your reply! That works, however we have a couple of issues with the suggested flow:
>
> * if I'm not mistaken the e-mail template is the same one that is used for the "forgot password" link, this is not ideal in our case because it would be the first e-mail (first contact) that new users in our system would get...

I agree that's less than ideal, but it's how it works atm as it's just a way for an admin to initiate the reset password flow. Create a JIRA and we can fix it when/if we get time.

> * when I follow the flow that you suggested I always get redirected to the account page (/auth/realms/{realm}/account) after creating a password and I wasn't able to figure out why (I would have expected to be redirected to the default redirect URL, so to my application)

It doesn't know what app to use as you're initiating this flow from the admin console. If it's done by clicking reset password during login it's done as part of the login flow from your app so it knows what app to redirect to. One option would be to provide an option in the admin console to select where to redirect the user to. However, it can't login the user as part of the flow as the app is required to check the state variable, which it can't as it didn't initiate the flow.

> Cheers!
> Nils > > > > > On Wed, Mar 25, 2015 at 9:49 AM, Stian Thorgersen < stian at redhat.com > wrote: > > > Create a user in admin account, set the users email, click on credentials and > there's an option to send a password reset email. > > ----- Original Message ----- > > From: "Nils Preusker" < n.preusker at gmail.com > > > To: keycloak-user at lists.jboss.org > > Sent: Wednesday, 25 March, 2015 9:43:32 AM > > Subject: [keycloak-user] User Activation > > > > Hi, > > > > I'm wondering whether there is a way to set up user activation so that > > > > * we create a new user via the admin API > > * the account has no credentials (password) and is inactive > > * the user receives an e-mail when the account is created > > * when the user logs in for the first time (following a link in the > > e-mail), > > he is prompted to set up his password and the account is activated > > > > So far I have only been able to get this to work with an initial "default" > > password followed by a prompt to re-set it. I also didn't find a way to > > notify a user of the new account via e-mail. Am I missing something? > > > > Cheers, > > Nils > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From stephenrussett at gmail.com Thu Mar 26 10:43:10 2015 From: stephenrussett at gmail.com (Stephen Russett) Date: Thu, 26 Mar 2015 10:43:10 -0400 Subject: [keycloak-user] Multiple Identity Support? In-Reply-To: <379189764.2306642.1427089770994.JavaMail.zimbra@redhat.com> References: <379189764.2306642.1427089770994.JavaMail.zimbra@redhat.com> Message-ID: Great! Is there any diagrams or documents that show how this will work? Will there be a way to group attributes in a hierarchy? 
Example:

{Identity1 => { Attribute1.1 => "xxxxxxxxx", Attribute1.2 => "xxxxxxxxx", Attribute1.3 => "xxxxxxxxx", }, Identity2 => { Attribute2.1 => "xxxxxxxxx", Attribute2.2 => "xxxxxxxxx", Attribute2.3 => "xxxxxxxxx", } }

From this you would be able to tell the protocol mappers to use attributes from IdentityX, and you would be able to group these attributes in the UI so you do not have to create N number of fields with labels and system names such as: application1.FirstName, application2.FirstName, application3.FirstName.

Thanks

From: Stian Thorgersen
Reply: Stian Thorgersen
Date: March 23, 2015 at 1:49:33 AM
To: Stephen Russett
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Multiple Identity Support?

Yes, in 1.2.0.Beta1 which will be released soon we'll have support for protocol mappers. Protocol mappers allow you to define exactly what attributes go into the access token and id token for each application.

----- Original Message -----
> From: "Stephen Russett"
> To: keycloak-user at lists.jboss.org
> Sent: Sunday, 22 March, 2015 9:10:22 PM
> Subject: [keycloak-user] Multiple Identity Support?
>
> Hi
>
> Is there support for handling multiple identities for a single user? If so, is there a video or write up explaining how this is handled?
>
> Example use case:
>
> You have your user profile (with multiple Identities) that is associated with KC. KC is connected to three systems. When you log into System 1, you use Identity A, and when you log into System 2, you use Identity B, and when you log into System 3, you use Identity C.
> The different identities are due to the need for the user wanting to share specific information depending on the system they are logging into.
> This openID connect video has a great intro that outlines the use case for multiple identities: https://www.youtube.com/watch?v=Kb56GzQ2pSk
>
> Thanks.
> Stephen

From thiago.addevico at gmail.com Thu Mar 26 15:10:07 2015
From: thiago.addevico at gmail.com (Thiago Presa)
Date: Thu, 26 Mar 2015 16:10:07 -0300
Subject: [keycloak-user] Application Management
In-Reply-To:
References: <235824875.3863019.1427201098648.JavaMail.zimbra@redhat.com>
Message-ID:

So I've spent the last couple of days playing with the source. :-)

The current authorization mechanism is based on Realm/RealmApp i.e. whenever an API resource is called, check if the User has the required Right (manage, any, view) in the resource's Realm/RealmApp.

Consider, for example, the URI /admin/realms/{realm}/applications-by-id/{app-name}/roles/{role-name}. What I was trying to do is to create a permission for {app-name} so that this API call wouldn't require any Realm/RealmApp right.

The problem I see is that this API call triggers many methods (i.e. AdminRoot#getRealmsAdmin, RealmsAdminResource#getRealmAdmin, RealmAdminResource#getApplicationsById, and so on...), and at those methods there is not enough information to figure out whether this is:

1- An app-specific call and thus should be authorized even without realm authorization, or;
2- Not an app-specific call and thus should be properly authorized by Realm/RealmApp.

Even in the case of (1), the information on which app I should check for authorization is not available.

So it seems to me that this resource-loading mechanism presupposes an authorization mechanism that checks only against the realm for permission, and changing this seems daunting to me.

Do you guys have any idea on a more local change I could make to achieve the intended behavior?
On Tue, Mar 24, 2015 at 2:33 PM, Thiago Presa wrote:
> OK, agreed. We thought this out of consistency, but if that's not a good design we surely can consider a better one.
>
> On Tue, Mar 24, 2015 at 9:44 AM, Stian Thorgersen wrote:
>
>> ----- Original Message -----
>> > From: "Thiago Presa"
>> > To: stian at redhat.com
>> > Cc: keycloak-user at lists.jboss.org
>> > Sent: Tuesday, 24 March, 2015 1:41:16 PM
>> > Subject: Re: [keycloak-user] Application Management
>> >
>> > Hi there,
>> >
>> > I'm Alex's coworker and I'll be working on this too.
>> >
>> > We were just discussing your idea, and it seems to fit our requirements.
>> >
>> > As far as we have seen, keycloak already has a realm-admin concept. Whenever a realm "R" is created, it creates a R-realm application with a bunch of default roles (manage-users, manage-roles, etc.) into the realm master.
>> >
>> > We are currently thinking if we could mimic this structure for applications. What do you think?
>>
>> It's already messy with the way I modelled it and adding the same for applications would be even worse. I don't see why that's needed though if we'd add what I proposed.
>>
>> > > I had an idea a while back that is a simple way to achieve what you're asking for. The idea would be to only allow an admin to grant roles that the admin has access to.
>> >
>> > > Basically:
>> > > * A user with admin (super user) role can grant any roles (we would need to add a per-realm super user role)
>> > > * A user with the role manage-users and some roles on app1 can only grant other users the roles on app1
>> > > * A user with the role manage-users and some roles on app2 can only grant other users the roles on app2
>> > >
>> > > This is something we should add in either case (to prevent users granting themselves more access). Would it solve your problems?

From leonardo.zanivan at gmail.com Thu Mar 26 18:44:21 2015
From: leonardo.zanivan at gmail.com (Leonardo Loch Zanivan)
Date: Thu, 26 Mar 2015 22:44:21 +0000
Subject: [keycloak-user] Application Management
In-Reply-To:
References: <235824875.3863019.1427201098648.JavaMail.zimbra@redhat.com>
Message-ID:

It would be nice if KeyCloak could share applications across realms in a SaaS multi-tenant approach. Currently we need to use REST API to synchronize app definitions.

On Thu, Mar 26, 2015 at 4:10 PM Thiago Presa wrote:
> So I've spent the last couple of days playing with the source. :-)
>
> The current authorization mechanism is based on Realm/RealmApp i.e. whenever an API resource is called, check if the User has the required Right (manage, any, view) in the resource's Realm/RealmApp.
>
> Consider, for example, the URI /admin/realms/{realm}/applications-by-id/{app-name}/roles/{role-name}. What I was trying to do is to create a permission for {app-name} so that this API call wouldn't require any Realm/RealmApp right.
>
> The problem I see is that this API call triggers many methods (i.e. AdminRoot#getRealmsAdmin, RealmsAdminResource#getRealmAdmin, RealmAdminResource#getApplicationsById, and so on...), and at those methods there is not enough information to figure out whether this is:
>
> 1- An app-specific call and thus should be authorized even without realm authorization, or;
> 2- Not an app-specific call and thus should be properly authorized by Realm/RealmApp.
>
> Even in the case of (1), the information on which app I should check for authorization is not available.
>
> So it seems to me that this resource-loading mechanism presupposes an authorization mechanism that checks only against the realm for permission, and changing this seems daunting to me.
>
> Do you guys have any idea on a more local change I could make to achieve the intended behavior?
>
> On Tue, Mar 24, 2015 at 2:33 PM, Thiago Presa wrote:
>
>> OK, agreed. We thought this out of consistency, but if that's not a good design we surely can consider a better one.
>>
>> On Tue, Mar 24, 2015 at 9:44 AM, Stian Thorgersen wrote:
>>
>>> ----- Original Message -----
>>> > From: "Thiago Presa"
>>> > To: stian at redhat.com
>>> > Cc: keycloak-user at lists.jboss.org
>>> > Sent: Tuesday, 24 March, 2015 1:41:16 PM
>>> > Subject: Re: [keycloak-user] Application Management
>>> >
>>> > Hi there,
>>> >
>>> > I'm Alex's coworker and I'll be working on this too.
>>> >
>>> > We were just discussing your idea, and it seems to fit our requirements.
>>> >
>>> > As far as we have seen, keycloak already has a realm-admin concept. Whenever a realm "R" is created, it creates a R-realm application with a bunch of default roles (manage-users, manage-roles, etc.) into the realm master.
>>> >
>>> > We are currently thinking if we could mimic this structure for applications. What do you think?
>>>
>>> It's already messy with the way I modelled it and adding the same for applications would be even worse. I don't see why that's needed though if we'd add what I proposed.
>>>
>>> > > I had an idea a while back that is a simple way to achieve what you're asking for. The idea would be to only allow an admin to grant roles that the admin has access to.
>>> >
>>> > > Basically:
>>> > > * A user with admin (super user) role can grant any roles (we would need to add a per-realm super user role)
>>> > > * A user with the role manage-users and some roles on app1 can only grant other users the roles on app1
>>> > > * A user with the role manage-users and some roles on app2 can only grant other users the roles on app2
>>> > >
>>> > > This is something we should add in either case (to prevent users granting themselves more access). Would it solve your problems?

From stian at redhat.com Fri Mar 27 00:58:41 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 27 Mar 2015 00:58:41 -0400 (EDT)
Subject: [keycloak-user] Application Management
In-Reply-To:
References: <235824875.3863019.1427201098648.JavaMail.zimbra@redhat.com>
Message-ID: <596874598.6524658.1427432321791.JavaMail.zimbra@redhat.com>

Well, yes.. I told you it was a bit rubbish and would need some re-design to implement more fine grained permissions. Doing that is a relatively big task and is not a high priority for us ATM.

I'm a bit confused by this email as I proposed a simple solution that would resolve your requirements. If an admin can only grant permissions that admin has access to all you have to do is to create an admin that can only access roles for certain applications and your problem should be solved. That's a simple solution that we can add soon.
----- Original Message -----
> From: "Thiago Presa"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Thursday, 26 March, 2015 8:10:07 PM
> Subject: Re: [keycloak-user] Application Management
>
> So I've spent the last couple of days playing with the source. :-)
>
> The current authorization mechanism is based on Realm/RealmApp i.e. whenever an API resource is called, check if the User has the required Right (manage, any, view) in the resource's Realm/RealmApp.
>
> Consider, for example, the URI /admin/realms/{realm}/applications-by-id/{app-name}/roles/{role-name}. What I was trying to do is to create a permission for {app-name} so that this API call wouldn't require any Realm/RealmApp right.
>
> The problem I see is that this API call triggers many methods (i.e. AdminRoot#getRealmsAdmin, RealmsAdminResource#getRealmAdmin, RealmAdminResource#getApplicationsById, and so on...), and at those methods there is not enough information to figure out whether this is:
>
> 1- An app-specific call and thus should be authorized even without realm authorization, or;
> 2- Not an app-specific call and thus should be properly authorized by Realm/RealmApp.
>
> Even in the case of (1), the information on which app I should check for authorization is not available.
>
> So it seems to me that this resource-loading mechanism presupposes an authorization mechanism that checks only against the realm for permission, and changing this seems daunting to me.
>
> Do you guys have any idea on a more local change I could make to achieve the intended behavior?
>
> On Tue, Mar 24, 2015 at 2:33 PM, Thiago Presa wrote:
>
> > OK, agreed. We thought this out of consistency, but if that's not a good design we surely can consider a better one.
> >
> > On Tue, Mar 24, 2015 at 9:44 AM, Stian Thorgersen wrote:
> >
> >> ----- Original Message -----
> >> > From: "Thiago Presa"
> >> > To: stian at redhat.com
> >> > Cc: keycloak-user at lists.jboss.org
> >> > Sent: Tuesday, 24 March, 2015 1:41:16 PM
> >> > Subject: Re: [keycloak-user] Application Management
> >> >
> >> > Hi there,
> >> >
> >> > I'm Alex's coworker and I'll be working on this too.
> >> >
> >> > We were just discussing your idea, and it seems to fit our requirements.
> >> >
> >> > As far as we have seen, keycloak already has a realm-admin concept. Whenever a realm "R" is created, it creates a R-realm application with a bunch of default roles (manage-users, manage-roles, etc.) into the realm master.
> >> >
> >> > We are currently thinking if we could mimic this structure for applications. What do you think?
> >>
> >> It's already messy with the way I modelled it and adding the same for applications would be even worse. I don't see why that's needed though if we'd add what I proposed.
> >>
> >> > > I had an idea a while back that is a simple way to achieve what you're asking for. The idea would be to only allow an admin to grant roles that the admin has access to.
> >> >
> >> > > Basically:
> >> > > * A user with admin (super user) role can grant any roles (we would need to add a per-realm super user role)
> >> > > * A user with the role manage-users and some roles on app1 can only grant other users the roles on app1
> >> > > * A user with the role manage-users and some roles on app2 can only grant other users the roles on app2
> >> > >
> >> > > This is something we should add in either case (to prevent users granting themselves more access). Would it solve your problems?

From thiago.addevico at gmail.com Fri Mar 27 09:01:56 2015
From: thiago.addevico at gmail.com (Thiago Presa)
Date: Fri, 27 Mar 2015 10:01:56 -0300
Subject: [keycloak-user] Application Management
In-Reply-To: <596874598.6524658.1427432321791.JavaMail.zimbra@redhat.com>
References: <235824875.3863019.1427201098648.JavaMail.zimbra@redhat.com> <596874598.6524658.1427432321791.JavaMail.zimbra@redhat.com>
Message-ID:

Ah, yes, I didn't understand your proposal properly. Wouldn't giving manage-users to app-admins cause trouble, since app-admins could create and modify user accounts?

On Fri, Mar 27, 2015 at 1:58 AM, Stian Thorgersen wrote:
> Well, yes.. I told you it was a bit rubbish and would need some re-design to implement more fine grained permissions. Doing that is a relatively big task and is not a high priority for us ATM.
>
> I'm a bit confused by this email as I proposed a simple solution that would resolve your requirements. If an admin can only grant permissions that admin has access to all you have to do is to create an admin that can only access roles for certain applications and your problem should be solved. That's a simple solution that we can add soon.
>
> ----- Original Message -----
> > From: "Thiago Presa"
> > To: "Stian Thorgersen"
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Thursday, 26 March, 2015 8:10:07 PM
> > Subject: Re: [keycloak-user] Application Management
> >
> > So I've spent the last couple of days playing with the source. :-)
> >
> > The current authorization mechanism is based on Realm/RealmApp i.e. whenever an API resource is called, check if the User has the required Right (manage, any, view) in the resource's Realm/RealmApp.
> >
> > Consider, for example, the URI /admin/realms/{realm}/applications-by-id/{app-name}/roles/{role-name}. What I was trying to do is to create a permission for {app-name} so that this API call wouldn't require any Realm/RealmApp right.
> >
> > The problem I see is that this API call triggers many methods (i.e. AdminRoot#getRealmsAdmin, RealmsAdminResource#getRealmAdmin, RealmAdminResource#getApplicationsById, and so on...), and at those methods there is not enough information to figure out whether this is:
> >
> > 1- An app-specific call and thus should be authorized even without realm authorization, or;
> > 2- Not an app-specific call and thus should be properly authorized by Realm/RealmApp.
> >
> > Even in the case of (1), the information on which app I should check for authorization is not available.
> >
> > So it seems to me that this resource-loading mechanism presupposes an authorization mechanism that checks only against the realm for permission, and changing this seems daunting to me.
> >
> > Do you guys have any idea on a more local change I could make to achieve the intended behavior?
> >
> > On Tue, Mar 24, 2015 at 2:33 PM, Thiago Presa wrote:
> >
> > > OK, agreed. We thought this out of consistency, but if that's not a good design we surely can consider a better one.
> > >
> > > On Tue, Mar 24, 2015 at 9:44 AM, Stian Thorgersen wrote:
> > >
> > >> ----- Original Message -----
> > >> > From: "Thiago Presa"
> > >> > To: stian at redhat.com
> > >> > Cc: keycloak-user at lists.jboss.org
> > >> > Sent: Tuesday, 24 March, 2015 1:41:16 PM
> > >> > Subject: Re: [keycloak-user] Application Management
> > >> >
> > >> > Hi there,
> > >> >
> > >> > I'm Alex's coworker and I'll be working on this too.
> > >> >
> > >> > We were just discussing your idea, and it seems to fit our requirements.
> > >> >
> > >> > As far as we have seen, keycloak already has a realm-admin concept. Whenever a realm "R" is created, it creates a R-realm application with a bunch of default roles (manage-users, manage-roles, etc.) into the realm master.
> > >> >
> > >> > We are currently thinking if we could mimic this structure for applications. What do you think?
> > >>
> > >> It's already messy with the way I modelled it and adding the same for applications would be even worse. I don't see why that's needed though if we'd add what I proposed.
> > >>
> > >> > > I had an idea a while back that is a simple way to achieve what you're asking for. The idea would be to only allow an admin to grant roles that the admin has access to.
> > >> >
> > >> > > Basically:
> > >> > > * A user with admin (super user) role can grant any roles (we would need to add a per-realm super user role)
> > >> > > * A user with the role manage-users and some roles on app1 can only grant other users the roles on app1
> > >> > > * A user with the role manage-users and some roles on app2 can only grant other users the roles on app2
> > >> > >
> > >> > > This is something we should add in either case (to prevent users granting themselves more access). Would it solve your problems?
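The delegation rule Stian proposes in the quoted text above (a super user may grant any role; any other admin needs manage-users and may hand out only roles they hold themselves, so nobody can raise a user, including themself, above their own level) as a small Python model. This is an added example, not Keycloak code: the role names "admin" and "manage-users", the app1/app2 sample data and the mapping from the admin REST path quoted in the thread to an application-scoped role are constructed here.

```python
"""Model of the 'grant only what you hold' rule from the thread.

Constructed example, not Keycloak code. Role names and sample users are
assumptions chosen to mirror the app1/app2 discussion.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

SUPER_USER = "admin"           # per-realm super-user role (name assumed)
MANAGE_USERS = "manage-users"  # realm-admin role named in the thread

# Admin REST path quoted in the thread: {realm}, {app-name}, {role-name}
ROLE_PATH = re.compile(
    r"^/admin/realms/(?P<realm>[^/]+)/applications-by-id/"
    r"(?P<app>[^/]+)/roles/(?P<role>[^/]+)$"
)


@dataclass(frozen=True)
class Role:
    """A realm-level role (app is None) or a role scoped to one application."""
    name: str
    app: Optional[str] = None


@dataclass(frozen=True)
class User:
    username: str
    roles: FrozenSet[Role]

    def has(self, role: Role) -> bool:
        return role in self.roles

    def is_super_user(self) -> bool:
        return self.has(Role(SUPER_USER))


def parse_role_path(path: str) -> Tuple[str, Role]:
    """Map the admin REST path to (realm, app-scoped role); reject anything else."""
    m = ROLE_PATH.match(path)
    if not m:
        raise ValueError(f"not an application role path: {path}")
    return m.group("realm"), Role(m.group("role"), m.group("app"))


def grant_denials(admin: User, requested: FrozenSet[Role]) -> List[str]:
    """Return the reasons the grant must be refused; an empty list means allowed.

    Super user: anything goes. Everyone else needs manage-users and may only
    hand out roles they hold, which blocks escalation of self or others.
    """
    if admin.is_super_user():
        return []
    reasons: List[str] = []
    if not admin.has(Role(MANAGE_USERS)):
        reasons.append(f"{admin.username} lacks {MANAGE_USERS}")
    for role in sorted(requested, key=lambda r: (r.app or "", r.name)):
        if not admin.has(role):
            scope = role.app or "realm"
            reasons.append(f"{admin.username} does not hold {scope}:{role.name}")
    return reasons


def grant(admin: User, target: User, requested: FrozenSet[Role]) -> User:
    """Apply the grant and return the updated target, or raise PermissionError."""
    denials = grant_denials(admin, requested)
    if denials:
        raise PermissionError("; ".join(denials))
    return User(target.username, target.roles | requested)


# Constructed sample data mirroring the app1/app2 example in the thread
APP1_USER = Role("user", "app1")
APP1_ADMIN = Role("admin", "app1")
APP2_USER = Role("user", "app2")
APP1_OPERATOR = User("app1-operator",
                     frozenset({Role(MANAGE_USERS), APP1_USER, APP1_ADMIN}))
REALM_ADMIN = User("realm-admin", frozenset({Role(SUPER_USER)}))
ALICE = User("alice", frozenset())

if __name__ == "__main__":
    realm, role = parse_role_path(
        "/admin/realms/demo/applications-by-id/app1/roles/user")
    print(realm, role, grant_denials(APP1_OPERATOR, frozenset({role})))
    print(grant_denials(APP1_OPERATOR, frozenset({APP2_USER})))
    print(grant_denials(APP1_OPERATOR, frozenset({Role(SUPER_USER)})))
    print(grant_denials(REALM_ADMIN, frozenset({APP2_USER})))
```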
From stian at redhat.com Fri Mar 27 09:51:04 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 27 Mar 2015 09:51:04 -0400 (EDT)
Subject: [keycloak-user] Application Management
In-Reply-To:
References: <235824875.3863019.1427201098648.JavaMail.zimbra@redhat.com> <596874598.6524658.1427432321791.JavaMail.zimbra@redhat.com>
Message-ID: <1915332308.6796315.1427464264502.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Thiago Presa"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Friday, 27 March, 2015 2:01:56 PM
> Subject: Re: [keycloak-user] Application Management
>
> Ah, yes, I didn't understand your proposal properly. Wouldn't giving manage-users to app-admins cause trouble, since app-admins could create and modify user accounts?

Whether or not it's causing trouble depends on your requirements, but yes, they could create and modify user accounts, but not grant more privileges. If you need to go beyond this one alternative is to wrap the admin endpoints in your own application. We've just got so much on our plate at the moment that we can't provide this level of control on permissions.

> On Fri, Mar 27, 2015 at 1:58 AM, Stian Thorgersen wrote:
>
> > Well, yes.. I told you it was a bit rubbish and would need some re-design to implement more fine grained permissions. Doing that is a relatively big task and is not a high priority for us ATM.
> >
> > I'm a bit confused by this email as I proposed a simple solution that would resolve your requirements. If an admin can only grant permissions that admin has access to all you have to do is to create an admin that can only access roles for certain applications and your problem should be solved. That's a simple solution that we can add soon.
> >
> > ----- Original Message -----
> > > From: "Thiago Presa"
> > > To: "Stian Thorgersen"
> > > Cc: keycloak-user at lists.jboss.org
> > > Sent: Thursday, 26 March, 2015 8:10:07 PM
> > > Subject: Re: [keycloak-user] Application Management
> > >
> > > So I've spent the last couple of days playing with the source. :-)
> > >
> > > The current authorization mechanism is based on Realm/RealmApp i.e. whenever an API resource is called, check if the User has the required Right (manage, any, view) in the resource's Realm/RealmApp.
> > >
> > > Consider, for example, the URI /admin/realms/{realm}/applications-by-id/{app-name}/roles/{role-name}. What I was trying to do is to create a permission for {app-name} so that this API call wouldn't require any Realm/RealmApp right.
> > >
> > > The problem I see is that this API call triggers many methods (i.e. AdminRoot#getRealmsAdmin, RealmsAdminResource#getRealmAdmin, RealmAdminResource#getApplicationsById, and so on...), and at those methods there is not enough information to figure out whether this is:
> > >
> > > 1- An app-specific call and thus should be authorized even without realm authorization, or;
> > > 2- Not an app-specific call and thus should be properly authorized by Realm/RealmApp.
> > >
> > > Even in the case of (1), the information on which app I should check for authorization is not available.
> > >
> > > So it seems to me that this resource-loading mechanism presupposes an authorization mechanism that checks only against the realm for permission, and changing this seems daunting to me.
> > >
> > > Do you guys have any idea on a more local change I could make to achieve the intended behavior?
> > >
> > > On Tue, Mar 24, 2015 at 2:33 PM, Thiago Presa wrote:
> > >
> > > > OK, agreed. We thought this out of consistency, but if that's not a good design we surely can consider a better one.
> > > >
> > > > On Tue, Mar 24, 2015 at 9:44 AM, Stian Thorgersen wrote:
> > > >
> > > >> ----- Original Message -----
> > > >> > From: "Thiago Presa"
> > > >> > To: stian at redhat.com
> > > >> > Cc: keycloak-user at lists.jboss.org
> > > >> > Sent: Tuesday, 24 March, 2015 1:41:16 PM
> > > >> > Subject: Re: [keycloak-user] Application Management
> > > >> >
> > > >> > Hi there,
> > > >> >
> > > >> > I'm Alex's coworker and I'll be working on this too.
> > > >> >
> > > >> > We were just discussing your idea, and it seems to fit our requirements.
> > > >> >
> > > >> > As far as we have seen, keycloak already has a realm-admin concept. Whenever a realm "R" is created, it creates a R-realm application with a bunch of default roles (manage-users, manage-roles, etc.) into the realm master.
> > > >> >
> > > >> > We are currently thinking if we could mimic this structure for applications. What do you think?
> > > >>
> > > >> It's already messy with the way I modelled it and adding the same for applications would be even worse. I don't see why that's needed though if we'd add what I proposed.
> > > >>
> > > >> > > I had an idea a while back that is a simple way to achieve what you're asking for. The idea would be to only allow an admin to grant roles that the admin has access to.
> > > >> >
> > > >> > > Basically:
> > > >> > > * A user with admin (super user) role can grant any roles (we would need to add a per-realm super user role)
> > > >> > > * A user with the role manage-users and some roles on app1 can only grant other users the roles on app1
> > > >> > > * A user with the role manage-users and some roles on app2 can only grant other users the roles on app2
> > > >> > >
> > > >> > > This is something we should add in either case (to prevent users granting themselves more access). Would it solve your problems?

From chenkeong.yap at izeno.com Sat Mar 28 22:08:23 2015
From: chenkeong.yap at izeno.com (Chen Keong Yap)
Date: Sun, 29 Mar 2015 10:08:23 +0800
Subject: [keycloak-user] Keycloak sp filter
In-Reply-To: <54FDE034.50806@redhat.com>
References: <54F5D70F.2030309@redhat.com> <54F700B4.7020509@redhat.com> <54F70C21.3030701@redhat.com> <54F720F3.90204@redhat.com> <54FDE034.50806@redhat.com>
Message-ID:

Hi bill,

Please advise when the patch for logout will be released? Can you share what is with the logout?

On Mar 10, 2015 2:02 AM, "Bill Burke" wrote:
> I fixed some bugs around logout in 1.2, master git, but we're not releasing this for a few weeks. I don't know if that is your problem or not. I have not yet been able to take the time to reproduce your problems on 1.1 yet.
>
> On 3/8/2015 9:53 PM, Chen Keong Yap wrote:
>
>> hi bill,
>>
>> can you advise regarding the global sign out issue?
>>
>> On Thu, Mar 5, 2015 at 9:29 AM, Chen Keong Yap wrote:
>>
>> hi bill,
>>
>> Thanks for the solution given and it has resolved the first issue (login to the app via pl sp filter but the login session cannot be seen in keycloak admin console)
>>
>> However now there are a few more issues with single sign out.
>>
>> a) When i click on the global logout link (http://localhost:8080/employee/?GLO=true), the page just did a self refresh and it's not redirected to keycloak login page. I can see the keycloak session was gone from the keycloak admin console but the sample employee session is still there.
>>
>> b) When i click on the local logout link (http://localhost:8080/employee/?LLO=true), the page just did a self refresh and it's not redirected to keycloak login page. I can see the keycloak session is still in the keycloak admin console but the sample employee session is still there.
>>
>> c) When i click on the logout link (http://localhost:8080/employee/logout.jsp), the page just did a self refresh and it's not redirected to keycloak login page. I noticed the keycloak session is still in the keycloak admin console but the sample employee session is still there. Just wondering do i need to implement session.invalidate() in the logout.jsp but how to invalidate the keycloak session?
>>
>> On Wed, Mar 4, 2015 at 11:12 PM, Bill Burke wrote:
>>
>> Ok, I may have diagnosed the problem. Go to the admin console. Go to the definition of your application. Look at the Admin Url. Does it have a "/" at the end of the URL? If not, add a '/' at the end of this.
>>
>> i.e.
>>
>> http://somhere.com/app/
>>
>> If that solves the issue, let me know and I'll explain what is going on. FYI, I ran into the same problem running the SAML example in the distro and this fixed the problem.
>>
>> On 3/4/2015 9:07 AM, Chen Keong Yap wrote:
>>
>> Hi bill,
>>
>> If i understand from you correctly, PL SAML SP and keycloak adapters are the same and referring to below items.
>>
>> Tomcat 6, 7, 8
>> Jetty 8, 9
>> EAP 6.x
>> Wildfly
>> Node.js
>> Browser Javascript adapter.
>>
>> So far i have tested PL SAML SP filter using the following libs and it got the same 2 issues that were mentioned in the previous email.
>>
>> Picketlink lib : Picketlink 2.70 cr2, picketlink 2.5.3 (commercial)
>>
>> keycloak lib : keycloak 1.1.0 final, keycloak 1.1.0 beta 2
>>
>> On Mar 4, 2015 9:44 PM, "Bill Burke" wrote:
>>
>> Our testsuite uses PL SAML SP, not the filter though, and it works fine. I'd have to recreate the problem using the PL SAML SP filter.
>>
>> On 3/4/2015 8:04 AM, Chen Keong Yap wrote:
>>
>> Hi bill,
>>
>> Yup. I have configured the app in keycloak admin console. However i encountered 2 issues.
>>
>> First issue is that i was able to login to the app via pl sp filter but the login session cannot be seen in keycloak admin console
>>
>> Second issue is that global logout was not working and the landing page just did a self refresh.
>>
>> On Mar 4, 2015 8:55 PM, "Bill Burke" wrote:
>>
>> You can still use the PL Filter SP. Just configure the application in the admin console to use SAML.
>>
>> On 3/3/2015 11:36 PM, Chen Keong Yap wrote:
>>
>> Hi bill,
>>
>> the existing adapters cannot support jboss eap 5.0.2 and websphere 8.5 and we are not allowed to use keycloak proxy.
>>
>> can you suggest any other alternative similar to picketlink sp filter?
>>
>> On Tue, Mar 3, 2015 at 11:45 PM, Bill Burke wrote:
>>
>> There is no Keycloak SP filter. We have various adapters for different platforms that hook into servlet security to make integration seamless:
>>
>> Tomcat 6, 7, 8
>> Jetty 8, 9
>> EAP 6.x
>> Wildfly
>> Node.js
>> Browser Javascript adapter.
>>
>> On 3/2/2015 10:22 PM, Chen Keong Yap wrote:
>> > Hi,
>> >
>> > Please share some lights for implementing Keycloak sp filter which is similar to picketlink sp filter.
>> >
>> > org.picketlink.identity.federation.web.filters.SPFilter
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
>> --
>> Best Regards,
>>
>> CK Yap
>> Technology Consultant
>>
>> Tel: +65 6100 2788
>> Fax: +65 6233 9376
>>
>> iZeno Pte Ltd
>> 72 Bendemeer Road
>> Luzerne #05-28
>> Singapore 339941
>>
>> This communication contains information which may be confidential or privileged. The information is intended solely for the use of the individual or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this communication in error, please notify me by telephone immediately.
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150329/1abe4d4a/attachment-0001.html

From thorsten315 at gmx.de Mon Mar 30 06:53:33 2015
From: thorsten315 at gmx.de (Thorsten)
Date: Mon, 30 Mar 2015 12:53:33 +0200
Subject: [keycloak-user] How to map Google groups to a token (e.g. as roles)?
Message-ID:

I was wondering if it is somehow possible to map group memberships from Google hosted domains into Keycloak (e.g. as roles into an idtoken)?

This would be great since we already have been using groups in Google to perform authorization in some apps so I know how to get them from the Google API. I am already using the social provider for authentication so I was wondering what SPI implementation or configuration/customization I'd need to do in order to get this done.

Any pointers where to start would be very helpful. I am building Keycloak from github "master".

Thanks

Thorsten
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150330/ae25866b/attachment.html

From stian at redhat.com Mon Mar 30 07:09:14 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 30 Mar 2015 07:09:14 -0400 (EDT)
Subject: [keycloak-user] How to map Google groups to a token (e.g. as roles)?
In-Reply-To:
References:
Message-ID: <1006989900.8215522.1427713754041.JavaMail.zimbra@redhat.com>

It's not yet possible, but we plan to support this in a future release by allowing mapping claims from external tokens

----- Original Message -----
> From: "Thorsten"
> To: keycloak-user at lists.jboss.org
> Sent: Monday, 30 March, 2015 12:53:33 PM
> Subject: [keycloak-user] How to map Google groups to a token (e.g. as roles)?
>
> I was wondering if it is somehow possible to map group memberships from Google hosted domains into Keycloak (e.g. as roles into an idtoken)?
>
> This would be great since we already have been using groups in Google to perform authorization in some apps so I know how to get them from the Google API. I am already using the social provider for authentication so I was wondering what SPI implementation or configuration/customization I'd need to do in order to get this done.
> Any pointers where to start would be very helpful. I am building Keycloak from github "master".
>
> Thanks
>
> Thorsten
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From Henk.Laracker at planonsoftware.com Mon Mar 30 09:45:26 2015
From: Henk.Laracker at planonsoftware.com (Henk Laracker)
Date: Mon, 30 Mar 2015 15:45:26 +0200
Subject: [keycloak-user] ERROR: failed verification of token
Message-ID:

Hi,

I have tomcat with the keycloak libraries installed under the domain https://cust001-accdev.planoncloud.com
Keycloak itself is installed on OpenShift Online http://keycloak-ciwwa.rhcloud.com/auth/

When I go to my application the redirect works fine, I can log in and I'm pointed back to my original url. At that moment, an exception is shown in the catalina.log

==> planon/logs/catalina.out <==
Mar 30, 2015 1:07:47 PM org.keycloak.adapters.OAuthRequestAuthenticator resolveCode
ERROR: failed verification of token

I had a quick look at the code, but I have no clue how to solve this. The keycloak.json is pointing to the right server with the correct keys.

Any ideas?

Met vriendelijke groet / Yours sincerely / Mit freundlichen Grüßen / Très cordialement,

Henk Laracker
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150330/34429e43/attachment.html

From chenkeong.yap at izeno.com Mon Mar 30 10:05:32 2015
From: chenkeong.yap at izeno.com (Chen Keong Yap)
Date: Mon, 30 Mar 2015 22:05:32 +0800
Subject: [keycloak-user] Keycloak session attribute
Message-ID:

Hi,

I was trying to set a session attribute using custom filter and retrieve it from login.ftl with no success and the session attribute value is null. Any advice?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150330/ba27a842/attachment.html

From stian at redhat.com Mon Mar 30 10:10:25 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 30 Mar 2015 10:10:25 -0400 (EDT)
Subject: [keycloak-user] Keycloak session attribute
In-Reply-To:
References:
Message-ID: <592578733.8390016.1427724625210.JavaMail.zimbra@redhat.com>

HTTP session? Keycloak doesn't use HTTP sessions. Nor do we currently provide access to HTTP request details in templates.

If you explain what you're trying to achieve rather than how you're trying to do it we might be more able to help.

----- Original Message -----
> From: "Chen Keong Yap"
> To: keycloak-user at lists.jboss.org
> Sent: Monday, 30 March, 2015 4:05:32 PM
> Subject: [keycloak-user] Keycloak session attribute
>
> Hi,
>
> I was trying to set a session attribute using custom filter and retrieve it from login.ftl with no success and the session attribute value is null. Any advice?
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From chenkeong.yap at izeno.com Mon Mar 30 10:19:24 2015
From: chenkeong.yap at izeno.com (Chen Keong Yap)
Date: Mon, 30 Mar 2015 22:19:24 +0800
Subject: [keycloak-user] Keycloak session attribute
In-Reply-To: <592578733.8390016.1427724625210.JavaMail.zimbra@redhat.com>
References: <592578733.8390016.1427724625210.JavaMail.zimbra@redhat.com>
Message-ID:

Hi,

Ok. We have a requirement to encrypt userid in keycloak using random key and send it to a third party server for authentication. The random key must be stored in a session so that third party server can decrypt the user id.

I just wondering is there any object we can use in keycloak similar to http session?

On Mar 30, 2015 10:10 PM, "Stian Thorgersen" wrote:
> HTTP session? Keycloak doesn't use HTTP sessions. Nor do we currently provide access to HTTP request details in templates.
>
> If you explain what you're trying to achieve rather than how you're trying to do it we might be more able to help.
>
> ----- Original Message -----
> > From: "Chen Keong Yap"
> > To: keycloak-user at lists.jboss.org
> > Sent: Monday, 30 March, 2015 4:05:32 PM
> > Subject: [keycloak-user] Keycloak session attribute
> >
> > Hi,
> >
> > I was trying to set a session attribute using custom filter and retrieve it from login.ftl with no success and the session attribute value is null. Any advice?
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150330/91389ab2/attachment.html

From chenkeong.yap at izeno.com Mon Mar 30 16:42:21 2015
From: chenkeong.yap at izeno.com (Chen Keong Yap)
Date: Tue, 31 Mar 2015 04:42:21 +0800
Subject: [keycloak-user] Keycloak session attribute
In-Reply-To:
References: <592578733.8390016.1427724625210.JavaMail.zimbra@redhat.com>
Message-ID:

Hi stian,

Please advise.

On Mar 30, 2015 10:19 PM, "Chen Keong Yap" wrote:
> Hi,
>
> Ok. We have a requirement to encrypt userid in keycloak using random key and send it to a third party server for authentication. The random key must be stored in a session so that third party server can decrypt the user id.
>
> I just wondering is there any object we can use in keycloak similar to http session?
> On Mar 30, 2015 10:10 PM, "Stian Thorgersen" wrote:
>
>> HTTP session? Keycloak doesn't use HTTP sessions. Nor do we currently provide access to HTTP request details in templates.
>>
>> If you explain what you're trying to achieve rather than how you're trying to do it we might be more able to help.
>>
>> ----- Original Message -----
>> > From: "Chen Keong Yap"
>> > To: keycloak-user at lists.jboss.org
>> > Sent: Monday, 30 March, 2015 4:05:32 PM
>> > Subject: [keycloak-user] Keycloak session attribute
>> >
>> > Hi,
>> >
>> > I was trying to set a session attribute using custom filter and retrieve it from login.ftl with no success and the session attribute value is null. Any advice?
>> >
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150331/44f03de7/attachment-0001.html

From stian at redhat.com Tue Mar 31 02:16:58 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 31 Mar 2015 02:16:58 -0400 (EDT)
Subject: [keycloak-user] Keycloak session attribute
In-Reply-To:
References: <592578733.8390016.1427724625210.JavaMail.zimbra@redhat.com>
Message-ID: <461355930.8878803.1427782618579.JavaMail.zimbra@redhat.com>

If all you need is to send userid to an external server just implement an event listener. Not sure why that would require something like a http session

----- Original Message -----
> From: "Chen Keong Yap"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Monday, 30 March, 2015 4:19:24 PM
> Subject: Re: [keycloak-user] Keycloak session attribute
>
> Hi,
>
> Ok. We have a requirement to encrypt userid in keycloak using random key and send it to a third party server for authentication. The random key must be stored in a session so that third party server can decrypt the user id.
>
> I just wondering is there any object we can use in keycloak similar to http session?
> On Mar 30, 2015 10:10 PM, "Stian Thorgersen" wrote:
>
> > HTTP session? Keycloak doesn't use HTTP sessions. Nor do we currently provide access to HTTP request details in templates.
> >
> > If you explain what you're trying to achieve rather than how you're trying to do it we might be more able to help.
> >
> > ----- Original Message -----
> > > From: "Chen Keong Yap"
> > > To: keycloak-user at lists.jboss.org
> > > Sent: Monday, 30 March, 2015 4:05:32 PM
> > > Subject: [keycloak-user] Keycloak session attribute
> > >
> > > Hi,
> > >
> > > I was trying to set a session attribute using custom filter and retrieve it from login.ftl with no success and the session attribute value is null. Any advice?
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>

From chenkeong.yap at izeno.com Tue Mar 31 02:20:26 2015
From: chenkeong.yap at izeno.com (Chen Keong Yap)
Date: Tue, 31 Mar 2015 14:20:26 +0800
Subject: [keycloak-user] User ID should be used as "user reference" not username
Message-ID:

Hi,

This issue has happened again in the master build.

Can advise which object is causing the issue?

Reference :

https://issues.jboss.org/browse/KEYCLOAK-284
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150331/ff5a3533/attachment.html

From chenkeong.yap at izeno.com Tue Mar 31 02:20:41 2015
From: chenkeong.yap at izeno.com (Chen Keong Yap)
Date: Tue, 31 Mar 2015 14:20:41 +0800
Subject: [keycloak-user] Keycloak session attribute
In-Reply-To: <461355930.8878803.1427782618579.JavaMail.zimbra@redhat.com>
References: <592578733.8390016.1427724625210.JavaMail.zimbra@redhat.com> <461355930.8878803.1427782618579.JavaMail.zimbra@redhat.com>
Message-ID:

thanks stian.

On Tue, Mar 31, 2015 at 2:16 PM, Stian Thorgersen wrote:
> If all you need is to send userid to an external server just implement an event listener. Not sure why that would require something like a http session
>
> ----- Original Message -----
> > From: "Chen Keong Yap"
> > To: "Stian Thorgersen"
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Monday, 30 March, 2015 4:19:24 PM
> > Subject: Re: [keycloak-user] Keycloak session attribute
> >
> > Hi,
> >
> > Ok. We have a requirement to encrypt userid in keycloak using random key and send it to a third party server for authentication. The random key must be stored in a session so that third party server can decrypt the user id.
> >
> > I just wondering is there any object we can use in keycloak similar to http session?
> > On Mar 30, 2015 10:10 PM, "Stian Thorgersen" wrote:
> >
> > > HTTP session? Keycloak doesn't use HTTP sessions. Nor do we currently provide access to HTTP request details in templates.
> > >
> > > If you explain what you're trying to achieve rather than how you're trying to do it we might be more able to help.
> > >
> > > ----- Original Message -----
> > > > From: "Chen Keong Yap"
> > > > To: keycloak-user at lists.jboss.org
> > > > Sent: Monday, 30 March, 2015 4:05:32 PM
> > > > Subject: [keycloak-user] Keycloak session attribute
> > > >
> > > > Hi,
> > > >
> > > > I was trying to set a session attribute using custom filter and retrieve it from login.ftl with no success and the session attribute value is null. Any advice?
> > > >
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150331/a7d67307/attachment.html

From stian at redhat.com Tue Mar 31 02:33:57 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 31 Mar 2015 02:33:57 -0400 (EDT)
Subject: [keycloak-user] User ID should be used as "user reference" not username
In-Reply-To:
References:
Message-ID: <236767452.8883429.1427783637115.JavaMail.zimbra@redhat.com>

Can you please explain what the problem is? That issue is an enhancement, not a bug.

----- Original Message -----
> From: "Chen Keong Yap"
> To: keycloak-user at lists.jboss.org
> Sent: Tuesday, 31 March, 2015 8:20:26 AM
> Subject: [keycloak-user] User ID should be used as "user reference" not username
>
> Hi,
>
> This issue has happened again in the master build.
>
> Can advise which object is causing the issue?
>
> Reference :
>
> https://issues.jboss.org/browse/KEYCLOAK-284
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From kalc04 at gmail.com Tue Mar 31 02:56:10 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Tue, 31 Mar 2015 12:26:10 +0530
Subject: [keycloak-user] API Based Authentication and Access Token Retrieval
Message-ID:

Hi,

Due to the nature of our set of applications that are authenticated against KeyCloak, we have a requirement to access KeyCloak APIs outside of SSO session(s). So the questions are:

1. Seems that all admin APIs are authenticated with the provided access_token (Bearer). Are there any other authentication mechanisms?
2. If not, is there a way for us to get the access_token without going through the browser based login flow? (like a single token provider API which doesn't expect an authorization_code)

Thanks!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150331/2a3679e5/attachment.html

From stian at redhat.com Tue Mar 31 03:03:49 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 31 Mar 2015 03:03:49 -0400 (EDT)
Subject: [keycloak-user] API Based Authentication and Access Token Retrieval
In-Reply-To:
References:
Message-ID: <325554071.8896258.1427785429103.JavaMail.zimbra@redhat.com>

If you're invoking the admin APIs from a Java application have a look at the admin client (http://docs.jboss.org/keycloak/docs/1.1.0.Final/javadocs/org/keycloak/admin/client/Keycloak.html). Otherwise you can obtain a token using the direct grant mechanism, have a look at the admin-client example for that.
----- Original Message -----
> From: "Lohitha Chiranjeewa"
> To: keycloak-user at lists.jboss.org
> Sent: Tuesday, 31 March, 2015 8:56:10 AM
> Subject: [keycloak-user] API Based Authentication and Access Token Retrieval
>
> Hi,
>
> Due to the nature of our set of applications that are authenticated against KeyCloak, we have a requirement to access KeyCloak APIs outside of SSO session(s). So the questions are:
> 1. Seems that all admin APIs are authenticated with the provided access_token (Bearer). Are there any other authentication mechanisms?
> 2. If not, is there a way for us to get the access_token without going through the browser based login flow? (like a single token provider API which doesn't expect an authorization_code)
>
>
> Thanks!
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From chenkeong.yap at izeno.com Tue Mar 31 06:50:16 2015
From: chenkeong.yap at izeno.com (Chen Keong Yap)
Date: Tue, 31 Mar 2015 18:50:16 +0800
Subject: [keycloak-user] User ID should be used as "user reference" not username
In-Reply-To: <236767452.8883429.1427783637115.JavaMail.zimbra@redhat.com>
References: <236767452.8883429.1427783637115.JavaMail.zimbra@redhat.com>
Message-ID:

Hi,

I was using picketlink spfilter for testing and noticed sessionid is assigned to username. We don't have this problem in keycloak 1.1.0 beta2 and this issue only appears starting from keycloak 1.1.0 final and in master build. Kindly advise.

Source :

Principal userPrincipal = (Principal) session.getAttribute(GeneralConstants.PRINCIPAL_ID);
Welcome to the Employee Tool, <%=userPrincipal.getName()%>.

Output :

Welcome to the Employee Tool, G-155d13b0-a69d-4721-8187-cd1a16c90f3c.

On Tue, Mar 31, 2015 at 2:33 PM, Stian Thorgersen wrote:
> Can you please explain what the problem is? That issue is an enhancement, not a bug.
>
> ----- Original Message -----
> > From: "Chen Keong Yap"
> > To: keycloak-user at lists.jboss.org
> > Sent: Tuesday, 31 March, 2015 8:20:26 AM
> > Subject: [keycloak-user] User ID should be used as "user reference" not username
> >
> > Hi,
> >
> > This issue has happened again in the master build.
> >
> > Can advise which object is causing the issue?
> >
> > Reference :
> >
> > https://issues.jboss.org/browse/KEYCLOAK-284
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150331/b30dd833/attachment.html

From leonardo.zanivan at gmail.com Tue Mar 31 07:19:51 2015
From: leonardo.zanivan at gmail.com (Leonardo Loch Zanivan)
Date: Tue, 31 Mar 2015 11:19:51 +0000
Subject: [keycloak-user] User ID should be used as "user reference" not username
In-Reply-To:
References: <236767452.8883429.1427783637115.JavaMail.zimbra@redhat.com>
Message-ID:

Chen,

You could set "principal-attribute" in the adapter config (keycloak.json) as "preferred_username".
https://issues.jboss.org/browse/KEYCLOAK-810

On Tue, Mar 31, 2015 at 7:50 AM Chen Keong Yap wrote:
> Hi,
>
> I was using picketlink spfilter for testing and noticed sessionid is assigned to username. We don't have this problem in keycloak 1.1.0 beta2 and this issue only appears starting from keycloak 1.1.0 final and in master build. Kindly advise.
>
> Source :
>
> Principal userPrincipal = (Principal) session.getAttribute(GeneralConstants.PRINCIPAL_ID);
> Welcome to the Employee Tool, <%=userPrincipal.getName()%>.
>
> Output :
>
> Welcome to the Employee Tool, G-155d13b0-a69d-4721-8187-cd1a16c90f3c.
>
>
> On Tue, Mar 31, 2015 at 2:33 PM, Stian Thorgersen wrote:
>
>> Can you please explain what the problem is? That issue is an enhancement, not a bug.
>>
>> ----- Original Message -----
>> > From: "Chen Keong Yap"
>> > To: keycloak-user at lists.jboss.org
>> > Sent: Tuesday, 31 March, 2015 8:20:26 AM
>> > Subject: [keycloak-user] User ID should be used as "user reference" not username
>> >
>> > Hi,
>> >
>> > This issue has happened again in the master build.
>> >
>> > Can advise which object is causing the issue?
>> >
>> > Reference :
>> >
>> > https://issues.jboss.org/browse/KEYCLOAK-284
>> >
>> >
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150331/f53bb033/attachment-0001.html

From chenkeong.yap at izeno.com Tue Mar 31 07:42:00 2015
From: chenkeong.yap at izeno.com (Chen Keong Yap)
Date: Tue, 31 Mar 2015 19:42:00 +0800
Subject: [keycloak-user] User ID should be used as "user reference" not username
In-Reply-To:
References: <236767452.8883429.1427783637115.JavaMail.zimbra@redhat.com>
Message-ID:

Hi leonardo,

My application is running on websphere app server and the only way to talk to keycloak is to use picketlink spfilter because we are not allowed to use keycloak proxy.

On Mar 31, 2015 7:19 PM, "Leonardo Loch Zanivan" wrote:
> Chen,
>
> You could set "principal-attribute" in the adapter config (keycloak.json) as "preferred_username".
> https://issues.jboss.org/browse/KEYCLOAK-810
>
> On Tue, Mar 31, 2015 at 7:50 AM Chen Keong Yap wrote:
>
>> Hi,
>>
>> I was using picketlink spfilter for testing and noticed sessionid is assigned to username. We don't have this problem in keycloak 1.1.0 beta2 and this issue only appears starting from keycloak 1.1.0 final and in master build. Kindly advise.
>>
>> Source :
>>
>> Principal userPrincipal = (Principal) session.getAttribute(GeneralConstants.PRINCIPAL_ID);
>> Welcome to the Employee Tool, <%=userPrincipal.getName()%>.
>>
>> Output :
>>
>> Welcome to the Employee Tool, G-155d13b0-a69d-4721-8187-cd1a16c90f3c.
>>
>>
>> On Tue, Mar 31, 2015 at 2:33 PM, Stian Thorgersen wrote:
>>
>>> Can you please explain what the problem is? That issue is an enhancement, not a bug.
>>>
>>> ----- Original Message -----
>>> > From: "Chen Keong Yap"
>>> > To: keycloak-user at lists.jboss.org
>>> > Sent: Tuesday, 31 March, 2015 8:20:26 AM
>>> > Subject: [keycloak-user] User ID should be used as "user reference" not username
>>> >
>>> > Hi,
>>> >
>>> > This issue has happened again in the master build.
>>> >
>>> > Can advise which object is causing the issue?
>>> >
>>> > Reference :
>>> >
>>> > https://issues.jboss.org/browse/KEYCLOAK-284
>>> >
>>> >
>>> > _______________________________________________
>>> > keycloak-user mailing list
>>> > keycloak-user at lists.jboss.org
>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150331/dbde43a7/attachment.html

From bburke at redhat.com Tue Mar 31 10:29:07 2015
From: bburke at redhat.com (Bill Burke)
Date: Tue, 31 Mar 2015 10:29:07 -0400
Subject: [keycloak-user] User ID should be used as "user reference" not username
In-Reply-To:
References: <236767452.8883429.1427783637115.JavaMail.zimbra@redhat.com>
Message-ID: <551AAF33.6050307@redhat.com>

You need to configure PL SP Filter correctly. PL SP Filter, by default asks for the "transient" nameid format which is a temporary randomly generated userid that is not stored or associated with the Keycloak session. Other options include:

persistent - randomly generated, but associated with the application
email
unspecified (which Keycloak will send the username instead).

On 3/31/2015 7:42 AM, Chen Keong Yap wrote:
> Hi leonardo,
>
> My application is running on websphere app server and the only way to talk to keycloak is to use picketlink spfilter because we are not allowed to use keycloak proxy.
>
> On Mar 31, 2015 7:19 PM, "Leonardo Loch Zanivan" wrote:
>
> Chen,
>
> You could set "principal-attribute" in the adapter config (keycloak.json) as "preferred_username".
> https://issues.jboss.org/browse/KEYCLOAK-810
>
> On Tue, Mar 31, 2015 at 7:50 AM Chen Keong Yap wrote:
>
> Hi,
>
> I was using picketlink spfilter for testing and noticed sessionid is assigned to username. We don't have this problem in keycloak 1.1.0 beta2 and this issue only appears starting from keycloak 1.1.0 final and in master build. Kindly advise.
>
> Source :
>
> Principal userPrincipal = (Principal) session.getAttribute(GeneralConstants.PRINCIPAL_ID);
> Welcome to the Employee Tool, <%=userPrincipal.getName()%>.
>
> Output :
>
> Welcome to the Employee Tool, G-155d13b0-a69d-4721-8187-cd1a16c90f3c.
>
>
> On Tue, Mar 31, 2015 at 2:33 PM, Stian Thorgersen wrote:
>
> Can you please explain what the problem is? That issue is an enhancement, not a bug.
>
> ----- Original Message -----
> > From: "Chen Keong Yap"
> > To: keycloak-user at lists.jboss.org
> > Sent: Tuesday, 31 March, 2015 8:20:26 AM
> > Subject: [keycloak-user] User ID should be used as "user reference" not username
> >
> > Hi,
> >
> > This issue has happened again in the master build.
> >
> > Can advise which object is causing the issue?
> >
> > Reference :
> >
> > https://issues.jboss.org/browse/KEYCLOAK-284
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From Henk.Laracker at planonsoftware.com Tue Mar 31 11:05:27 2015
From: Henk.Laracker at planonsoftware.com (Henk Laracker)
Date: Tue, 31 Mar 2015 17:05:27 +0200
Subject: [keycloak-user] keycloak openshift cartridge
Message-ID:

Hi,

Can someone explain to me the difference between the two openshift projects in github.

https://github.com/stianst/openshift-keycloak-cartridge/
https://github.com/keycloak/openshift-keycloak-cartridge

I'm curious about the status, the official keycloak openshift cartridge does not show the keycloak interface after deployment, I don't know what I'm doing wrong.
The openshift cartridge of stianst is working but I have problems connecting to it, I keep getting an ERROR: failed verification of token in my local tomcat when trying to use it.

Met vriendelijke groet / Yours sincerely / Mit freundlichen Grüßen / Très cordialement,

Henk Laracker
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150331/a821a005/attachment.html

From stian at redhat.com Tue Mar 31 13:36:53 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 31 Mar 2015 13:36:53 -0400 (EDT)
Subject: [keycloak-user] keycloak openshift cartridge
In-Reply-To:
References:
Message-ID: <1253396268.9347081.1427823413622.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Henk Laracker"
> To: keycloak-user at lists.jboss.org
> Sent: Tuesday, 31 March, 2015 5:05:27 PM
> Subject: [keycloak-user] keycloak openshift cartridge
>
> Hi,
>
> Can someone explain to me the difference between the two openshift projects in github.
>
> https://github.com/stianst/openshift-keycloak-cartridge/

That's my personal fork which I often push snapshots to

>
> https://github.com/keycloak/openshift-keycloak-cartridge

That's the official one and should be working so please give me some more details about your issues

>
> I'm curious about the status, the official keycloak openshift cartridge does not show the keycloak interface after deployment, I don't know what I'm doing wrong.
> The openshift cartridge of stianst is working but I have problems connecting to it, I keep getting an ERROR: failed verification of token in my local tomcat when trying to use it.
> > > > Met vriendelijke groet / Yours sincerely / Mit freundlichen Gr??en / Tr?s > cordialement, > > > > > Henk Laracker > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From Henk.Laracker at planonsoftware.com Tue Mar 31 15:33:56 2015 From: Henk.Laracker at planonsoftware.com (Henk Laracker) Date: Tue, 31 Mar 2015 21:33:56 +0200 Subject: [keycloak-user] keycloak openshift cartridge In-Reply-To: <1253396268.9347081.1427823413622.JavaMail.zimbra@redhat.com> References: <1253396268.9347081.1427823413622.JavaMail.zimbra@redhat.com> Message-ID: On 31/03/15 19:36, "Stian Thorgersen" wrote: > > >----- Original Message ----- >> From: "Henk Laracker" >> To: keycloak-user at lists.jboss.org >> Sent: Tuesday, 31 March, 2015 5:05:27 PM >> Subject: [keycloak-user] keycloak openshift cartridge >> >> Hi, >> >> Can someone explain me the difference between the two openshift >>projects in >> github. >> >> https://github.com/stianst/openshift-keycloak-cartridge/ > >That's my personal fork which I often push snapshots to > >> >> https://github.com/keycloak/openshift-keycloak-cartridge > >That's the official one and should be working so please give me some more >details about your issues It is not tagged (branch) for keycloak 1.1, so I don?t now which version I install of keycloak when I install the master. I don?t like to install the master because the result can change every time. The result of installing the master on open shift online is that I first get a message: Application creation is taking longer than expected. Please wait a few minutes, then refresh this page. After that the application is very short visible but automaticly removed from openshift. De second time I try it works WildFly 8 administrator added. 
    Please make note of these credentials:
    Username: ************
    Password: ************
    run 'rhc port-forward keycloakmaster' to access the web admin area on port 9990.

The result: http://keycloakmaster-ciwwa.rhcloud.com/ is working fine (this is the first time after several attempts over the last days).

Some suggestion, can you add

    Mappings:
    - Frontend: ''
      Backend: ''
      Options: { tohttps: '' }

This will result in automatic redirection to https.

The next step I will try out is to use the new server; I will keep you informed if I get the message "ERROR: failed verification of token" again.

Keep up the good work!

From Henk.Laracker at planonsoftware.com Tue Mar 31 16:52:32 2015
From: Henk.Laracker at planonsoftware.com (Henk Laracker)
Date: Tue, 31 Mar 2015 22:52:32 +0200
Subject: [keycloak-user] keycloak tomcat 7 adapter
Message-ID:

Hi,

I'm using the Keycloak tomcat 7 adapter. I created a sample application which works fine with keycloak. I created a jsp page with the following code

    <% String username = request.getRemoteUser(); %>
    User<%= username %>

I have logged in with the username: supervisor

So I expect the username to be: supervisor

But the result is: 3d5bfb0c-9495-48b8-a11c-2e83097b2f39

What do I do wrong?
Met vriendelijke groet / Yours sincerely / Mit freundlichen Grüßen / Très cordialement,

Henk Laracker

From chenkeong.yap at izeno.com Tue Mar 31 17:06:06 2015
From: chenkeong.yap at izeno.com (Chen Keong Yap)
Date: Wed, 1 Apr 2015 05:06:06 +0800
Subject: [keycloak-user] User ID should be used as "user reference" not username
In-Reply-To: <551AAF33.6050307@redhat.com>
References: <236767452.8883429.1427783637115.JavaMail.zimbra@redhat.com> <551AAF33.6050307@redhat.com>
Message-ID:

Hi Bill,

Thanks for the reply. For option 1, how can we make the random userid associated with the keycloak session?

For option 2, how can we implement this?

Please share your ideas. Thanks

On Mar 31, 2015 10:29 PM, "Bill Burke" wrote:
> You need to configure PL SP Filter correctly. PL SP Filter, by default
> asks for the "transient" nameid format which is a temporary randomly
> generated userid that is not stored or associated with the Keycloak
> session. Other options include:
>
> persistent - randomly generated, but associated with the application
> email
> unspecified (which Keycloak will send the username instead).
>
> On 3/31/2015 7:42 AM, Chen Keong Yap wrote:
> > Hi Leonardo,
> >
> > My application is running on websphere app server and the only way to
> > talk to keycloak is to use picketlink spfilter because we are not
> > allowed to use keycloak proxy.
> >
> > On Mar 31, 2015 7:19 PM, "Leonardo Loch Zanivan" wrote:
> > > Chen,
> > >
> > > You could set "principal-attribute" in the adapter config
> > > (keycloak.json) as "preferred_username".
> > > https://issues.jboss.org/browse/KEYCLOAK-810
> > >
> > > On Tue, Mar 31, 2015 at 7:50 AM Chen Keong Yap wrote:
> > > > Hi,
> > > >
> > > > I was using picketlink spfilter for testing and noticed
> > > > sessionid is assigned to username.
> > > > We don't have this problem in keycloak 1.1.0 beta2 and this issue only
> > > > appears starting from keycloak 1.1.0 final and in master build.
> > > > Kindly advise.
> > > >
> > > > Source :
> > > >
> > > >     <% Principal userPrincipal = (Principal) session.getAttribute(GeneralConstants.PRINCIPAL_ID); %>
> > > >     Welcome to the Employee Tool, <%=userPrincipal.getName()%>.
> > > >
> > > > Output :
> > > >
> > > >     Welcome to the Employee Tool, G-155d13b0-a69d-4721-8187-cd1a16c90f3c.
> > > >
> > > > On Tue, Mar 31, 2015 at 2:33 PM, Stian Thorgersen wrote:
> > > > > Can you please explain what the problem is? That issue is an
> > > > > enhancement, not a bug.
> > > > >
> > > > > ----- Original Message -----
> > > > > > From: "Chen Keong Yap"
> > > > > > To: keycloak-user at lists.jboss.org
> > > > > > Sent: Tuesday, 31 March, 2015 8:20:26 AM
> > > > > > Subject: [keycloak-user] User ID should be used as "user reference" not username
> > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > This issue has happened again in the master build.
> > > > > >
> > > > > > Can you advise which object is causing the issue?
> > > > > >
> > > > > > Reference :
> > > > > >
> > > > > > https://issues.jboss.org/browse/KEYCLOAK-284
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From guydavis.ca at gmail.com Tue Mar 31 17:06:24 2015
From: guydavis.ca at gmail.com (Guy Davis)
Date: Tue, 31 Mar 2015 15:06:24 -0600
Subject: [keycloak-user] keycloak tomcat 7 adapter
In-Reply-To:
References:
Message-ID:

Hi Henk,

In your adapter configuration file, probably keycloak.json in your war's WEB-INF folder, add the following configuration:

    "principal-attribute": "preferred_username"

The docs describe the following choices: sub, preferred_username, email, name, nickname, given_name, family_name

Alternatively, if you cast your request.getPrincipal() to KeycloakPrincipal, then you should be able to get at the various attributes via the security context. (I think...)
Hope this helps,
Guy

On Tue, Mar 31, 2015 at 2:52 PM, Henk Laracker <Henk.Laracker at planonsoftware.com> wrote:
> Hi,
>
> I'm using the Keycloak tomcat 7 adapter. I created a sample application
> which works fine with keycloak. I created a jsp page with the following code
>
>     <% String username = request.getRemoteUser(); %>
>     User<%= username %>
>
> I have logged in with the username: supervisor
>
> So I expect the username to be: supervisor
>
> But the result is: 3d5bfb0c-9495-48b8-a11c-2e83097b2f39
>
> What do I do wrong?
>
> Met vriendelijke groet / Yours sincerely / Mit freundlichen Grüßen / Très
> cordialement,
>
> Henk Laracker

From Thomas.LaPorte at dreamworks.com Tue Mar 31 17:26:09 2015
From: Thomas.LaPorte at dreamworks.com (Thomas LaPorte)
Date: Tue, 31 Mar 2015 14:26:09 -0700
Subject: [keycloak-user] Help troubleshooting config
Message-ID:

Greetings. I'm a first-time user of Keycloak, trying to set up a simple demonstration after the examples; however, I'm having 0% success in getting my configuration correct enough such that my web resource is protected.

I have reduced my setup all the way down to a basic "HelloWorld.jsp" in a WAR file that is deployed into the standalone Wildfly server that is also hosting the Keycloak server.

I am convinced that it is a configuration step being missed somewhere, as I can always access my URL without intervention from the Keycloak server.
My WAR file consists of the following:

       0 Tue Mar 31 14:20:20 PDT 2015 META-INF/
      68 Tue Mar 31 14:20:20 PDT 2015 META-INF/MANIFEST.MF
       0 Tue Mar 31 14:08:34 PDT 2015 WEB-INF/
    1584 Tue Mar 31 09:47:52 PDT 2015 WEB-INF/web.xml
     491 Tue Mar 31 14:08:34 PDT 2015 WEB-INF/keycloak.json
     308 Tue Mar 31 14:20:18 PDT 2015 index.jsp

From Thomas.LaPorte at dreamworks.com Tue Mar 31 17:30:06 2015
From: Thomas.LaPorte at dreamworks.com (Thomas LaPorte)
Date: Tue, 31 Mar 2015 14:30:06 -0700
Subject: [keycloak-user] Help troubleshooting config
In-Reply-To:
References:
Message-ID:

Apologies for cutting off by hitting send prematurely.

On Tue, Mar 31, 2015 at 2:26 PM, Thomas LaPorte <Thomas.LaPorte at dreamworks.com> wrote:
> Greetings. I'm a first-time user of Keycloak, trying to set up a simple
> demonstration after the examples, however, I'm having 0% success in getting
> my configuration correct enough such that my web resource is protected.
>
> I have reduced my setup all the way down to a basic "HelloWorld.jsp" in a
> WAR file that is deployed into the standalone Wildfly server that is also
> hosting the Keycloak server.
>
> I am convinced that it is a configuration step being missed somewhere, as
> I can always access my URL without intervention from the Keycloak server.
>
> My WAR file consists of the following:
>
>        0 Tue Mar 31 14:20:20 PDT 2015 META-INF/
>       68 Tue Mar 31 14:20:20 PDT 2015 META-INF/MANIFEST.MF
>        0 Tue Mar 31 14:08:34 PDT 2015 WEB-INF/
>     1584 Tue Mar 31 09:47:52 PDT 2015 WEB-INF/web.xml
>      491 Tue Mar 31 14:08:34 PDT 2015 WEB-INF/keycloak.json
>      308 Tue Mar 31 14:20:18 PDT 2015 index.jsp

I have added my application to the demo realm by copying the customer-portal application stanza, and replacing the "customer-portal" with my app name:

    {
        "name": "goalkeepers",
        "enabled": true,
        "adminUrl": "/goalkeepers",
        "baseUrl": "/goalkeepers",
        "redirectUris": [
            "/goalkeepers/*"
        ],
        "secret": "password"
    }

At this stage I am just looking for suggestions on how best to troubleshoot my configuration? What logging properties can I set to enable more debugging? Or where else can I look for some clues as to the errors in my configuration?

I fear I am missing something extremely fundamental, but I can't for the life of me see what it is.

- Tom

From Thomas.LaPorte at dreamworks.com Tue Mar 31 18:05:32 2015
From: Thomas.LaPorte at dreamworks.com (Thomas LaPorte)
Date: Tue, 31 Mar 2015 15:05:32 -0700
Subject: [keycloak-user] Help troubleshooting config
In-Reply-To:
References:
Message-ID:

Thanks to a list member for some debug setup help, I'm getting much more information. Now I can see (and confirm my suspicion) that something is not right and my resource is unprotected.

For the example customer-portal app, I see that after the "callback-uri: ..." message, I get a "Sending redirect to login page:..." message.
For my app, it goes directly to "AuthenticatedActionsValve.invoke"

-- Tom

On Tue, Mar 31, 2015 at 2:49 PM, Guy Davis wrote:
> Hi Thomas,
>
> To dial up logging, try adding this to your standalone.xml file in the
> logging subsystem and re-starting your Wildfly instance:
>
>
> Then, be sure you have the right configuration in your web.xml of your
> test WAR file. See the docs here for details.
>
> Hope this helps,
> Guy
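The two threads above come down to what the adapter attaches to the request: in the tomcat 7 adapter thread Guy suggests either "principal-attribute": "preferred_username" in keycloak.json or casting the principal to KeycloakPrincipal, and in the troubleshooting thread the question is whether the adapter intercepts the request at all. The servlet below is an added example, not code from any poster or from the Keycloak project; it assumes the 1.1-line adapter classes org.keycloak.KeycloakPrincipal, org.keycloak.KeycloakSecurityContext and org.keycloak.representations.AccessToken, and "/whoami" is a placeholder path.

```java
// Added example; not code from the posters above or from the Keycloak project.
// Assumes the Keycloak servlet/Tomcat adapter classes of the 1.1 line:
// org.keycloak.KeycloakPrincipal, org.keycloak.KeycloakSecurityContext and
// org.keycloak.representations.AccessToken. "/whoami" is a placeholder path.
//
// With this line in WEB-INF/keycloak.json, getRemoteUser() returns the login
// name instead of the "sub" UUID (the setting Leonardo and Guy point to):
//     "principal-attribute": "preferred_username"
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

@WebServlet("/whoami")
public class WhoAmIServlet extends HttpServlet {

    /** What the adapter attached to the request. */
    static final class Identity {
        final String remoteUser;        // what request.getRemoteUser() returns
        final String subject;           // "sub" claim: the user's UUID
        final String preferredUsername; // "preferred_username" claim: login name

        Identity(String remoteUser, String subject, String preferredUsername) {
            this.remoteUser = remoteUser;
            this.subject = subject;
            this.preferredUsername = preferredUsername;
        }
    }

    /**
     * Returns null when the request carries no Keycloak principal, i.e. the
     * adapter did not intercept it. That is Thomas's symptom: the URL answers
     * without a redirect to the login page, so the security-constraint and
     * login-config in web.xml and WEB-INF/keycloak.json need checking.
     */
    static Identity resolve(HttpServletRequest request) {
        Principal p = request.getUserPrincipal();
        if (!(p instanceof KeycloakPrincipal)) {
            return null;
        }
        KeycloakPrincipal kp = (KeycloakPrincipal) p; // raw type on purpose: works across 1.x
        KeycloakSecurityContext ctx = kp.getKeycloakSecurityContext();
        AccessToken token = ctx.getToken();
        // p.getName() is the value behind getRemoteUser(): by default the "sub"
        // UUID Henk saw, or whichever claim "principal-attribute" selects.
        return new Identity(p.getName(), token.getSubject(), token.getPreferredUsername());
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        Identity id = resolve(req);
        if (id == null) {
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            out.println("No Keycloak principal: this resource was not protected by the adapter.");
            return;
        }
        out.println("getRemoteUser()    = " + id.remoteUser);        // UUID, or login name with principal-attribute
        out.println("sub                = " + id.subject);           // always the UUID
        out.println("preferred_username = " + id.preferredUsername); // always the login name
    }
}
```

Deploy it in the same WAR as the JSP: a plain-text reply naming the three values means the adapter is in front of the resource, and the first line shows directly whether principal-attribute took effect.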
From bburke at redhat.com Tue Mar 31 20:20:08 2015
From: bburke at redhat.com (Bill Burke)
Date: Tue, 31 Mar 2015 20:20:08 -0400
Subject: [keycloak-user] User ID should be used as "user reference" not username
In-Reply-To:
References: <236767452.8883429.1427783637115.JavaMail.zimbra@redhat.com> <551AAF33.6050307@redhat.com>
Message-ID: <551B39B8.4090507@redhat.com>

In picketlink.xml, set the NAMEID_FORMAT desired i.e.:

    urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
    urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

For persistent, a user attribute is generated:

    saml.persistent.name.id.for. = random UUID

On 3/31/2015 5:06 PM, Chen Keong Yap wrote:
> Hi Bill,
>
> Thanks for the reply. For option 1, how can we make the random userid
> associated with the keycloak session?
>
> For option 2, how can we implement this?
>
> Please share your ideas. Thanks
>
> On Mar 31, 2015 10:29 PM, "Bill Burke" wrote:
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From chenkeong.yap at izeno.com Tue Mar 31 22:56:28 2015
From: chenkeong.yap at izeno.com (Chen Keong Yap)
Date: Wed, 1 Apr 2015 10:56:28 +0800
Subject: [keycloak-user] User ID should be used as "user reference" not username
In-Reply-To: <551B39B8.4090507@redhat.com>
References: <236767452.8883429.1427783637115.JavaMail.zimbra@redhat.com> <551AAF33.6050307@redhat.com> <551B39B8.4090507@redhat.com>
Message-ID:

Hi Bill,

I've made the change but the principal username is still showing the random userid. Kindly advise.

    ${idp.url::https://localhost:8443/auth/realms/saml-demo-1/protocol/saml}
    ${EMPLOYEE.url::http://localhost:8080/employee/test.jsp}

On Wed, Apr 1, 2015 at 8:20 AM, Bill Burke wrote:
> In picketlink.xml, set the NAMEID_FORMAT desired i.e.:
>
>     class="org.picketlink.identity.federation.web.handlers.saml2.
>     SAML2AuthenticationHandler">
>
>     urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
>     urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
>     urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
>
> For persistent, a user attribute is generated:
>
>     saml.persistent.name.id.for. = random UUID
>
> On 3/31/2015 5:06 PM, Chen Keong Yap wrote: