[keycloak-user] Limit Google authentication by domain?

Thorsten thorsten315 at gmx.de
Tue Mar 24 11:02:25 EDT 2015


I built master from github and used the appliance distribution with a
docker image. I can create a new realm and set up a custom OpenID Connect
provider, but when I go to the realm login I run into the following exception:

14:51:24,683 ERROR [io.undertow.request] (default task-24) UT005023: Exception handling request to /auth/realms/test/broker/google_hd_test/login: java.lang.RuntimeException: request path: /auth/realms/test/broker/google_hd_test/login
        at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54) [keycloak-services-1.2.0.Beta1-SNAPSHOT.jar:1.2.0.Beta1-SNAPSHOT]
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
        at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
        at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:166) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:197) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_65]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_65]
        at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_65]
Caused by: org.jboss.resteasy.spi.UnhandledException: java.lang.NoClassDefFoundError: org/jboss/resteasy/logging/Logger
        at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) [resteasy-jaxrs-3.0.10.Final.jar:]
        at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) [resteasy-jaxrs-3.0.10.Final.jar:]
        at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149) [resteasy-jaxrs-3.0.10.Final.jar:]
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372) [resteasy-jaxrs-3.0.10.Final.jar:]
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) [resteasy-jaxrs-3.0.10.Final.jar:]
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) [resteasy-jaxrs-3.0.10.Final.jar:]
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) [resteasy-jaxrs-3.0.10.Final.jar:]
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) [resteasy-jaxrs-3.0.10.Final.jar:]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
        at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
        at org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41) [keycloak-services-1.2.0.Beta1-SNAPSHOT.jar:1.2.0.Beta1-SNAPSHOT]
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
        at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40) [keycloak-services-1.2.0.Beta1-SNAPSHOT.jar:1.2.0.Beta1-SNAPSHOT]
        ... 28 more
Caused by: java.lang.NoClassDefFoundError: org/jboss/resteasy/logging/Logger
        at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.<clinit>(AbstractOAuth2IdentityProvider.java:60)
        at org.keycloak.broker.oidc.OIDCIdentityProviderFactory.create(OIDCIdentityProviderFactory.java:44)
        at org.keycloak.broker.oidc.OIDCIdentityProviderFactory.create(OIDCIdentityProviderFactory.java:33)
        at org.keycloak.services.resources.IdentityBrokerService.getIdentityProvider(IdentityBrokerService.java:438) [keycloak-services-1.2.0.Beta1-SNAPSHOT.jar:1.2.0.Beta1-SNAPSHOT]
        at org.keycloak.services.resources.IdentityBrokerService.performLogin(IdentityBrokerService.java:126) [keycloak-services-1.2.0.Beta1-SNAPSHOT.jar:1.2.0.Beta1-SNAPSHOT]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_65]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_65]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_65]
        at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_65]
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) [resteasy-jaxrs-3.0.10.Final.jar:]
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) [resteasy-jaxrs-3.0.10.Final.jar:]
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) [resteasy-jaxrs-3.0.10.Final.jar:]
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) [resteasy-jaxrs-3.0.10.Final.jar:]
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) [resteasy-jaxrs-3.0.10.Final.jar:]
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) [resteasy-jaxrs-3.0.10.Final.jar:]
        ... 39 more
Caused by: java.lang.ClassNotFoundException: org.jboss.resteasy.logging.Logger from [Module "org.keycloak.keycloak-broker-oidc:main" from local module loader @5f5cc764 (finder: local module finder @4426a725 (roots: /opt/jboss/keycloak/modules,/opt/jboss/keycloak/modules/system/layers/base))]
        at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:213) [jboss-modules.jar:1.3.3.Final]
        at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:459) [jboss-modules.jar:1.3.3.Final]
        at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:408) [jboss-modules.jar:1.3.3.Final]
        at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:389) [jboss-modules.jar:1.3.3.Final]
        at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:134) [jboss-modules.jar:1.3.3.Final]
        ... 54 more


2015-03-24 7:09 GMT+01:00 Stian Thorgersen <stian at redhat.com>:

> Not sure why it's not working, you can enable debug for
> org.keycloak.services.DefaultKeycloakSessionFactory and
> org.keycloak.provider.ProviderManager that may provide some option.
>
> Alternatively, if you try with master (build from github) or wait until
> 1.2.0.Beta1 is released you can configure your own OpenID Connect provider
> which would let you add the hd param to the authorization url.
>
> ----- Original Message -----
> > From: "Thorsten" <thorsten315 at gmx.de>
> > To: "Bill Burke" <bburke at redhat.com>
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Monday, 23 March, 2015 5:11:12 PM
> > Subject: Re: [keycloak-user] Limit Google authentication by domain?
> >
> > Ok, I have copied the social Google adapter (all based on the 1.1.0.Final
> > codebase) and modified a few lines (incl. ID and NAME). I also adjusted the
> > "services" entry to match the new class name.
> > Now I used the jboss/keycloak:1.1.0.Final docker image and just added my
> > adapter jar to the /opt/jboss/keycloak/standalone/configuration/providers/
> > directory.
> >
> > But when I start the docker container and enable Social Login I don't see my
> > social module name in the "Add provider..." pulldown list.
> >
> > Is there anything else I need to do in order to add my social provider to
> > register?
> >
> > Thanks
> >
> > 2015-03-23 15:19 GMT+01:00 Bill Burke <bburke at redhat.com>:
> >
> >
> > We don't support this. Our "social" module contains our Google adapter.
> >
> > On 3/23/2015 10:14 AM, Thorsten wrote:
> > > Hi,
> > >
> > > is there a way to limit the Google authentication to only work for users
> > > that have a Google account in a specific Google Apps domain? Right now it
> > > seems that anybody with a Google+ account can log in once you enable it.
> > >
> > > Is there an out-of-the-box way to get this done through configuration and,
> > > if not, what would be the simplest way to implement this?
> > >
> > > Thanks
> > >
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> >
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
>
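Stian's suggestion above is to configure a custom OpenID Connect provider and add the hd parameter to the authorization URL. The Python below is an added example, not code from the thread or from Keycloak, showing the two halves a practitioner needs for that approach: building the authorization URL with hd, and then enforcing the restriction server-side on the hd claim of the returned ID token, because hd in the request is only a hint to Google's account chooser and is sent through the browser, where the user can drop it. The authorization endpoint URL, the allowed domain and the sample ID tokens are assumptions constructed for the example, and verification of the ID token's signature against Google's published keys is assumed to have happened before the claims are checked.

```python
# Added example (not Keycloak's code): restrict a Google login to one Google
# Apps domain. Endpoint, domain and tokens below are assumed/constructed.
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed endpoint; take the real one from Google's OpenID discovery document.
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
ALLOWED_DOMAIN = "example.com"  # assumed Google Apps domain


def build_authorization_url(client_id, redirect_uri, state, hosted_domain):
    """Redirect to Google with hd set. hd narrows Google's account chooser,
    but it travels through the browser and can be stripped, so it is not
    the access decision."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid email",
        "state": state,
        "hd": hosted_domain,
    }
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params)


def hosted_domain_in_url(url):
    """The hd value a relying party sent, as Google would see it."""
    return parse_qs(urlparse(url).query).get("hd", [None])[0]


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token):
    """Payload of a JWT. The signature is NOT checked here; the caller must
    have verified it against Google's published keys before trusting this."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed id_token")
    return json.loads(_b64url_decode(parts[1]))


def is_allowed_account(claims, allowed_domain):
    """Server-side decision. Only Google Apps accounts carry an hd claim;
    consumer accounts do not, even when their e-mail address is on the
    allowed domain, so the e-mail suffix alone must not be the check."""
    hd = claims.get("hd")
    if not isinstance(hd, str) or hd.lower() != allowed_domain.lower():
        return False
    return claims.get("email_verified") is True


def login_allowed(id_token, allowed_domain=ALLOWED_DOMAIN):
    return is_allowed_account(id_token_claims(id_token), allowed_domain)


def _constructed_token(payload):
    """Unsigned stand-in for a Google ID token, only to exercise the checks."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(payload) + ".sig"


# Constructed sample tokens (claims only; the signature part is a placeholder)
APPS_ACCOUNT = _constructed_token({
    "iss": "accounts.google.com", "sub": "1", "hd": "example.com",
    "email": "alice@example.com", "email_verified": True})
CONSUMER_ACCOUNT = _constructed_token({
    "iss": "accounts.google.com", "sub": "2",
    "email": "bob@gmail.com", "email_verified": True})
OTHER_DOMAIN = _constructed_token({
    "iss": "accounts.google.com", "sub": "3", "hd": "other.example",
    "email": "carol@other.example", "email_verified": True})
# A consumer Google account registered with an address on the allowed domain:
# no hd claim, so an e-mail-suffix check would wrongly let it in.
LOOKALIKE = _constructed_token({
    "iss": "accounts.google.com", "sub": "4",
    "email": "mallory@example.com", "email_verified": True})

if __name__ == "__main__":
    print(build_authorization_url("client-id", "https://sso.example.com/cb",
                                  "opaque-state", ALLOWED_DOMAIN))
    for name, tok in [("apps", APPS_ACCOUNT), ("consumer", CONSUMER_ACCOUNT),
                      ("other", OTHER_DOMAIN), ("lookalike", LOOKALIKE)]:
        print(name, login_allowed(tok))
```

The hd claim is the only part of the exchange that Google asserts about the account's Google Apps domain; the lookalike token shows why matching the e-mail address against the domain, which is what the thread's "Google+ account can log in" observation would tempt one to do, is not a substitute.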

