From alex_orl1079 at yahoo.it Sun Nov 1 11:18:57 2015
From: alex_orl1079 at yahoo.it (alex orl)
Date: Sun, 1 Nov 2015 16:18:57 +0000 (UTC)
Subject: [keycloak-user] setting log level
References: <908979050.697883.1446394737577.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <908979050.697883.1446394737577.JavaMail.yahoo@mail.yahoo.com>

I'm trying to set the log level on Keycloak. Opening the WildFly admin console... or editing the WildFly standalone.xml and adding a new category: category=my.userfederation.provider level=debug. Nothing happens. My user federation provider is installed as a module. What am I missing? Thanks a lot.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151101/42194ff9/attachment.html

From harshmahey at gmail.com Sun Nov 1 23:12:23 2015
From: harshmahey at gmail.com (harsh mahey)
Date: Sun, 1 Nov 2015 21:12:23 -0700
Subject: [keycloak-user] Issue with Tomcat 8 adapter ?
Message-ID:

Hi guys,
Has anyone faced any issue with Tomcat 8 adapters? For some reason I am not getting the Keycloak login screen on my web app. Here is my scenario:
1. Latest version of Keycloak runs on WildFly
2. A war runs on Tomcat. I put all the jar files under the tomcat/lib dir. Below are the keycloak.json and my web.xml file, which go under my WEB-INF
3. When I log in, I directly get my webapp page and it does not redirect me to the Keycloak login page.
4.
My webapp is built using AngularJS.

keycloak.json
********************
{
  "realm": "SnrAppsRealm",
  "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAutb9hlKhbZvIm6RDPPFFpR1RcNAt/NpzCWemJOveG1Ve5eu2AwPKwmqvkhTaMWUW990BFPIkBRPv13Grt9AVTMTgU10IeK/PM9CGN05eFr6S3KMSSTskpszIN3opiRQ5r8/eCYjC4Bk6qFkbtrlp6ORvUkLS7nMLwVLh9JDo2Fx9nWd+l1oLq1YpYMYeLDcaOAW/vdjYSfyLueu2wESjY9oSEs8x43ZyIhNKGRmW3oDXYL8X5guiqalZD5gbhWv6v3WpeTqdi0sLv4GI2B3oSG76Z/x2On/Sc2r3szfM8kUllyV7K8uYoMgD7DFVOZX5g6Bi6xntzkJHwLMJtW4UPwIDAQAB",
  "auth-server-url": "http://xxxxx.com:9322/auth",
  "ssl-required": "none",
  "resource": "snrapps-web",
  "credentials": {
    "secret": "dda19c87-efee-4c33-a1b3-8b64ad545s0f"
  },
  "use-resource-role-mappings": true
}
*****************************
web.xml
snrapps-web /snrapps-web /* user /* CONFIDENTIAL BASIC this is ignored currently admin user
***************
META-INF/context.xml
***********

From nicolas.grange at retrievercommunications.com Mon Nov 2 00:31:42 2015
From: nicolas.grange at retrievercommunications.com (Nic Grange)
Date: Mon, 2 Nov 2015 05:31:42 +0000
Subject: [keycloak-user] Issue with Tomcat 8 adapter ?
Message-ID: <955ACCD2-FFAD-4DD1-B7CF-A3B0B1D2B3C4@retrievercommunications.com>

Hi Harsh,
Your problem is most likely caused by duplicate security-constraints for the same url-pattern (/*). This used to be in one of the older versions of the documentation but was updated with https://issues.jboss.org/browse/KEYCLOAK-1724. Try just removing the second in your web.xml and retest to see if it is the problem.
Cheers,
Nic

> >Message: 4 >Date: Sun, 1 Nov 2015 21:12:23 -0700 >From: harsh mahey >Subject: [keycloak-user] Issue with Tomcat 8 adapter ?
>To: keycloak-user at lists.jboss.org >Message-ID: > >Content-Type: text/plain; charset="utf-8" > >Hi guys, >Has any one faced any issue with tomcat 8 adapters. >For some reason i am not get keycloak login screen on my web app,Here is my >scenario > >1. Latest version of Keycloak runs on wildfly >2. A war runs on tomcat.I put all the jar files under tomcat/lib dir.Below >is the keycloak.json and my web.xml file which goes under my WEB-INF >3. When i login , i directly gets my webapp page and it does not redirects >me to keycloak login page. >4. My webapp is build using angularjs > >keycloak.json >******************** > >{ > > "realm": "SnrAppsRealm", > > "realm-public-key": >"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAutb9hlKhbZvIm6RDPPFFpR1RcNAt/NpzCWemJOveG1Ve5eu2AwPKwmqvkhTaMWUW990BFPIkBRPv13Grt9AVTMTgU10IeK/PM9CGN05eFr6S3KMSSTskpszIN3opiRQ5r8/eCYjC4Bk6qFkbtrlp6ORvUkLS7nMLwVLh9JDo2Fx9nWd+l1oLq1YpYMYeLDcaOAW/vdjYSfyLueu2wESjY9oSEs8x43ZyIhNKGRmW3oDXYL8X5guiqalZD5gbhWv6v3WpeTqdi0sLv4GI2B3oSG76Z/x2On/Sc2r3szfM8kUllyV7K8uYoMgD7DFVOZX5g6Bi6xntzkJHwLMJtW4UPwIDAQAB", > > "auth-server-url": "http://xxxxx.com:9322/auth", > > "ssl-required": "none", > > "resource": "snrapps-web", > > "credentials": { > > "secret": "dda19c87-efee-4c33-a1b3-8b64ad545s0f" > > }, > > "use-resource-role-mappings": true > >} > >***************************** > >web.xml > > >xsi:schemaLocation="http://java.sun.com/xml/ns/javaee >http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0"> > > snrapps-web > > > > > > > > /snrapps-web > > /* > > > > > > user > > > > > > > > > > > /* > > > > > > CONFIDENTIAL > > > > > > > > BASIC > > this is ignored currently > > > > > > admin > > > > > > user > > > > > > >*************** > >META-INF/context.xml > > > > > > > "org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve" /> > > > > >*********** >-------------- next part -------------- >An HTML attachment was scrubbed... 
>URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151101/8c65d636/attachment.html > >------------------------------ > >_______________________________________________ >keycloak-user mailing list >keycloak-user at lists.jboss.org >https://lists.jboss.org/mailman/listinfo/keycloak-user > >End of keycloak-user Digest, Vol 23, Issue 1 >********************************************

From harshmahey at gmail.com Mon Nov 2 01:13:03 2015
From: harshmahey at gmail.com (harsh mahey)
Date: Sun, 1 Nov 2015 23:13:03 -0700
Subject: [keycloak-user] Issue with Tomcat 8 adapter ?
In-Reply-To: <955ACCD2-FFAD-4DD1-B7CF-A3B0B1D2B3C4@retrievercommunications.com>
References: <955ACCD2-FFAD-4DD1-B7CF-A3B0B1D2B3C4@retrievercommunications.com>
Message-ID:

Thanks a lot! It worked... Is there some good documentation where I can see how I can get the Mapper fields in my application? I am using AngularJS.

On Sun, Nov 1, 2015 at 10:31 PM, Nic Grange < nicolas.grange at retrievercommunications.com> wrote: > Hi Harsh, > > Your problem is most likely caused by duplicate security-constraints for > the same url-pattern (/*). > This used to be in one of the older versions of the documentation but was > updated with https://issues.jboss.org/browse/KEYCLOAK-1724. > Try just removing the second in your web.xml and > retest to see if it is the problem. > > Cheers, > Nic > > > > > >Message: 4 > >Date: Sun, 1 Nov 2015 21:12:23 -0700 > >From: harsh mahey > >Subject: [keycloak-user] Issue with Tomcat 8 adapter ? > >To: keycloak-user at lists.jboss.org > >Message-ID: > > CEYn7PsqnyutMXUYhXzGr3yWbNtEXRJaEuOv01zRw at mail.gmail.com> > >Content-Type: text/plain; charset="utf-8" > > > >Hi guys, > >Has any one faced any issue with tomcat 8 adapters. > >For some reason i am not get keycloak login screen on my web app,Here is > my > >scenario > > > >1. Latest version of Keycloak runs on wildfly > >2.
A war runs on tomcat.I put all the jar files under tomcat/lib dir.Below > >is the keycloak.json and my web.xml file which goes under my WEB-INF > >3. When i login , i directly gets my webapp page and it does not redirects > >me to keycloak login page. > >4. My webapp is build using angularjs > > > >keycloak.json > >******************** > > > >{ > > > > "realm": "SnrAppsRealm", > > > > "realm-public-key": > > >"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAutb9hlKhbZvIm6RDPPFFpR1RcNAt/NpzCWemJOveG1Ve5eu2AwPKwmqvkhTaMWUW990BFPIkBRPv13Grt9AVTMTgU10IeK/PM9CGN05eFr6S3KMSSTskpszIN3opiRQ5r8/eCYjC4Bk6qFkbtrlp6ORvUkLS7nMLwVLh9JDo2Fx9nWd+l1oLq1YpYMYeLDcaOAW/vdjYSfyLueu2wESjY9oSEs8x43ZyIhNKGRmW3oDXYL8X5guiqalZD5gbhWv6v3WpeTqdi0sLv4GI2B3oSG76Z/x2On/Sc2r3szfM8kUllyV7K8uYoMgD7DFVOZX5g6Bi6xntzkJHwLMJtW4UPwIDAQAB", > > > > "auth-server-url": "http://xxxxx.com:9322/auth", > > > > "ssl-required": "none", > > > > "resource": "snrapps-web", > > > > "credentials": { > > > > "secret": "dda19c87-efee-4c33-a1b3-8b64ad545s0f" > > > > }, > > > > "use-resource-role-mappings": true > > > >} > > > >***************************** > > > >web.xml > > > > > > >xsi:schemaLocation="http://java.sun.com/xml/ns/javaee > >http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0"> > > > > snrapps-web > > > > > > > > > > > > > > > > /snrapps-web > > > > /* > > > > > > > > > > > > user > > > > > > > > > > > > > > > > > > > > > > /* > > > > > > > > > > > > CONFIDENTIAL > > > > > > > > > > > > > > > > BASIC > > > > this is ignored currently > > > > > > > > > > > > admin > > > > > > > > > > > > user > > > > > > > > > > > > > >*************** > > > >META-INF/context.xml > > > > > > > > > > > > > > >"org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve" /> > > > > > > > > > >*********** > >-------------- next part -------------- > >An HTML attachment was scrubbed... 
> >URL: > http://lists.jboss.org/pipermail/keycloak-user/attachments/20151101/8c65d636/attachment.html > > > >------------------------------ > > > >_______________________________________________ > >keycloak-user mailing list > >keycloak-user at lists.jboss.org > >https://lists.jboss.org/mailman/listinfo/keycloak-user > > > >End of keycloak-user Digest, Vol 23, Issue 1 > >******************************************** > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From ornot2008 at yahoo.com Mon Nov 2 05:13:58 2015
From: ornot2008 at yahoo.com (Mai Zi)
Date: Mon, 2 Nov 2015 10:13:58 +0000 (UTC)
Subject: [keycloak-user] Can not logout from demo broker
References: <865106505.776723.1446459238266.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <865106505.776723.1446459238266.JavaMail.yahoo@mail.yahoo.com>

Hi there,
I followed the instructions to import the broker's two realms and successfully logged in. When logging out, it failed.
Any help will be appreciated.
Maizi

From ornot2008 at yahoo.com Mon Nov 2 05:19:15 2015
From: ornot2008 at yahoo.com (Mai Zi)
Date: Mon, 2 Nov 2015 10:19:15 +0000 (UTC)
Subject: [keycloak-user] Fw: Can not logout from demo broker
In-Reply-To: <865106505.776723.1446459238266.JavaMail.yahoo@mail.yahoo.com>
References: <865106505.776723.1446459238266.JavaMail.yahoo@mail.yahoo.com> <865106505.776723.1446459238266.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <1814331870.757212.1446459555341.JavaMail.yahoo@mail.yahoo.com>

BTW: version 1.6.0
----- Forwarded Message -----
From: Mai Zi
To: "keycloak-user at lists.jboss.org"
Sent: Monday, November 2, 2015 6:13 PM
Subject: Can not logout from demo broker

Hi there,
I followed the instructions to import the broker's two realms and successfully logged in. When logging out, it failed.
Any help will be appreciated.
Maizi

From sthorger at redhat.com Mon Nov 2 06:06:13 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 2 Nov 2015 11:06:13 +0000
Subject: [keycloak-user] Generate offline token
In-Reply-To:
References:
Message-ID:

I would create a client for each customer. Enable the service account feature to map roles to the client. Then customers can authenticate either with a secret or a signed JWT (public/private key). They can then use the client credentials grant to obtain tokens.

On 30 Oct 2015 15:37, "Pål Orby" wrote: > Saw your session at JavaZone, so thought we could give KC a try :-) > > Our web application is split on two; frontend (HTML5/Javascript) and our > backend (REST lv. 3 developed in Java, currently running inside Tomcat). > > Our frontend is just a consumer of our backend API (just like any other > client), and I've successfully configured KC to use openid-connect/public > for our frontend with keycloak.js, and openid-connect/bearer-only for our > backend (API) in our test environment (sending the Authorization header > with Bearer and keycloak.token to backend when doing ajax requests). This > work like expected. Even written our own federation doing password > validation from our user database. > > But, a lot of our customers have integrated their application to our > backend API, doing REST calls for issuing invoices, etc...) > > Most other services that provides you with an API offers tokens that can > be used for identification and authentication.
And as far as I can see, > this is offline tokens in KC. > > So we want to have our users log in to our service with their browser, go > to our "API key page" and create a new token to be used by the integrations > (moving away from Basic auth). > > I've created an offline token by hitting a keycloak protected html file > and requested a resource with parameter ?scope=offline_access. I do see KC > gives me a value back: > > http://localhost/keycloak.html?scope=offline_access&code=HU5UkZ_EbNUjX3Vhmg-3EIhC6Abz5rwhNMy_cuPzpLA.bfa6846d-b8f2-46da-b923-6a2824c82dd6&state=f2c410f3-37dd-4b5b-b933-1aacce916846 > > But there is no way I can use this for anything (and in KC it seems to be > bound to our frontend application). > > Why can't I use the admin rest api to say something like: give me an > offline token for this user for this app? > > /Pål > > 2015-10-30 15:06 GMT+01:00 Stian Thorgersen : > >> Heisann, >> >> Nice to see fellow Norwegians are using Keycloak :) >> >> For offline tokens the idea is that you'd have a frontend app (server or >> client, whichever floats your boat) that can bootstrap the offline token. >> >> Not sure offline tokens is quite what you need though - can you elaborate >> a bit on your use case? >> >> On 30 October 2015 at 13:51, Pål Orby wrote: >> >>> We have two clients registered in our realm; frontend and backend. >>> Frontend is defined openid-connect/public (HTML/Javascript app) and backend >>> is openid-connect/bearer-only. >>> >>> How can we generate an offline token for a given user that can be used >>> towards our backend (which is bearer only)? >>> >>> We have a lot of customers that is integrated to our API (which is our >>> backend client). >>> >>> *Pål Orby* >>> UNIT4 Agresso AS >>> DevOps >>> Tlf: 22 58 85 00 >>> Mobil: 900 91 705 >>> >>> SendRegning - Gjør det enkelt!
>>> http://www.sendregning.no >>> http://facebook.com/sendregning >>> http://twitter.com/sendregning >>> http://faktura.no >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> >

From ado.boj.83 at gmail.com Mon Nov 2 06:30:42 2015
From: ado.boj.83 at gmail.com (AAA BBB)
Date: Mon, 2 Nov 2015 12:30:42 +0100
Subject: [keycloak-user] Issue with 3.3. Adding Keycloak server in Domain Mode with 1.6.0.Final version
Message-ID:

Hi all,
I am starting with Keycloak and I have an issue with adding it to an existing WildFly 9.0.1.Final. I already used the KEYCLOAK BLOG for a quick and helpful conversation with Stian Thorgersen, but we didn't solve it. I have an issue with modifying domain.xml for Keycloak.
-----------------------------------------------------------------------------------------------------------------
Hi, the last advice was:
So you need to get 3 pieces from standalone-keycloak-ha.xml and add to domain.xml. The bits you need are:
extension org.keycloak.keycloak-server-subsystem
cache-container name="keycloak"
subsystem urn:jboss:domain:keycloak-server:1.1
------------------------------------------------------------------------------------------------------------------
And my last answer was:
Thanks, but it doesn't work for me. Steps 1 and 3 are clear to me. For Step 2 I have to add the whole infinispan: * * because it was missing completely. After running the system with such an *.xml, starting auth wasn't possible. I attached my domain.xml with the last updated steps mentioned below.
Thanks for your answer and best regards,
Andrej.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151102/2bcaad6f/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: domain.xml
Type: text/xml
Size: 41122 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20151102/2bcaad6f/attachment-0001.xml

From bburke at redhat.com Mon Nov 2 08:59:15 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 2 Nov 2015 08:59:15 -0500
Subject: [keycloak-user] Can not logout from demo broker
In-Reply-To: <865106505.776723.1446459238266.JavaMail.yahoo@mail.yahoo.com>
References: <865106505.776723.1446459238266.JavaMail.yahoo@mail.yahoo.com> <865106505.776723.1446459238266.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <56376C33.4010305@redhat.com>

Can't really diagnose your problem as you've given very little information.

On 11/2/2015 5:13 AM, Mai Zi wrote: > Hi, there, > I follow the instruction to import broker 's two realms and > successfully login in . When logout, it failed. > > > Any help will be appreciated > > > Maizi > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From ado.boj.83 at gmail.com Mon Nov 2 10:07:31 2015
From: ado.boj.83 at gmail.com (Andrej P)
Date: Mon, 2 Nov 2015 16:07:31 +0100
Subject: [keycloak-user] Can not logout from demo broker
In-Reply-To: <56376C33.4010305@redhat.com>
References: <865106505.776723.1446459238266.JavaMail.yahoo@mail.yahoo.com> <56376C33.4010305@redhat.com>
Message-ID:

Hi Bill,
which more info would you request, please?
I have an issue with modifying domain.xml for Keycloak.
Because in the chapter http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e409 some configuration info is missing, and after adding everything that was advised to me and starting WildFly from the command line with ./domain.sh --domain-config=domain.xml --host-config=host.xml, http://localhost:8080/auth/admin/index.html still doesn't work for the WildFly domain.
Br,
Andrej.

On Mon, Nov 2, 2015 at 2:59 PM, Bill Burke wrote: > Can't really diagnose your problem as you've given very little information. > > On 11/2/2015 5:13 AM, Mai Zi wrote: > > Hi, there, > > I follow the instruction to import broker 's two realms and > > successfully login in . When logout, it failed. > > > > > > Any help will be appreciated > > > > > > Maizi > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From mstrukel at redhat.com Mon Nov 2 12:35:12 2015
From: mstrukel at redhat.com (Marko Strukelj)
Date: Mon, 2 Nov 2015 18:35:12 +0100
Subject: [keycloak-user] Can not logout from demo broker
In-Reply-To:
References: <865106505.776723.1446459238266.JavaMail.yahoo@mail.yahoo.com> <56376C33.4010305@redhat.com>
Message-ID:

That part of the user guide is clearly out of date. It should be: ... And: auth

On Mon, Nov 2, 2015 at 4:07 PM, Andrej P wrote: > Hi Bill, > > which more info would you request pls? > > I have issue with modify domain.xml for keycloak.
> Because in chapter > http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e409 > are missing some configuration infos and after add everything what was > advice me after start wildfly in command line: ./domain.sh > --domain-config=domain.xml --host-config=host.xml > Still http://localhost:8080/auth/admin/index.html doesn't work for > wildfly-domain. > > Br, > Andrej. > > On Mon, Nov 2, 2015 at 2:59 PM, Bill Burke wrote: > >> Can't really diagnose your problem as you've given very little >> information. >> >> On 11/2/2015 5:13 AM, Mai Zi wrote: >> > Hi, there, >> > I follow the instruction to import broker 's two realms and >> > successfully login in . When logout, it failed. >> > >> > >> > Any help will be appreciated >> > >> > >> > Maizi >> > >> > >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From cmoulliard at redhat.com Mon Nov 2 12:41:25 2015
From: cmoulliard at redhat.com (Charles Moulliard)
Date: Mon, 2 Nov 2015 18:41:25 +0100
Subject: [keycloak-user] Enhance Keycloak with Certificate Authority
Message-ID: <5637A045.9030704@redhat.com>

Hi,
During this summer a Google project has been designed to Enhance Keycloak with Certificate Authority.
Does somebody know if the code has been integrated within a Keycloak release/snapshot?
https://www.google-melange.com/gsoc/project/details/google/gsoc2015/girirajsharma/5693417237512192
Regards,
Charles

From giriraj.sharma27 at gmail.com Mon Nov 2 13:22:16 2015
From: giriraj.sharma27 at gmail.com (Giriraj Sharma)
Date: Mon, 2 Nov 2015 23:52:16 +0530
Subject: [keycloak-user] Enhance Keycloak with Certificate Authority
In-Reply-To: <5637A045.9030704@redhat.com>
References: <5637A045.9030704@redhat.com>
Message-ID:

Hi,
The project was mainly targeted to enable automatic SSL setup over Keycloak and to enable two-way (mutual) SSL authentication over Keycloak/WildFly for authenticating users and clients. I am sorry to say but the code hasn't been merged into Keycloak master, as it was mainly a prototype to develop the actual client-cert authentication. I did manage to get 3 of my prototype quickstarts (demos) merged into wildfly/quickstarts 10.x. They will be shipped with WildFly 10.
https://github.com/wildfly/quickstart/tree/10.x
helloworld-ssl [https://github.com/wildfly/quickstart/tree/10.x/helloworld-ssl]
helloworld-war-ssl [https://github.com/wildfly/quickstart/tree/10.x/helloworld-war-ssl]
helloworld-client-ssl [https://github.com/wildfly/quickstart/tree/10.x/helloworld-client-ssl]
http://blog.keycloak.org/2015/09/google-summer-of-code-2015.html
Thanks,

On Mon, Nov 2, 2015 at 11:11 PM, Charles Moulliard wrote: > Hi, > > During this summer a Google project has been designed to Enhance > Keycloak with Certificate Authority. Does somebody knows if the code has > been integrated within a Keycloak release/snapshot ?
> > > https://www.google-melange.com/gsoc/project/details/google/gsoc2015/girirajsharma/5693417237512192 > > Regards, > > Charles > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

--
Giriraj Sharma
about.me/girirajsharma
Giriraj Sharma, Department of Computer Science
National Institute of Technology Hamirpur
Himachal Pradesh, India 177005

From srossillo at smartling.com Mon Nov 2 15:00:14 2015
From: srossillo at smartling.com (Scott Rossillo)
Date: Mon, 2 Nov 2015 15:00:14 -0500
Subject: [keycloak-user] Documentation on website
In-Reply-To:
References: <56336C1F.8090106@first8.nl>
Message-ID:

The links for admin API and Java docs don't work from here: http://keycloak.github.io/docs/

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Oct 30, 2015, at 9:14 AM, Stian Thorgersen wrote: > > We're having some issues with the website - in the meantime you can get the docs from http://keycloak.github.io/docs/index.html > > On 30 October 2015 at 13:09, Mark Hayen > wrote: > Hi guys, > > I tried to look into the documentation of keycloak, but suddenly the links are dead. > On http://keycloak.jboss.org/ the documentation link is grey > and when googling I get a 404 > How can I access the keycloak docs? > > Mark > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151102/6838505e/attachment.html

From orby at sendregning.no Mon Nov 2 16:40:58 2015
From: orby at sendregning.no (Pål Orby)
Date: Mon, 2 Nov 2015 22:40:58 +0100
Subject: [keycloak-user] Generate offline token
In-Reply-To:
References:
Message-ID:

It's not an option to create a client for each customer. Currently we have 65 000 customers, and we do not care if they use our API or use us within their browser.
We want to just generate an offline token for a given user. Can someone please tell me how to do it? I've read the documentation, but it is not clear to me how to obtain an offline token ( http://keycloak.github.io/docs/userguide/keycloak-server/html/timeouts.html#offline-access ).
Thanks in advance :-)
/Pål

*Pål Orby*
UNIT4 Agresso AS
Programvareingeniør
Tlf: 22 58 85 00
Mobil: 900 91 705
SendRegning - Gjør det enkelt!
http://www.sendregning.no
http://facebook.com/sendregning
http://twitter.com/sendregning
http://faktura.no

2015-11-02 12:06 GMT+01:00 Stian Thorgersen : > I would create a client for each customer. Enable the service account > feature to map roles to the client. Then customers can authenticate either > with a secret or signed jwt (public/private key). They can then use the > client credentials grant to obtain tokens. > On 30 Oct 2015 15:37, "Pål Orby" wrote: > >> Saw your session at JavaZone, so thought we could give KC a try :-) >> >> Our web application is split on two; frontend (HTML5/Javascript) and our >> backend (REST lv. 3 developed in Java, currently running inside Tomcat). >> >> Our frontend is just a consumer of our backend API (just like any other >> client), and I've successfully configured KC to use openid-connect/public >> for our frontend with keycloak.js, and openid-connect/bearer-only for our >> backend (API) in our test environment (sending the Authorization header >> with Bearer and keycloak.token to backend when doing ajax requests).
This >> work like expected. Even written our own federation doing password >> validation from our user database. >> >> But, a lot of our customers have integrated their application to our >> backend API, doing REST calls for issuing invoices, etc...) >> >> Most other services that provides you with an API offers tokens that can >> be used for identification and authentication. And as far as I can see, >> this is offline tokens in KC. >> >> So we want to have our users log in to our service with their browser, go >> to our "API key page" and create a new token to be used by the integrations >> (moving away from Basic auth). >> >> I've created an offline token by hitting a keycloak protected html file >> and requested a resource with parameter ?scope=offline_access. I do see KC >> gives me a value back: >> >> http://localhost/keycloak.html?scope=offline_access&code=HU5UkZ_EbNUjX3Vhmg-3EIhC6Abz5rwhNMy_cuPzpLA.bfa6846d-b8f2-46da-b923-6a2824c82dd6&state=f2c410f3-37dd-4b5b-b933-1aacce916846 >> >> But there is no way I can use this for anything (and in KC it seems to be >> bound to our frontend application). >> >> Why can't I use the admin rest api to say something like: give me an >> offline token for this user for this app? >> >> /Pål >> >> 2015-10-30 15:06 GMT+01:00 Stian Thorgersen : >> >>> Heisann, >>> >>> Nice to see fellow Norwegians are using Keycloak :) >>> >>> For offline tokens the idea is that you'd have a frontend app (server or >>> client, whichever floats your boat) that can bootstrap the offline token. >>> >>> Not sure offline tokens is quite what you need though - can you >>> elaborate a bit on your use case? >>> >>> On 30 October 2015 at 13:51, Pål Orby wrote: >>> >>>> We have two clients registered in our realm; frontend and backend. >>>> Frontend is defined openid-connect/public (HTML/Javascript app) and backend >>>> is openid-connect/bearer-only.
>>>> >>>> How can we generate an offline token for a given user that can be used >>>> towards our backend (which is bearer only)? >>>> >>>> We have a lot of customers that is integrated to our API (which is our >>>> backend client). >>>> >>>> *Pål Orby* >>>> UNIT4 Agresso AS >>>> DevOps >>>> Tlf: 22 58 85 00 >>>> Mobil: 900 91 705 >>>> >>>> SendRegning - Gjør det enkelt! >>>> http://www.sendregning.no >>>> http://facebook.com/sendregning >>>> http://twitter.com/sendregning >>>> http://faktura.no >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >>

From stuart.jacobs at symbiotics.co.za Tue Nov 3 01:11:14 2015
From: stuart.jacobs at symbiotics.co.za (Stuart Jacobs)
Date: Tue, 3 Nov 2015 08:11:14 +0200
Subject: [keycloak-user] Infinite loop in all browsers except Edge
Message-ID:

Good Day,
I am working on an Angular administration web project using WildFly 8.2 with Keycloak. The base URL to my site is http://localhost:9000/#/dashboard/home. Keycloak does a successful login when using the new Edge browser from Windows, but in any other browser it goes into an infinite loop between the landing page URL and the landing page URL appended with the token provided by Keycloak. I specify my redirect URI as http://localhost:9000/* because if I specify the full landing page URI it returns invalid; I presume this is due to the # anchor symbol in the URI? My question is: what is a possible cause of this infinite loop, and what is the correct way to keep the # anchor and specify specific redirect URIs?
Kind Regards
Stuart Jacobs

--
********************************************************************************
This email and any accompanying attachments may contain confidential and proprietary information. This information is private and protected by law and, accordingly, if you are not the intended recipient, you are requested to delete this entire communication immediately and are notified that any disclosure, copying or distribution of or taking any action based on this information is prohibited. Emails cannot be guaranteed to be secure or free of errors or viruses. The sender does not accept any liability or responsibility for any interception, corruption, destruction, loss, late arrival or incompleteness of or tampering or interference with any of the information contained in this email or for its incorrect delivery or non-delivery for whatsoever reason or for its effect on any electronic device of the recipient.
********************************************************************************

From kalc04 at gmail.com Tue Nov 3 01:50:11 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Tue, 3 Nov 2015 12:20:11 +0530
Subject: [keycloak-user] Bug in AbstractClaimMapper class
Message-ID:

We came across an issue when integrating a custom OIDC IDP and mapping roles into it. When we have a list of external roles to map into Keycloak roles, the process fails. The issue is at the bottom of the valueEquals(String, Object) method in the AbstractClaimMapper class. When the incoming Object is a list, it just performs the comparison with the first element and returns...

...
} else if (value instanceof List) {
    List list = (List)value;
    for (Object val : list) {
        return valueEquals(desiredValue, val);
    }
}
...

Instead the code should be something like this:

...
    } else if (value instanceof List) {
        List list = (List)value;
        for (Object val : list) {
            if (valueEquals(desiredValue, val)) return true;
        }
    }
    ...

Regards,
Lohitha

From ado.boj.83 at gmail.com Tue Nov 3 02:50:03 2015
From: ado.boj.83 at gmail.com (Andrej P)
Date: Tue, 3 Nov 2015 08:50:03 +0100
Subject: [keycloak-user] Can not logout from demo broker
References: <865106505.776723.1446459238266.JavaMail.yahoo@mail.yahoo.com> <56376C33.4010305@redhat.com>

Hi Marko,

thanks for your answer, but these 2 corrections in domain.xml for extensions and subsystem, like you wrote below, I changed, but it doesn't work.

After running wildfly via:

    [root at demosetup /opt/wildfly/bin]$ ./domain.sh --domain-config=domain.xml --host-config=host.xml

this link doesn't work: http://192.168.56.10:8080/auth

I attached my actual domain.xml

Br,
Andrej.

On Mon, Nov 2, 2015 at 6:35 PM, Marko Strukelj wrote:
> That part of the user guide is clearly out of date.
>
> It should be:
>
> ...
>
> And:
>
> auth
>
> On Mon, Nov 2, 2015 at 4:07 PM, Andrej P wrote:
>> Hi Bill,
>>
>> which more info would you request pls?
>>
>> I have an issue with modifying domain.xml for keycloak.
>> Because in chapter
>> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e409
>> some configuration infos are missing, and after adding everything that was
>> advised to me, after starting wildfly in the command line: ./domain.sh
>> --domain-config=domain.xml --host-config=host.xml
>> still http://localhost:8080/auth/admin/index.html doesn't work for
>> wildfly-domain.
>>
>> Br,
>> Andrej.
>>
>> On Mon, Nov 2, 2015 at 2:59 PM, Bill Burke wrote:
>>> Can't really diagnose your problem as you've given very little
>>> information.
>>>
>>> On 11/2/2015 5:13 AM, Mai Zi wrote:
>>>> Hi, there,
>>>> I follow the instruction to import broker's two realms and
>>>> successfully log in. When logging out, it failed.
>>>>
>>>> Any help will be appreciated
>>>>
>>>> Maizi
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com

From mposolda at redhat.com Tue Nov 3 03:06:45 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 3 Nov 2015 09:06:45 +0100
Subject: [keycloak-user] Generate offline token
Message-ID: <56386B15.2070206@redhat.com>

On 02/11/15 22:40, Pål Orby wrote:
> It's not an option to create a client for each customer. Currently we
> have 65 000 customers, and we do not care if they use our API or using
> us within their browser.
>
> We want to just generate an offline token for a given user? Can
> someone please tell me how to do it.
> I've read the documentation, but it is not clear for me how to obtain
> an offline token
> (http://keycloak.github.io/docs/userguide/keycloak-server/html/timeouts.html#offline-access).

Not sure I understand all the details of your use case. But a use case like "give me an offline token for this user for this app" can be done with the direct grant. See the docs for direct grant here: http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-access-grants.html

If you want to retrieve an offline token through direct grant, you just need to add the parameter "scope=offline_access" to the body of the POST. So instead of just:

    username=bburke&password=geheim&grant_type=password

you will use:

    username=bburke&password=geheim&grant_type=password&scope=offline_access

But note that an offline token is not a permanent token which can be used without limit for authentication against REST backend services. An offline token is just a special kind of refresh token, which never expires. You can use the offline token to "refresh" and retrieve the access token, which can itself be used for authentication against REST backend services. But the access token has a limited lifetime (usually 1 minute). So typically, once you retrieve the offline token, you need to save it in the database, and whenever you need to send a request to the REST backend, you use the offline token to retrieve an access token and then use this access token to send the REST request.

I suggest taking a look at the offline_access_app example in the demo.

Marek

> Thanks in advance :-)
>
> /Pål
>
> *Pål Orby*
> UNIT4 Agresso AS
> Programvareingeniør
> Tlf: 22 58 85 00
> Mobil: 900 91 705
>
> SendRegning - Gjør det enkelt!
> http://www.sendregning.no
> http://facebook.com/sendregning
> http://twitter.com/sendregning
> http://faktura.no
>
> 2015-11-02 12:06 GMT+01:00 Stian Thorgersen:
>> I would create a client for each customer. Enable the service
>> account feature to map roles to the client. Then customers can
>> authenticate either with a secret or signed jwt (public/private
>> key). They can then use the client credentials grant to obtain tokens.
>>
>> On 30 Oct 2015 15:37, "Pål Orby" wrote:
>>> Saw your session at JavaZone, so thought we could give KC a
>>> try :-)
>>>
>>> Our web application is split in two: frontend
>>> (HTML5/Javascript) and our backend (REST lv. 3 developed in
>>> Java, currently running inside Tomcat).
>>>
>>> Our frontend is just a consumer of our backend API (just like
>>> any other client), and I've successfully configured KC to use
>>> openid-connect/public for our frontend with keycloak.js, and
>>> openid-connect/bearer-only for our backend (API) in our test
>>> environment (sending the Authorization header with Bearer
>>> and keycloak.token to backend when doing ajax requests). This
>>> works as expected. Even written our own federation doing
>>> password validation from our user database.
>>>
>>> But a lot of our customers have integrated their application
>>> with our backend API, doing REST calls for issuing invoices, etc.
>>>
>>> Most other services that provide you with an API offer
>>> tokens that can be used for identification and authentication.
>>> And as far as I can see, this is offline tokens in KC.
>>>
>>> So we want to have our users log in to our service with their
>>> browser, go to our "API key page" and create a new token to be
>>> used by the integrations (moving away from Basic auth).
>>>
>>> I've created an offline token by hitting a keycloak protected
>>> html file and requested a resource with parameter
>>> ?scope=offline_access. I do see KC gives me a value back:
>>> http://localhost/keycloak.html?scope=offline_access&code=HU5UkZ_EbNUjX3Vhmg-3EIhC6Abz5rwhNMy_cuPzpLA.bfa6846d-b8f2-46da-b923-6a2824c82dd6&state=f2c410f3-37dd-4b5b-b933-1aacce916846
>>>
>>> But there is no way I can use this for anything (and in KC it
>>> seems to be bound to our frontend application).
>>>
>>> Why can't I use the admin rest api to say something like: give
>>> me an offline token for this user for this app?
>>>
>>> /Pål
>>>
>>> 2015-10-30 15:06 GMT+01:00 Stian Thorgersen:
>>>> Heisann,
>>>>
>>>> Nice to see fellow Norwegians are using Keycloak :)
>>>>
>>>> For offline tokens the idea is that you'd have a frontend
>>>> app (server or client, whichever floats your boat) that
>>>> can bootstrap the offline token.
>>>>
>>>> Not sure offline tokens is quite what you need though -
>>>> can you elaborate a bit on your use case?
>>>>
>>>> On 30 October 2015 at 13:51, Pål Orby wrote:
>>>>> We have two clients registered in our realm; frontend
>>>>> and backend. Frontend is defined openid-connect/public
>>>>> (HTML/Javascript app) and backend is
>>>>> openid-connect/bearer-only.
>>>>>
>>>>> How can we generate an offline token for a given user
>>>>> that can be used towards our backend (which is bearer
>>>>> only)?
>>>>>
>>>>> We have a lot of customers that are integrated to our
>>>>> API (which is our backend client).
>>>>>
>>>>> *Pål Orby*
>>>>> UNIT4 Agresso AS
>>>>> DevOps
>>>>> Tlf: 22 58 85 00
>>>>> Mobil: 900 91 705
>>>>>
>>>>> SendRegning - Gjør det enkelt!
>>>>> http://www.sendregning.no
>>>>> http://facebook.com/sendregning
>>>>> http://twitter.com/sendregning
>>>>> http://faktura.no
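The direct-grant flow Marek describes, as an added example that is neither Keycloak's code nor anything posted in the thread: it requests the offline token with scope=offline_access, keeps it, and exchanges it for a fresh short-lived access token before each call to the bearer-only backend. The client id "backend-cli" and its secret, the realm "demo", and the FakeKeycloak stand-in for the token endpoint are constructed so the module runs offline; pass post=http_post to talk to a real server.

```python
"""Direct-grant offline token flow from the thread (added example, not Keycloak
code). Assumed/constructed: client "backend-cli" and its secret, realm "demo",
and FakeKeycloak standing in for the token endpoint so this runs offline."""
import base64
import json
import time
import urllib.parse
import urllib.request


def http_post(url, form):
    """Real transport: form-encoded POST to the token endpoint, JSON reply."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def decode_claims(jwt):
    """Read a JWT payload without verifying it: fine for inspecting typ/sub on
    the client; the bearer-only backend must still verify the signature."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


class OfflineTokenClient:
    """Keeps one offline token and swaps it for short-lived access tokens."""

    def __init__(self, token_url, client_id, client_secret,
                 post=http_post, now=time.time, skew=10):
        self.token_url, self.client_id = token_url, client_id
        self.client_secret, self.post, self.now, self.skew = client_secret, post, now, skew
        self.offline_token = None
        self._access, self._access_exp = None, 0.0

    def obtain_offline_token(self, username, password):
        """grant_type=password plus scope=offline_access: the refresh_token that
        comes back is an offline token (typ "Offline") rather than a normal one."""
        resp = self.post(self.token_url, {
            "grant_type": "password", "client_id": self.client_id,
            "client_secret": self.client_secret, "username": username,
            "password": password, "scope": "offline_access"})
        token = resp["refresh_token"]
        if decode_claims(token).get("typ") != "Offline":
            raise ValueError("server did not issue an offline token")
        self.offline_token = token       # this is what gets persisted, not an access token
        return token

    def access_token(self):
        """Refresh through the offline token only when the cached access token
        is within `skew` seconds of its (short, about 1 minute) expiry."""
        if self.offline_token is None:
            raise RuntimeError("no offline token stored")
        if self._access is None or self.now() >= self._access_exp - self.skew:
            resp = self.post(self.token_url, {
                "grant_type": "refresh_token", "client_id": self.client_id,
                "client_secret": self.client_secret,
                "refresh_token": self.offline_token})
            self._access = resp["access_token"]
            self._access_exp = self.now() + resp["expires_in"]
        return self._access

    def bearer_header(self):
        """Authorization header for a request to the bearer-only backend."""
        return {"Authorization": "Bearer " + self.access_token()}


def _fake_jwt(claims):
    """Constructed, unsigned JWT (alg none) so decode_claims() has input."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "none"}) + "." + enc(claims) + "."


class FakeKeycloak:
    """Token-endpoint stand-in mimicking the behaviour the thread describes."""

    def __init__(self):
        self.grants = []                 # grant types seen, in order

    def __call__(self, url, form):
        self.grants.append(form["grant_type"])
        if form["grant_type"] == "password":
            typ = "Offline" if form.get("scope") == "offline_access" else "Refresh"
            return {"access_token": _fake_jwt({"typ": "Bearer"}), "expires_in": 60,
                    "refresh_token": _fake_jwt({"typ": typ, "sub": form["username"]})}
        if form["grant_type"] == "refresh_token":
            sub = decode_claims(form["refresh_token"])["sub"]
            return {"access_token": _fake_jwt({"typ": "Bearer", "sub": sub}),
                    "expires_in": 60}
        raise ValueError("unsupported grant_type")


if __name__ == "__main__":
    clock, kc = [1000.0], FakeKeycloak()
    client = OfflineTokenClient(
        "https://sso.example.invalid/auth/realms/demo/protocol/openid-connect/token",
        "backend-cli", "s3cret", post=kc, now=lambda: clock[0])
    client.obtain_offline_token("bburke", "geheim")
    client.bearer_header(); clock[0] += 30; client.bearer_header()   # cached
    clock[0] += 25; client.bearer_header()                           # refreshed
    print(kc.grants)   # ['password', 'refresh_token', 'refresh_token']
```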
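Returning to Lohitha's AbstractClaimMapper report earlier in this digest: an added Python re-creation (not Keycloak's Java) of the valueEquals() list branch, with the reported loop beside the corrected one, run over a constructed set of IdP claims. The dot-separated claim lookup is assumed to mirror what the Keycloak mapper does; the claim names and roles are constructed.

```python
"""Re-creation of the AbstractClaimMapper.valueEquals() list bug from the thread
(added example, not Keycloak's own code). SAMPLE_CLAIMS is constructed."""


def get_claim_value(claims, path):
    """Walk a dot-separated claim path such as "realm_access.roles"
    (assumed to match the mapper's lookup); None when absent."""
    node = claims
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def _scalar_equals(desired, value):
    """Scalar cases: strings directly, booleans and integers via their text."""
    if isinstance(value, bool):                 # bool before int: True is an int
        return desired.lower() == str(value).lower()
    if isinstance(value, int):
        return desired == str(value)
    return desired == value


def value_equals_buggy(desired, value):
    """As reported: the loop returns on the FIRST element, so list[0] is the
    only element ever compared."""
    if isinstance(value, list):
        for val in value:
            return value_equals_buggy(desired, val)   # leaves the loop at once
        return False
    return _scalar_equals(desired, value)


def value_equals_fixed(desired, value):
    """Corrected: the claim matches if ANY element of the list matches."""
    if isinstance(value, list):
        return any(value_equals_fixed(desired, val) for val in value)
    return _scalar_equals(desired, value)


def role_claim_matches(claims, claim_path, desired_role, value_equals=value_equals_fixed):
    """What a role mapper asks: does the claim at claim_path carry desired_role?"""
    return value_equals(desired_role, get_claim_value(claims, claim_path))


# Constructed claims from an external IdP; "admin" is deliberately not first.
SAMPLE_CLAIMS = {
    "sub": "1234",
    "email_verified": True,
    "realm_access": {"roles": ["user", "editor", "admin"]},
}

if __name__ == "__main__":
    for fn in (value_equals_buggy, value_equals_fixed):
        print(fn.__name__, role_claim_matches(SAMPLE_CLAIMS, "realm_access.roles", "admin", fn))
```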
From sthorger at redhat.com Tue Nov 3 03:23:19 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 3 Nov 2015 08:23:19 +0000
Subject: [keycloak-user] Generate offline token

To create a token you need to have a client and a user (or service account, in which case you only need the client). Once you have that you can use the browser based flow or obtain it through REST (resource owner credential grant for users, client credential grant for service accounts).

You should not share client and user between customers as that will stop you from being able to revoke the offline tokens. Another issue is that tokens are fairly big (it's not just a short key, it's a json document).

I would suggest you either:

* Create a service account for customers - they can then use this to obtain a token (offline or standard refresh) using REST endpoints on Keycloak
* Give an offline token to users - in this case I would create a service account for the customer and then create the offline token (all can be done with Keycloak REST endpoints)

Take a look at https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java#L71 - it shows how to obtain tokens without a browser. To retrieve an offline token just add the scope=offline query parameter.

One thing you could do if you want to give customers the token is to create a db that stores the token, then send the customers a reference to the token instead. You'd then need a proxy in front of your apps that can exchange the reference for the full token. If you're interested in this approach I can get you in touch with someone that is doing that.

On 2 November 2015 at 21:40, Pål Orby wrote:
> It's not an option to create a client for each customer. Currently we have
> 65 000 customers, and we do not care if they use our API or using us within
> their browser.
>
> We want to just generate an offline token for a given user? Can someone
> please tell me how to do it. I've read the documentation, but it is not clear
> for me how to obtain an offline token
> (http://keycloak.github.io/docs/userguide/keycloak-server/html/timeouts.html#offline-access).
>
> Thanks in advance :-)
>
> /Pål

From thomas.raehalme at aitiofinland.com Tue Nov 3 03:32:34 2015
From: thomas.raehalme at aitiofinland.com (Thomas Raehalme)
Date: Tue, 3 Nov 2015 10:32:34 +0200
Subject: [keycloak-user] Generate offline token

On Tue, Nov 3, 2015 at 10:23 AM, Stian Thorgersen wrote:
> * Create service account for customers - they can then use this to obtain
> a token (offline or standard refresh) using REST endpoints on Keycloak

Sorry to step in, but could you please explain the use case or the reasoning for offline tokens on service accounts? If I have understood it correctly you'll still need clientId and secret to generate the access token from the offline token. Why not just use them to login whenever necessary? Thanks!

Best regards,
Thomas
From mstrukel at redhat.com Tue Nov 3 04:46:04 2015
From: mstrukel at redhat.com (Marko Strukelj)
Date: Tue, 3 Nov 2015 10:46:04 +0100
Subject: [keycloak-user] Can not logout from demo broker
References: <865106505.776723.1446459238266.JavaMail.yahoo@mail.yahoo.com> <56376C33.4010305@redhat.com>

By default Wildfly only binds to localhost (127.0.0.1), and is not reachable via any external network interfaces.

Running in domain mode is an advanced Wildfly topic, so I suggest you check the Wildfly documentation:

https://docs.jboss.org/author/display/WFLY9/Interfaces+and+ports
https://docs.jboss.org/author/display/WFLY9/Domain+Setup

A quick way to bind to all the network interfaces in standalone mode is to use -b 0.0.0.0 as a parameter to standalone.sh. But that doesn't work for domain mode AFAIK.

From ado.boj.83 at gmail.com Tue Nov 3 06:22:45 2015
From: ado.boj.83 at gmail.com (Andrej P)
Date: Tue, 3 Nov 2015 12:22:45 +0100
Subject: [keycloak-user] Can not logout from demo broker
References: <865106505.776723.1446459238266.JavaMail.yahoo@mail.yahoo.com> <56376C33.4010305@redhat.com>

I think that there is no issue, because the next link works fine:
http://192.168.56.10:9990/console/App.html#home

and with this link http://192.168.56.10:8080/auth I get the answer: 404 - Not Found

and in both domain.xml and host.xml the interface definitions are this way:

On Tue, Nov 3, 2015 at 10:46 AM, Marko Strukelj wrote:
> By default Wildfly only binds to localhost (127.0.0.1), and is not
> reachable via any external network interfaces.
>
> Running in domain mode is an advanced Wildfly topic, so I suggest you
> check Wildfly documentation:
>
> https://docs.jboss.org/author/display/WFLY9/Interfaces+and+ports
> https://docs.jboss.org/author/display/WFLY9/Domain+Setup
>
> A quick way to bind to all the network interfaces in standalone mode is to
> use -b 0.0.0.0 as a parameter to standalone.sh. But that doesn't work for
> domain mode AFAIK.

From mposolda at redhat.com Tue Nov 3 07:49:04 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 3 Nov 2015 13:49:04 +0100
Subject: [keycloak-user] Generate offline token
Message-ID: <5638AD40.8050408@redhat.com>

On 03/11/15 09:32, Thomas Raehalme wrote:
> On Tue, Nov 3, 2015 at 10:23 AM, Stian Thorgersen wrote:
>> * Create service account for customers - they can then use this to
>> obtain a token (offline or standard refresh) using REST endpoints
>> on Keycloak
>
> Sorry to step in, but could you please explain the use case or the
> reasoning for offline tokens on service accounts? If I have understood
> it correctly you'll still need clientId and secret to generate the
> access token from the offline token. Why not just use them to login
> whenever necessary? Thanks!

We support offline tokens for service accounts because there is no reason (bad side effect) not to support it. Or at least I am not aware of any. Are you? Adding this support came "for free".

One use case where it can be useful is, for example, if you have an offline token and you don't know how this offline token was authenticated (if it was direct grant, service account or browser). You can send the refresh token request with this token regardless of the offline token type, as the refreshToken endpoint is the same for all cases.
Marek

> Best regards,
> Thomas

From victor.evangelista at caixa.gov.br Tue Nov 3 09:27:49 2015
From: victor.evangelista at caixa.gov.br (Victor Neves Evangelista)
Date: Tue, 3 Nov 2015 14:27:49 +0000
Subject: [keycloak-user] Invalid URI redirect using j_security_check
Message-ID: <5A7ED0CDDCE1D7418FE8BA8938C6C524FBFE5B@DFEXCHSD005.corp.caixa.gov.br>

Original question https://issues.jboss.org/browse/KEYCLOAK-2029

Hi,

I'm studying how to integrate my applications with keycloak with minor impact. I'm using JBoss EAP 6.3.0, I installed the keycloak adapters like the reference guide says in chapter 8, and keycloak 1.6.0.

#1 I have a form html:
#2 In my web.xml I have KEYCLOAK
#3 I have WEB-INF/keycloak.json like the reference says.
#4 my client is configured like the image attached
#5 When I send a user and pass in the html form I have:

    We're sorry ...
    Invalid parameter: redirect_uri

#6 the keycloak log says:

    12:14:26,904 DEBUG [org.jboss.ejb.client.txn] (Periodic Recovery) Send recover request for transaction origin node identifier 1 to EJB receiver with node name cd7390sx006
    12:14:33,270 DEBUG [org.jboss.resteasy.core.SynchronousDispatcher] (default task-24) PathInfo: /realms/laboratorio/protocol/openid-connect/auth
    12:14:33,273 DEBUG [org.keycloak.protocol.oidc.utils.RedirectUtils] (default task-24) replacing relative valid redirect with: /sisduweb/
    12:14:33,273 WARN [org.keycloak.events] (default task-24) type=LOGIN_ERROR, realmId=laboratorio, clientId=sisdu, userId=null, ipAddress=10.208.20.97, error=invalid_redirect_uri, response_type=code, redirect_uri=http://10.208.20.97:8080/sisduweb/j_security_check*
    12:14:33,274 DEBUG [freemarker.cache] (default task-24) TemplateLoader.findTemplateSource("template_pt_BR.ftl"): Not found
    12:14:33,274 DEBUG [freemarker.cache] (default task-24) TemplateLoader.findTemplateSource("template_pt.ftl"): Not found
    12:14:33,274 DEBUG [freemarker.cache] (default task-24) TemplateLoader.findTemplateSource("template.ftl"): Found
    12:14:33,275 DEBUG [freemarker.cache] (default task-24) "template.ftl"("pt_BR", UTF-8, parsed): using cached since file:/opt/kc/keycloak-1.6.0.Final/standalone/configuration/themes/base/login/template.ftl hasn't changed.
    12:14:33,277 DEBUG [freemarker.cache] (default task-24) "template.ftl"("pt_BR", UTF-8, parsed) cached copy not yet stale; using cached.
    12:14:33,280 DEBUG [freemarker.cache] (default task-24) "template.ftl"("pt_BR", UTF-8, parsed) cached copy not yet stale; using cached.

From m.hayen at first8.nl Tue Nov 3 10:19:01 2015
From: m.hayen at first8.nl (Mark Hayen)
Date: Tue, 3 Nov 2015 16:19:01 +0100
Subject: [keycloak-user] disable edit account after password reset
Message-ID: <5638D065.7070502@first8.nl>

Hi,

Is it possible to disable the Edit Account page? Currently (keycloak 1.4.0) users who click on the link in the password reset email get redirected to the Edit Account page. I would like them to get redirected to my application. How should I approach this?

Thx
Mark Hayen
First8.nl

From mstrukel at redhat.com Tue Nov 3 10:24:34 2015
From: mstrukel at redhat.com (Marko Strukelj)
Date: Tue, 3 Nov 2015 16:24:34 +0100
Subject: [keycloak-user] Can not logout from demo broker
References: <865106505.776723.1446459238266.JavaMail.yahoo@mail.yahoo.com> <56376C33.4010305@redhat.com>

From your description of the problem it sounds like your server-one, which binds to port 8080, doesn't have keycloak-server configured at all - it's using a server group that uses a different profile than the one you configured.

There are four profiles in the default domain.xml - default, ha, full, and full-ha.

If you want your multiple Keycloak instances to run in high availability mode, using a shared Infinispan cache and a shared database, then that's the most complex of all configurations - you have to set up a standalone database, use the "full-ha" profile to configure the datasource with the proper database connection url, and configure the distributed Infinispan cache. Also add declaration.

In the server-groups section define a new group or reuse an existing one, set its profile to "full-ha", and use the "full-ha-sockets" binding group. In host.xml make sure that the server definitions have the proper group set.

Then you also have to copy some configurations.
Assuming you have two servers defined in host.xml, called server-one and server-two, create the directories:

    $WILDFLY_HOME/domain/servers/server-one/configuration
    $WILDFLY_HOME/domain/servers/server-two/configuration

Then copy the following configurations from standalone/configuration:

    cp $WILDFLY_HOME/standalone/configuration/keycloak-server.json $WILDFLY_HOME/domain/servers/server-one/configuration/
    cp -r $WILDFLY_HOME/standalone/configuration/themes $WILDFLY_HOME/domain/servers/server-one/configuration/
    cp -r $WILDFLY_HOME/standalone/configuration/providers $WILDFLY_HOME/domain/servers/server-one/configuration/
    cp $WILDFLY_HOME/standalone/configuration/keycloak-server.json $WILDFLY_HOME/domain/servers/server-two/configuration/
    cp -r $WILDFLY_HOME/standalone/configuration/themes $WILDFLY_HOME/domain/servers/server-two/configuration/
    cp -r $WILDFLY_HOME/standalone/configuration/providers $WILDFLY_HOME/domain/servers/server-two/configuration/

From victor.evangelista at caixa.gov.br Tue Nov 3 11:34:01 2015
From: victor.evangelista at caixa.gov.br (Victor Neves Evangelista)
Date: Tue, 3 Nov 2015 16:34:01 +0000
Subject: [keycloak-user] (Sugest) Add item in keycloak.json to redirect after login successful
Message-ID: <5A7ED0CDDCE1D7418FE8BA8938C6C524FBFEA1@DFEXCHSD005.corp.caixa.gov.br>

Good afternoon,

I'm having problems with the keycloak redirect after login using j_security_check. I have many applications and I can't change JAAS authentication. So, I'm using keycloak JAAS (chapter 8, p. 35, version 1.6.0).

After login, keycloak redirects me to http:///j_security_check !!! But I need keycloak to redirect me to another URI! I tried many configurations in the keycloak client ID, and they don't work.

I suggest creating an item in keycloak.json where you say where to redirect after a successful login, and an item to redirect to when the token expires.

My problem is posted in http://lists.jboss.org/pipermail/keycloak-user/2015-November/003528.html

From victor.evangelista at caixa.gov.br Tue Nov 3 11:40:32 2015
From: victor.evangelista at caixa.gov.br (Victor Neves Evangelista)
Date: Tue, 3 Nov 2015 16:40:32 +0000
Subject: [keycloak-user] Revision in chapter 8 JAAS plugin
Message-ID: <5A7ED0CDDCE1D7418FE8BA8938C6C524FBFEAC@DFEXCHSD005.corp.caixa.gov.br>

For your information: there is no information about org.keycloak.adapters.jboss.KeycloakLoginModule. No references exist in the user guide about the JAAS plugin.

From orby at sendregning.no Tue Nov 3 13:10:55 2015
From: orby at sendregning.no (Pål Orby)
Date: Tue, 3 Nov 2015 19:10:55 +0100
Subject: [keycloak-user] Generate offline token
In-Reply-To: <5638AD40.8050408@redhat.com>
References: <5638AD40.8050408@redhat.com>

Ok, so after reading the replies here I understand that it isn't offline tokens I'm looking for.

The token I'm looking for is what I would call an "application token". Any plans to implement that?

Example:
If you enable two factor authentication on Github, you can't connect with username/password anymore in the terminal or other 3rd party applications integrated with GitHub without using an "application token" that you create on your GitHub account page.

/Pål

*Pål Orby*
UNIT4 Agresso AS
Programvareingeniør
Tlf: 22 58 85 00
Mobil: 900 91 705

SendRegning - Gjør det enkelt!
http://www.sendregning.no
http://facebook.com/sendregning
http://twitter.com/sendregning
http://faktura.no

2015-11-03 13:49 GMT+01:00 Marek Posolda:
> On 03/11/15 09:32, Thomas Raehalme wrote:
>> Sorry to step in, but could you please explain the use case or the
>> reasoning for offline tokens on service accounts? If I have understood it
>> correctly you'll still need clientId and secret to generate the access
>> token from the offline token. Why not just use them to login whenever
>> necessary? Thanks!
>
> We support offline tokens for service accounts because there is no reason
> (bad side effect) of not supporting it. Or at least I am not aware of any.
> Are you? Adding this support came "for free".
>
> One usecase when it can be useful is, for example if you have offline
> token and you don't know how was this offline token authenticated (if it
> was direct grant, service account or browser). You can send the refresh
> token request with this token regardless of the offline token type as the
> refreshToken endpoint is same for all cases.
>
> Marek
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151103/45d021a9/attachment-0001.html From fadiabdeen at gmail.com Tue Nov 3 13:43:47 2015 From: fadiabdeen at gmail.com (Fadi Abdin) Date: Tue, 3 Nov 2015 13:43:47 -0500 Subject: [keycloak-user] Ldap sync Message-ID: I have setup my keycloak with a read only LDAP User Federation Provider and set it up to sync periodically, but for some reason only some users are not syncing , not all users , only some. I tried to trigger the sync with the "Synchronize all users" but no luck. The only way it worked is by completely removing the provider and adding it again. which is not a great solution . Have anyone seen this ? is there a way to fix it ? Thanks -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151103/fad9e0d7/attachment.html From bburke at redhat.com Tue Nov 3 14:06:32 2015 From: bburke at redhat.com (Bill Burke) Date: Tue, 3 Nov 2015 14:06:32 -0500 Subject: [keycloak-user] Generate offline token In-Reply-To: References: <5638AD40.8050408@redhat.com> Message-ID: <563905B8.9040200@redhat.com> For 3rd party app, the app would just use OAuth protocol to obtain a token. That's what OAuth was originally written to do. OpenID Connect just extended it for authentication. On 11/3/2015 1:10 PM, P?l Orby wrote: > Ok, so after reading the replies here I understand that it isn't offline > tokens I'm looking for. > > The token I'm looking for is what I would call an "application token". > Any plans implementing that? > > Example: > If you enable two factor authentication on Github, you can't connect > with username/password anymore in terminal or other 3. party > applications integrated with GitHub without using an "application token" > that you create on your GitHub account page. > > /P?l > > *P?l Orby* > UNIT4 Agresso AS* > *Programvareingeni?r > Tlf: 22 58 85 00 > Mobil: 900 91 705 > > SendRegning - Gj?r det enkelt! 
> http://www.sendregning.no
> http://facebook.com/sendregning
> http://twitter.com/sendregning
> http://faktura.no
>
> 2015-11-03 13:49 GMT+01:00 Marek Posolda:
>
>> On 03/11/15 09:32, Thomas Raehalme wrote:
>>> On Tue, Nov 3, 2015 at 10:23 AM, Stian Thorgersen <sthorger at redhat.com> wrote:
>>>> * Create service account for customers - they can then use this to obtain a token (offline or standard refresh) using REST endpoints on Keycloak
>>>
>>> Sorry to step in, but could you please explain the use case or the reasoning for offline tokens on service accounts? If I have understood it correctly you'll still need clientId and secret to generate the access token from the offline token. Why not just use them to login whenever necessary? Thanks!
>>
>> We support offline tokens for service accounts because there is no reason (bad side effect) for not supporting it. Or at least I am not aware of any. Are you? Adding this support came "for free".
>>
>> One use case where it can be useful is, for example, if you have an offline token and you don't know how this offline token was authenticated (if it was direct grant, service account or browser). You can send the refresh token request with this token regardless of the offline token type, as the refreshToken endpoint is the same for all cases.
>>
>> Marek
>>
>>> Best regards,
>>> Thomas

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From chenkeong.yap at izeno.com Tue Nov 3 23:24:10 2015
From: chenkeong.yap at izeno.com (Chen Keong Yap)
Date: Wed, 4 Nov 2015 12:24:10 +0800
Subject: [keycloak-user] Keycloak Mysql
Message-ID:

Hi Guys,

Have you encountered this error before using MySQL to store Keycloak data?

- JDK 1.8
- mysql-connector-java-5.1.25.jar
- MySQL 5.6.23-log
- Keycloak.json:

"connectionsJpa": {
    "default": {
        "dataSource": "java:jboss/datasources/KeycloakDS",
        "databaseSchema": "update",
        "driverDialect" : "org.hibernate.dialect.MySQL5InnoDBDialect"
    }
},

- logs:

04:23:26,251 WARN  [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 56) SQL Error: 1064, SQLState: 42000
04:23:26,251 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 56) You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')) order by persistent0_.USER_SESSION_ID' at line 1
04:23:26,267 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/auth]] (ServerService Thread Pool -- 56) JBWEB000289: Servlet Keycloak REST Interface threw load() exception: com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')) order by persistent0_.USER_SESSION_ID' at line 1
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) [rt.jar:1.8.0_65]
    at
sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) [rt.jar:1.8.0_65]
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) [rt.jar:1.8.0_65]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:422) [rt.jar:1.8.0_65]
    at com.mysql.jdbc.Util.handleNewInstance(Util.java:411)
    at com.mysql.jdbc.Util.getInstance(Util.java:386)
    at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:1054)
    at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:4187)
    at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:4119)
    at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:2570)
    at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2731)
    at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2815)
    at com.mysql.jdbc.PreparedStatement.executeInternal(PreparedStatement.java:2155)
    at com.mysql.jdbc.PreparedStatement.executeQuery(PreparedStatement.java:2322)
    at org.jboss.jca.adapters.jdbc.CachedPreparedStatement.executeQuery(CachedPreparedStatement.java:107)
    at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeQuery(WrappedPreparedStatement.java:462)
    at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.extract(ResultSetReturnImpl.java:79) [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
    at org.hibernate.loader.Loader.getResultSet(Loader.java:2062) [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
    at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1859) [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
    at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1838) [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
    at org.hibernate.loader.Loader.doQuery(Loader.java:906) [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
    at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:348) [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
    at
org.hibernate.loader.Loader.doList(Loader.java:2550) [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
    at org.hibernate.loader.Loader.doList(Loader.java:2536) [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
    at org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2366) [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
    at org.hibernate.loader.Loader.list(Loader.java:2361) [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
    at org.hibernate.loader.hql.QueryLoader.list(QueryLoader.java:495) [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
    at org.hibernate.hql.internal.ast.QueryTranslatorImpl.list(QueryTranslatorImpl.java:357) [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
    at org.hibernate.engine.query.spi.HQLQueryPlan.performList(HQLQueryPlan.java:198) [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
    at org.hibernate.internal.SessionImpl.list(SessionImpl.java:1230) [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
    at org.hibernate.internal.QueryImpl.list(QueryImpl.java:101) [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]
    at org.hibernate.ejb.QueryImpl.getResultList(QueryImpl.java:268) [hibernate-entitymanager-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2]

From mposolda at redhat.com Wed Nov 4 02:30:43 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 4 Nov 2015 08:30:43 +0100
Subject: [keycloak-user] Keycloak Mysql
In-Reply-To:
References:
Message-ID: <5639B423.3080707@redhat.com>

I didn't see the error, but we are not using the InnoDB dialect during testing. Will it work if you remove the "driverDialect" property?
Marek

On 04/11/15 05:24, Chen Keong Yap wrote:
> Hi Guys,
>
> Have you encountered this error before using MySQL to store Keycloak data?
>
> - JDK 1.8
> - mysql-connector-java-5.1.25.jar
> - MySQL 5.6.23-log
> - Keycloak.json:
>
> "connectionsJpa": {
>     "default": {
>         "dataSource": "java:jboss/datasources/KeycloakDS",
>         "databaseSchema": "update",
>         "driverDialect" : "org.hibernate.dialect.MySQL5InnoDBDialect"
>     }
> },
>
> - logs:
>
> 04:23:26,251 WARN  [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 56) SQL Error: 1064, SQLState: 42000
> 04:23:26,251 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 56) You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')) order by persistent0_.USER_SESSION_ID' at line 1
> 04:23:26,267 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/auth]] (ServerService Thread Pool -- 56) JBWEB000289: Servlet Keycloak REST Interface threw load() exception: com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')) order by persistent0_.USER_SESSION_ID' at line 1
> [...]

From mposolda at redhat.com Wed Nov 4 02:35:38 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 4 Nov 2015 08:35:38 +0100
Subject: [keycloak-user] Ldap sync
In-Reply-To:
References:
Message-ID: <5639B54A.7030607@redhat.com>

I guess the reason can be that in the original LDAP provider you defined some additional "User Object classes"? Right now, Object classes is the only thing used as a filter when querying LDAP for the all-users sync, so that would probably be the reason why some users were filtered out during the query.
Marek

On 03/11/15 19:43, Fadi Abdin wrote:
> I have set up my Keycloak with a read-only LDAP User Federation Provider and set it up to sync periodically, but for some reason only some users are not syncing; not all users, only some.
>
> I tried to trigger the sync with "Synchronize all users" but no luck. The only way it worked was by completely removing the provider and adding it again, which is not a great solution. Has anyone seen this? Is there a way to fix it?
>
> Thanks

From chenkeong.yap at izeno.com Wed Nov 4 02:52:34 2015
From: chenkeong.yap at izeno.com (Chen Keong Yap)
Date: Wed, 4 Nov 2015 15:52:34 +0800
Subject: [keycloak-user] Keycloak Mysql
In-Reply-To: <5639B423.3080707@redhat.com>
References: <5639B423.3080707@redhat.com>
Message-ID:

Hi Marek,

I was trying to play around with the "driverDialect" property but it does not work.

Anyway, I've just modified this file and it's working now. This error only happened during the first-time startup of Keycloak.

model/jpa/src/main/java/org/keycloak/models/jpa/session/JpaUserSessionPersisterProvider.java

+
+ if(userSessionIds!=null && userSessionIds.size()==0)
+ userSessionIds.add("");

TypedQuery query2 = em.createNamedQuery("findClientSessionsByUserSessions", PersistentClientSessionEntity.class);
query2.setParameter("userSessionIds", userSessionIds);

On Wed, Nov 4, 2015 at 3:30 PM, Marek Posolda wrote:
> I didn't see the error, but we are not using the InnoDB dialect during testing. Will it work if you remove the "driverDialect" property?
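Review bot: the guard added in front of `findClientSessionsByUserSessions` (`if(userSessionIds!=null && userSessionIds.size()==0) userSessionIds.add("");`) avoids the empty `IN ()` behind the 1064 syntax error shown above, but it does so by mutating the caller's list with a sentinel id instead of skipping the query; an empty input set has a known answer (no client sessions), so return an empty result before building the query rather than relying on no real session ever having the id `""`. The `!= null` half of the condition also lets a null list fall straight through to `query2.setParameter("userSessionIds", userSessionIds)`, which is not handled. Marek's reply says the same first-startup error is already fixed in 1.6.1, so an upgrade is preferable to carrying this local patch.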
>
> Marek
>
> On 04/11/15 05:24, Chen Keong Yap wrote:
>> Hi Guys,
>>
>> Have you encountered this error before using MySQL to store Keycloak data?
>>
>> [...]

From mposolda at redhat.com Wed Nov 4 03:01:22 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 4 Nov 2015 09:01:22 +0100
Subject: [keycloak-user] Keycloak Mysql
In-Reply-To:
References: <5639B423.3080707@redhat.com>
Message-ID: <5639BB52.2000906@redhat.com>

Ah, you're using 1.6.0, correct? This is already fixed in 1.6.1. I suggest upgrading.

Marek

On 04/11/15 08:52, Chen Keong Yap wrote:
> Hi Marek,
>
> I was trying to play around with the "driverDialect" property but it does not work.
>
> Anyway, I've just modified this file and it's working now. This error only happened during the first-time startup of Keycloak.
>
> model/jpa/src/main/java/org/keycloak/models/jpa/session/JpaUserSessionPersisterProvider.java
>
> +
> + if(userSessionIds!=null && userSessionIds.size()==0)
> + userSessionIds.add("");
>
> TypedQuery query2 = em.createNamedQuery("findClientSessionsByUserSessions", PersistentClientSessionEntity.class);
> query2.setParameter("userSessionIds", userSessionIds);
>
> On Wed, Nov 4, 2015 at 3:30 PM, Marek Posolda wrote:
>> I didn't see the error, but we are not using the InnoDB dialect during testing. Will it work if you remove the "driverDialect" property?
>>
>> Marek
>>
>> On 04/11/15 05:24, Chen Keong Yap wrote:
>>> Hi Guys,
>>>
>>> Have you encountered this error before using MySQL to store Keycloak data?
>>>
>>> [...]
From chenkeong.yap at izeno.com Wed Nov 4 03:05:26 2015
From: chenkeong.yap at izeno.com (Chen Keong Yap)
Date: Wed, 4 Nov 2015 16:05:26 +0800
Subject: [keycloak-user] Keycloak Mysql
In-Reply-To: <5639BB52.2000906@redhat.com>
References: <5639B423.3080707@redhat.com> <5639BB52.2000906@redhat.com>
Message-ID:

Ok, thanks.

On Wed, Nov 4, 2015 at 4:01 PM, Marek Posolda wrote:
> Ah, you're using 1.6.0, correct? This is already fixed in 1.6.1. I suggest upgrading.
>
> Marek
>
> On 04/11/15 08:52, Chen Keong Yap wrote:
>> Hi Marek,
>>
>> I was trying to play around with the "driverDialect" property but it does not work.
>>
>> Anyway, I've just modified this file and it's working now. This error only happened during the first-time startup of Keycloak.
>>
>> model/jpa/src/main/java/org/keycloak/models/jpa/session/JpaUserSessionPersisterProvider.java
>>
>> +
>> + if(userSessionIds!=null && userSessionIds.size()==0)
>> + userSessionIds.add("");
>>
>> TypedQuery query2 = em.createNamedQuery("findClientSessionsByUserSessions", PersistentClientSessionEntity.class);
>> query2.setParameter("userSessionIds", userSessionIds);
>>
>> On Wed, Nov 4, 2015 at 3:30 PM, Marek Posolda <mposolda at redhat.com> wrote:
>>> I didn't see the error, but we are not using the InnoDB dialect during testing. Will it work if you remove the "driverDialect" property?
>>>
>>> Marek
>>>
>>> On 04/11/15 05:24, Chen Keong Yap wrote:
>>>> Hi Guys,
>>>>
>>>> Have you encountered this error before using MySQL to store Keycloak data?
>> >> >> - JDK 1.8 >> >> - mysql-connector-java-5.1.25.jar >> >> - MYSQL 5.6.23-log >> >> - Keycloak.json >> >> "connectionsJpa": { >> "default": { >> "dataSource": "java:jboss/datasources/KeycloakDS", >> "databaseSchema": "update", >> "driverDialect" : "org.hibernate.dialect.MySQL5InnoDBDialect" >> } >> }, >> >> - logs >> >> 04:23:26,251 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] >> (ServerService Thread Pool -- 56) SQL Error: 1064, SQLState: 42000 >> 04:23:26,251 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] >> (ServerService Thread Pool -- 56) You have an error in your SQL syntax; >> check the manual that corresponds to your MySQL server version for the >> right syntax to use near ')) order by persistent0_.USER_SESSION_ID' at line >> 1 >> 04:23:26,267 ERROR >> [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/auth]] >> (ServerService Thread Pool -- 56) JBWEB000289: Servlet Keycloak REST >> Interface threw load() exception: >> com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an >> error in your SQL syntax; check the manual that corresponds to your MySQL >> server version for the right syntax to use near ')) order by >> persistent0_.USER_SESSION_ID' at line 1 >> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native >> Method) [rt.jar:1.8.0_65] >> at >> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) >> [rt.jar:1.8.0_65] >> at >> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) >> [rt.jar:1.8.0_65] >> at >> java.lang.reflect.Constructor.newInstance(Constructor.java:422) >> [rt.jar:1.8.0_65] >> at com.mysql.jdbc.Util.handleNewInstance(Util.java:411) >> at com.mysql.jdbc.Util.getInstance(Util.java:386) >> at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:1054) >> at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:4187) >> at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:4119) >> 
at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:2570) >> at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2731) >> at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2815) >> at >> com.mysql.jdbc.PreparedStatement.executeInternal(PreparedStatement.java:2155) >> at >> com.mysql.jdbc.PreparedStatement.executeQuery(PreparedStatement.java:2322) >> at >> org.jboss.jca.adapters.jdbc.CachedPreparedStatement.executeQuery(CachedPreparedStatement.java:107) >> at >> org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeQuery(WrappedPreparedStatement.java:462) >> at >> org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.extract(ResultSetReturnImpl.java:79)[hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2] >> at org.hibernate.loader.Loader.getResultSet(Loader.java:2062) >> [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2] >> at >> org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1859) >> [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2] >> at >> org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1838) >> [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2] >> at org.hibernate.loader.Loader.doQuery(Loader.java:906) >> [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2] >> at >> org.hibernate.loader.Loader.doQueryAfindClientSessionsByUserSessionsndInitializeNonLazyCollections(Loader.java:348)[hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2] >> at org.hibernate.loader.Loader.doList(Loader.java:2550) >> [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2] >> at org.hibernate.loader.Loader.doList(Loader.java:2536) >> [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2] >> at >> org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2366) >> [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2] >> at org.hibernate.loader.Loader.list(Loader.java:2361) >> 
[hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2] >> at >> org.hibernate.loader.hql.QueryLoader.list(QueryLoader.java:495) >> [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2] >> at >> org.hibernate.hql.internal.ast.QueryTranslatorImpl.list(QueryTranslatorImpl.java:357)[hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2] >> at >> org.hibernate.engine.query.spi.HQLQueryPlan.performList(HQLQueryPlan.java:198)[hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2] >> at org.hibernate.internal.SessionImpl.list(SessionImpl.java:1230) >> [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2] >> at org.hibernate.internal.QueryImpl.list(QueryImpl.java:101) >> [hibernate-core-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2] >> at org.hibernate.ejb.QueryImpl.getResultList(QueryImpl.java:268) >> [hibernate-entitymanager-4.2.18.Final-redhat-2.jar:4.2.18.Final-redhat-2] >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151104/6dc4a18e/attachment-0001.html
From ado.boj.83 at gmail.com Wed Nov 4 08:20:26 2015 From: ado.boj.83 at gmail.com (Andrej P) Date: Wed, 4 Nov 2015 14:20:26 +0100 Subject: [keycloak-user] Can not logout from demo broker In-Reply-To: References: <865106505.776723.1446459238266.JavaMail.yahoo@mail.yahoo.com> <56376C33.4010305@redhat.com> Message-ID:
Hi Marko, thanks for your hints, I went through them but still without a positive result. I will write my comments inside your hints. I attached 2 files: domain-idbt.xml - with added sections for Keycloak; log.txt - log after starting WildFly on the command line. Br, Andrej. 
On Tue, Nov 3, 2015 at 4:24 PM, Marko Strukelj wrote:
> From your descriptions of the problem it sounds like your server-one which binds to port 8080 doesn't have keycloak-server configured at all - it's using a server group that uses a different profile than the one you configured.

Our group/server/profile setup looks like:

GROUP            SERVER                             PROFILE
configuration    configuration-server-demosetup     idbt-ha
authentication   authentication-server-demosetup    idbt-ha

> There are four profiles in the default domain.xml - default, ha, full, and full-ha

In our domain-idbt.xml there are only 2 profiles: idbt-ha and idbt-security, and I modified Infinispan for idbt-ha (but "ha" is only in the name; it is not used inside the configuration).

> If you want your multiple Keycloak instances to run in high availability mode, using a shared Infinispan cache, and a shared database, then that's the most complex of all configurations - you have to set up a standalone database, use the "full-ha" profile to configure the datasource with the proper database connection URL, and configure the distributed Infinispan cache. Also add the declaration.

I created Keycloak_DS, which was missing before. I added the extension, Infinispan and subsystem sections for Keycloak inside my domain-idbt.xml (I attached the finally modified domain-idbt.xml). Please check it inside.

> In the server-groups section define a new group or reuse an existing one, set its profile to "full-ha", and use the "full-ha-sockets" binding group. In host.xml make sure that the server definitions have the proper group set.
>
> Then you also have to copy some configurations. 
> > Assuming you have two servers defined in host.xml - called server-one, and > server-two, create a directory: > > $WILDFLY_HOME/domain/servers/server-one/configuration > $WILDFLY_HOME/domain/servers/server-two/configuration > > Then copy the following configurations from standalone/configuration: > > cp $WILDFLY_HOME/standalone/configuration/keycloak-server.json > $WILDFLY_HOME/domain/servers/server-one/configuration/ > cp -r $WILDFLY_HOME/standalone/configuration/themes > $WILDFLY_HOME/domain/servers/server-one/configuration/ > cp -r $WILDFLY_HOME/standalone/configuration/providers > $WILDFLY_HOME/domain/servers/server-one/configuration/ > > cp $WILDFLY_HOME/standalone/configuration/keycloak-server.json > $WILDFLY_HOME/domain/servers/server-two/configuration/ > cp -r $WILDFLY_HOME/standalone/configuration/themes > $WILDFLY_HOME/domain/servers/server-two/configuration/ > cp -r $WILDFLY_HOME/standalone/configuration/providers > $WILDFLY_HOME/domain/servers/server-two/configuration/ > Done all creation and copying steps. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151104/6b50e416/attachment-0001.html -------------- next part -------------- [root at demosetup /opt/wildfly/bin]$ ./domain.sh --domain-config=domain-idbt.xml --host-config=host-idbt.xml ========================================================================= JBoss Bootstrap Environment JBOSS_HOME: /opt/wildfly JAVA: java JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true ========================================================================= OpenJDK 64-Bit Server VM warning: ignoring option MaxPermSize=256m; support was removed in 8.0 13:38:36,641 INFO [org.jboss.modules] (main) JBoss Modules version 1.4.3.Final 13:38:36,894 INFO [org.jboss.as.process.Host Controller.status] (main) WFLYPC0018: Starting process 'Host Controller' [Host Controller] OpenJDK 64-Bit Server VM warning: ignoring option MaxPermSize=256m; support was removed in 8.0 [Host Controller] 13:38:37,844 INFO [org.jboss.modules] (main) JBoss Modules version 1.4.3.Final [Host Controller] 13:38:38,167 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final [Host Controller] 13:38:38,238 INFO [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: WildFly Full 9.0.1.Final (WildFly Core 1.0.1.Final) starting [Host Controller] 13:38:39,057 INFO [org.xnio] (MSC service thread 1-2) XNIO version 3.3.1.Final [Host Controller] 13:38:39,093 INFO [org.xnio.nio] (MSC service thread 1-2) XNIO NIO Implementation Version 3.3.1.Final [Host Controller] 13:38:39,110 INFO [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0003: Creating http management service using network interface (management) port (9990) securePort (-1) [Host Controller] 13:38:39,231 INFO [org.jboss.remoting] (MSC service thread 1-2) JBoss Remoting version 4.0.9.Final [Host Controller] 13:38:39,332 INFO [org.jboss.as.remoting] (MSC service thread 1-1) WFLYRMT0001: 
Listening on 0.0.0.0:9999 [Host Controller] 13:38:42,801 INFO [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'job-repository-type' in the resource at address '/profile=idbt-ha/subsystem=batch' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. [Host Controller] 13:38:42,803 INFO [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'enabled' in the resource at address '/profile=idbt-ha/subsystem=datasources/data-source=ExampleDS' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. [Host Controller] 13:38:42,804 INFO [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'enabled' in the resource at address '/profile=idbt-ha/subsystem=datasources/data-source=idbt-rest-service-demo-DS' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. [Host Controller] 13:38:42,805 INFO [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'enabled' in the resource at address '/profile=idbt-ha/subsystem=datasources/data-source=idbt-configuration-service-DS' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. [Host Controller] 13:38:42,806 INFO [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'enabled' in the resource at address '/profile=idbt-ha/subsystem=datasources/data-source=idbt-device-authentication-service-DS' is deprecated, and may be removed in future version. 
See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. [Host Controller] 13:38:42,807 INFO [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'enabled' in the resource at address '/profile=idbt-ha/subsystem=datasources/data-source=Keycloak-DS' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. [Host Controller] 13:38:42,908 INFO [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'job-repository-type' in the resource at address '/profile=idbt-security/subsystem=batch' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. [Host Controller] 13:38:43,479 INFO [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0023: Starting server configuration-server-demosetup 13:38:43,552 INFO [org.jboss.as.process.Server:configuration-server-demosetup.status] (ProcessController-threads - 3) WFLYPC0018: Starting process 'Server:configuration-server-demosetup' [Host Controller] 13:38:46,125 INFO [org.jboss.as.host.controller] (Remoting "demosetup:MANAGEMENT" task-4) WFLYHC0021: Server [Server:configuration-server-demosetup] connected using connection [Channel ID 656dd302 (inbound) of Remoting connection 1d425566 to /127.0.0.1:50449] [Host Controller] 13:38:46,193 INFO [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0023: Starting server authentication-server-demosetup [Host Controller] 13:38:46,246 INFO [org.jboss.as.host.controller] (server-registration-threads - 1) WFLYHC0020: Registering server configuration-server-demosetup 13:38:46,270 INFO [org.jboss.as.process.Server:authentication-server-demosetup.status] (ProcessController-threads - 3) WFLYPC0018: 
Starting process 'Server:authentication-server-demosetup' [Host Controller] 13:38:53,794 INFO [org.jboss.as.host.controller] (Remoting "demosetup:MANAGEMENT" task-8) WFLYHC0021: Server [Server:authentication-server-demosetup] connected using connection [Channel ID 3e8ad11c (inbound) of Remoting connection 67282c6a to /127.0.0.1:52804] [Host Controller] 13:38:53,867 INFO [org.jboss.as.host.controller] (server-registration-threads - 1) WFLYHC0020: Registering server authentication-server-demosetup [Host Controller] 13:38:53,928 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://0.0.0.0:9990/management [Host Controller] 13:38:53,929 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://0.0.0.0:9990 [Host Controller] 13:38:53,929 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: WildFly Full 9.0.1.Final (WildFly Core 1.0.1.Final) (Host Controller) started in 16794ms - Started 47 of 50 services (15 services are lazy, passive or on-demand) -------------- next part -------------- A non-text attachment was scrubbed... Name: domain-idbt.xml Type: text/xml Size: 42065 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20151104/6b50e416/attachment-0001.xml From mstrukel at redhat.com Wed Nov 4 08:49:02 2015 From: mstrukel at redhat.com (Marko Strukelj) Date: Wed, 4 Nov 2015 14:49:02 +0100 Subject: [keycloak-user] Can not logout from demo broker In-Reply-To: References: <865106505.776723.1446459238266.JavaMail.yahoo@mail.yahoo.com> <56376C33.4010305@redhat.com> Message-ID: Your log.txt doesn't look right. Only a host controller is started - no server running your idbt-ha profile is started at all. 
There should be entries in the log looking like: [Server:configuration-server-demosetup] 15:58:05,712 INFO [org.jboss.modules] (main) JBoss Modules version 1.4.3.Final [Server:configuration-server-demosetup] 15:58:06,017 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final [Server:configuration-server-demosetup] 15:58:06,118 INFO [org.jboss.as] (MSC service thread 1-6) WFLYSRV0049: WildFly Full 9.0.1.Final (WildFly Core 1.0.1.Final) starting ... There must be a problem with your host.xml file. You should have a server definition there referring to one of your server groups, for example: ... Also, in domain-idbt.xml your Infinispan cache is configured to be local. For distributed setup you should be using distributed Infinispan cache: On Wed, Nov 4, 2015 at 2:20 PM, Andrej P wrote: > Hi Marko, > > thanks for your hints, I went through but still w/o positive result. > I will write my comments inside your hints. > I attached 2 files: domain-idbt.xml - with added sections for keycloak > log.txt - log after start wildfly in command line > > Br, > Andrej. > > On Tue, Nov 3, 2015 at 4:24 PM, Marko Strukelj > wrote: > >> From your descriptions of the problem it sounds like your server-one >> which binds to port 8080 doesn't have keycloak-server configured at all - >> it's using a server group, that uses a different profile than the one you >> configured. 
>> > Our group/server/profile setup looks like: > > GROUP SERVER PROFILE configuration configuration-server-demosetup > idbt-ha authentication authentication-server-demosetup idbt-ha > > >> >> There are four profiles in the default domain.xml - default, ha, full, >> and full-ha >> > In our domain-idbt.xml there are only 2 profiles: idbt-ha and idbt-security > and I modified Infinispan for idbt-ha (but ha is only in the name, not used > inside the configuration) > >> >> If you want your multiple Keycloak instances to run in high availability >> mode, using a shared Infinispan cache, and a shared database, then that's >> the most complex of all configurations - you have to set up a standalone >> database, use "full-ha" profile to configure the datasource with proper >> database connection url, and configure the distributed Infinispan cache. >> Also add >> declaration. >> > > I created Keycloak_DS, which was missing before. > I added the extension, Infinispan and subsystem sections for Keycloak > inside my domain-idbt.xml (I attached the finally modified domain-idbt.xml). Please > check it inside. > >> >> >> In server-groups section define a new group or reuse existing one, and >> set its profile to "full-ha", and use "full-ha-sockets" binding group. >> In host.xml make sure that server definitions have the proper group set. >> >> Then you also have to copy some configurations. 
>> >> Assuming you have two servers defined in host.xml - called server-one, >> and server-two, create a directory: >> >> $WILDFLY_HOME/domain/servers/server-one/configuration >> $WILDFLY_HOME/domain/servers/server-two/configuration >> >> Then copy the following configurations from standalone/configuration: >> >> cp $WILDFLY_HOME/standalone/configuration/keycloak-server.json >> $WILDFLY_HOME/domain/servers/server-one/configuration/ >> cp -r $WILDFLY_HOME/standalone/configuration/themes >> $WILDFLY_HOME/domain/servers/server-one/configuration/ >> cp -r $WILDFLY_HOME/standalone/configuration/providers >> $WILDFLY_HOME/domain/servers/server-one/configuration/ >> >> cp $WILDFLY_HOME/standalone/configuration/keycloak-server.json >> $WILDFLY_HOME/domain/servers/server-two/configuration/ >> cp -r $WILDFLY_HOME/standalone/configuration/themes >> $WILDFLY_HOME/domain/servers/server-two/configuration/ >> cp -r $WILDFLY_HOME/standalone/configuration/providers >> $WILDFLY_HOME/domain/servers/server-two/configuration/ >> > > Done all creation and copying steps. >
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151104/1c1be9fd/attachment.html
From ado.boj.83 at gmail.com Wed Nov 4 09:18:37 2015 From: ado.boj.83 at gmail.com (Andrej P) Date: Wed, 4 Nov 2015 15:18:37 +0100 Subject: [keycloak-user] Possible bug: Changing of role description via REST API causes deleting of role name Message-ID:
*Description:* I want to add or change a role description via the REST API.
*Details:* In the request body only the attribute "description" (the role description) is set (see the request body section).
*Use cases from the API specification:* *Update a role by name* and *Update the role*
*Request body:* { "description":"manage realm role of UNI-4/4. Add/delete/update of users." }
*Observed reaction:* after the request, the parameter "name" is missing from the role. 
*Result:* (of REST API Get all roles for the realm or client) { "id": "da1f8c02-6823-4d86-8873-f2d533ba43fa", "description": "manage realm role of UNI-4/4. Add/delete/update of users.", "scopeParamRequired": false, "composite": false }, Printscreen of result in GUI: [image: Inline image 1] -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151104/f2249753/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: image.png Type: image/png Size: 79029 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20151104/f2249753/attachment-0001.png From ado.boj.83 at gmail.com Wed Nov 4 09:31:01 2015 From: ado.boj.83 at gmail.com (Andrej P) Date: Wed, 4 Nov 2015 15:31:01 +0100 Subject: [keycloak-user] Can not logout from demo broker In-Reply-To: References: <865106505.776723.1446459238266.JavaMail.yahoo@mail.yahoo.com> <56376C33.4010305@redhat.com> Message-ID: Again inside text are my answers. On Wed, Nov 4, 2015 at 2:49 PM, Marko Strukelj wrote: > Your log.txt doesn't look right. Only a host controller is started - no > server running your idbt-ha profile is started at all. > > There should be entries in the log looking like: > > [Server:configuration-server-demosetup] 15:58:05,712 INFO > [org.jboss.modules] (main) JBoss Modules version 1.4.3.Final > [Server:configuration-server-demosetup] 15:58:06,017 INFO [org.jboss.msc] > (main) JBoss MSC version 1.2.6.Final > [Server:configuration-server-demosetup] 15:58:06,118 INFO [org.jboss.as] > (MSC service thread 1-6) WFLYSRV0049: WildFly Full 9.0.1.Final (WildFly > Core 1.0.1.Final) starting > ... 
> In the log /opt/wildfly-9.0.1.Final/domain/log/host-controller.log the lines you requested are present (log.txt was copied from the command line): 2015-11-04 13:38:43,479 INFO [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0023: Starting server configuration-server-demosetup 2015-11-04 13:38:46,125 INFO [org.jboss.as.host.controller] (Remoting "demosetup:MANAGEMENT" task-4) WFLYHC0021: Server [Server:configuration-server-demosetup] connected using connection [Channel ID 656dd302 (inbound) of Remoting connection 1d425566 to / 127.0.0.1:50449] 2015-11-04 13:38:46,193 INFO [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0023: Starting server authentication-server-demosetup 2015-11-04 13:38:46,246 INFO [org.jboss.as.host.controller] (server-registration-threads - 1) WFLYHC0020: Registering server configuration-server-demosetup 2015-11-04 13:38:53,794 INFO [org.jboss.as.host.controller] (Remoting "demosetup:MANAGEMENT" task-8) WFLYHC0021: Server [Server:authentication-server-demosetup] connected using connection [Channel ID 3e8ad11c (inbound) of Remoting connection 67282c6a to / 127.0.0.1:52804] 2015-11-04 13:38:53,867 INFO [org.jboss.as.host.controller] (server-registration-threads - 1) WFLYHC0020: Registering server authentication-server-demosetup > > > There must be a problem with your host.xml file. You should have a server > definition there referring to one of your server groups, for example: > > > group="group-authentication"/> > ... > > I attached host-idbt.xml now and from my point of view it looks fine. > > Also, in domain-idbt.xml your Infinispan cache is configured to be local. > For distributed setup you should be using distributed Infinispan cache: > > jndi-name="infinispan/Keycloak"> > > > > owners="1"/> > owners="1"/> > > In the previously attached domain-idbt.xml I configured the Infinispan cache as local, not distributed; is that a conflict, does it have to be in HA mode? 
> > > > On Wed, Nov 4, 2015 at 2:20 PM, Andrej P wrote: > >> Hi Marko, >> >> thanks for your hints, I went through them but still without a positive result. >> I will write my comments inside your hints. >> I attached 2 files: domain-idbt.xml - with added sections for Keycloak >> log.txt - log after starting WildFly on the command >> line >> >> Br, >> Andrej. >> >> On Tue, Nov 3, 2015 at 4:24 PM, Marko Strukelj >> wrote: >> >>> From your descriptions of the problem it sounds like your server-one >>> which binds to port 8080 doesn't have keycloak-server configured at all - >>> it's using a server group, that uses a different profile than the one you >>> configured. >>> >> Our group/server/profile setup looks like: >> >> GROUP SERVER PROFILE configuration configuration-server-demosetup >> idbt-ha authentication authentication-server-demosetup idbt-ha >> >> >>> >>> There are four profiles in the default domain.xml - default, ha, full, >>> and full-ha >>> >> In our domain-idbt.xml there are only 2 profiles: idbt-ha and idbt-security >> and I modified Infinispan for idbt-ha (but ha is only in the name, not used >> inside the configuration) >> >>> >>> If you want your multiple Keycloak instances to run in high availability >>> mode, using a shared Infinispan cache, and a shared database, then that's >>> the most complex of all configurations - you have to set up a standalone >>> database, use "full-ha" profile to configure the datasource with proper >>> database connection url, and configure the distributed Infinispan cache. >>> Also add >>> declaration. >>> >> >> I created Keycloak_DS, which was missing before. >> I added the extension, Infinispan and subsystem sections for Keycloak >> inside my domain-idbt.xml (I attached the finally modified domain-idbt.xml). Please >> check it inside. >> >>> >>> >>> In server-groups section define a new group or reuse existing one, and >>> set its profile to "full-ha", and use "full-ha-sockets" binding group. 
>>> In host.xml make sure that server definitions have the proper group set. >>> >>> Then you also have to copy some configurations. >>> >>> Assuming you have two servers defined in host.xml - called server-one, >>> and server-two, create a directory: >>> >>> $WILDFLY_HOME/domain/servers/server-one/configuration >>> $WILDFLY_HOME/domain/servers/server-two/configuration >>> >>> Then copy the following configurations from standalone/configuration: >>> >>> cp $WILDFLY_HOME/standalone/configuration/keycloak-server.json >>> $WILDFLY_HOME/domain/servers/server-one/configuration/ >>> cp -r $WILDFLY_HOME/standalone/configuration/themes >>> $WILDFLY_HOME/domain/servers/server-one/configuration/ >>> cp -r $WILDFLY_HOME/standalone/configuration/providers >>> $WILDFLY_HOME/domain/servers/server-one/configuration/ >>> >>> cp $WILDFLY_HOME/standalone/configuration/keycloak-server.json >>> $WILDFLY_HOME/domain/servers/server-two/configuration/ >>> cp -r $WILDFLY_HOME/standalone/configuration/themes >>> $WILDFLY_HOME/domain/servers/server-two/configuration/ >>> cp -r $WILDFLY_HOME/standalone/configuration/providers >>> $WILDFLY_HOME/domain/servers/server-two/configuration/ >>> >> >> Done all creation and copying steps. >> >> >> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151104/6c8f50c3/attachment.html -------------- next part -------------- A non-text attachment was scrubbed... 
Name: host-idbt.xml Type: text/xml Size: 3559 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20151104/6c8f50c3/attachment.xml From mstrukel at redhat.com Wed Nov 4 09:48:00 2015 From: mstrukel at redhat.com (Marko Strukelj) Date: Wed, 4 Nov 2015 15:48:00 +0100 Subject: [keycloak-user] Can not logout from demo broker In-Reply-To: References: <865106505.776723.1446459238266.JavaMail.yahoo@mail.yahoo.com> <56376C33.4010305@redhat.com> Message-ID: Can you confirm that you see the following lines in your host-controller.log: [Server:authentication-server-demosetup] 15:58:23,220 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 72) WFLYUT0021: Registered web context: /auth [Server:authentication-server-demosetup] 15:58:23,267 INFO [org.jboss.as.server] (ServerService Thread Pool -- 36) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war") What does the following url show: http://localhost:8180/auth Infinispan in HA mode ensures there is a distributed cache layer in use. It means there are not two local caches with possibly different states. That's important if you use round-robin front end proxy without sticky sessions. Otherwise you may see strange Admin UI behaviour. On Wed, Nov 4, 2015 at 3:31 PM, Andrej P wrote: > Again inside text are my answers. > > > > On Wed, Nov 4, 2015 at 2:49 PM, Marko Strukelj > wrote: > >> Your log.txt doesn't look right. Only a host controller is started - no >> server running your idbt-ha profile is started at all. 
>> >> There should be entries in the log looking like: >> >> [Server:configuration-server-demosetup] 15:58:05,712 INFO >> [org.jboss.modules] (main) JBoss Modules version 1.4.3.Final >> [Server:configuration-server-demosetup] 15:58:06,017 INFO >> [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final >> [Server:configuration-server-demosetup] 15:58:06,118 INFO [org.jboss.as] >> (MSC service thread 1-6) WFLYSRV0049: WildFly Full 9.0.1.Final (WildFly >> Core 1.0.1.Final) starting >> > ... >> > In the log /opt/wildfly-9.0.1.Final/domain/log/host-controller.log the > lines you requested are present (log.txt was copied from the command line) > 2015-11-04 13:38:43,479 INFO [org.jboss.as.host.controller] > (Controller Boot Thread) WFLYHC0023: Starting server > configuration-server-demosetup > 2015-11-04 13:38:46,125 INFO [org.jboss.as.host.controller] (Remoting > "demosetup:MANAGEMENT" task-4) WFLYHC0021: Server > [Server:configuration-server-demosetup] connected using connection > [Channel ID 656dd302 (inbound) of Remoting connection 1d425566 to / > 127.0.0.1:50449] > 2015-11-04 13:38:46,193 INFO [org.jboss.as.host.controller] (Controller > Boot Thread) WFLYHC0023: Starting server authentication-server-demosetup > 2015-11-04 13:38:46,246 INFO [org.jboss.as.host.controller] > (server-registration-threads - 1) WFLYHC0020: Registering server > configuration-server-demosetup > 2015-11-04 13:38:53,794 INFO [org.jboss.as.host.controller] (Remoting > "demosetup:MANAGEMENT" task-8) WFLYHC0021: Server > [Server:authentication-server-demosetup] connected using connection > [Channel ID 3e8ad11c (inbound) of Remoting connection 67282c6a to / > 127.0.0.1:52804] > 2015-11-04 13:38:53,867 INFO [org.jboss.as.host.controller] > (server-registration-threads - 1) WFLYHC0020: Registering server > authentication-server-demosetup > >> >> >> There must be a problem with your host.xml file. 
You should have a server >> definition there referring to one of your server groups, for example: >> >> >> > group="group-authentication"/> >> ... >> >> > I attached host-idbt.xml now and from my point of view it looks fine. > > >> >> Also, in domain-idbt.xml your Infinispan cache is configured to be local. >> For distributed setup you should be using distributed Infinispan cache: >> >> > jndi-name="infinispan/Keycloak"> >> >> >> >> > owners="1"/> >> > owners="1"/> >> >> > In previous attached domain-idbt.xml I configured Infinispan cache > like local not distributed, is it conflict, have to be in HA mode? > > > >> >> >> >> On Wed, Nov 4, 2015 at 2:20 PM, Andrej P wrote: >> >>> Hi Marko, >>> >>> thanks for your hints, I went through but still w/o positive result. >>> I will write my comments inside your hints. >>> I attached 2 files: domain-idbt.xml - with added sections for keycloak >>> log.txt - log after start wildfly in command >>> line >>> >>> Br, >>> Andrej. >>> >>> On Tue, Nov 3, 2015 at 4:24 PM, Marko Strukelj >>> wrote: >>> >>>> From your descriptions of the problem it sounds like your server-one >>>> which binds to port 8080 doesn't have keycloak-server configured at all - >>>> it's using a server group, that uses a different profile than the one you >>>> configured. 
>>>> >>> Our group/server/profile setup looks like: >>> >>> GROUP SERVER PROFILE configuration configuration-server-demosetup >>> idbt-ha authentication authentication-server-demosetup idbt-ha >>> >>> >>>> >>>> There are four profiles in the default domain.xml - default, ha, full, >>>> and full-ha >>>> >>> In our domain-idbt.xml there are only 2 profiles: idbt-ha and >>> idbt-security and I modified Infinispan for idbt-ha (but ha is only in the >>> name, not used inside the configuration) >>> >>>> >>>> If you want your multiple Keycloak instances to run in high >>>> availability mode, using a shared Infinispan cache, and a shared database, >>>> then that's the most complex of all configurations - you have to set up a >>>> standalone database, use "full-ha" profile to configure the datasource with >>>> proper database connection url, and configure the distributed Infinispan >>>> cache. Also add >>>> declaration. >>>> >>> >>> I created Keycloak_DS, which was missing before. >>> I added the extension, Infinispan and subsystem sections for Keycloak >>> inside my domain-idbt.xml (I attached the finally modified domain-idbt.xml). Please >>> check it inside. >>> >>>> >>>> >>>> In server-groups section define a new group or reuse existing one, and >>>> set its profile to "full-ha", and use "full-ha-sockets" binding group. >>>> In host.xml make sure that server definitions have the proper group set. >>>> >>>> Then you also have to copy some configurations. 
>>>> >>>> Assuming you have two servers defined in host.xml - called server-one, >>>> and server-two, create a directory: >>>> >>>> $WILDFLY_HOME/domain/servers/server-one/configuration >>>> $WILDFLY_HOME/domain/servers/server-two/configuration >>>> >>>> Then copy the following configurations from standalone/configuration: >>>> >>>> cp $WILDFLY_HOME/standalone/configuration/keycloak-server.json >>>> $WILDFLY_HOME/domain/servers/server-one/configuration/ >>>> cp -r $WILDFLY_HOME/standalone/configuration/themes >>>> $WILDFLY_HOME/domain/servers/server-one/configuration/ >>>> cp -r $WILDFLY_HOME/standalone/configuration/providers >>>> $WILDFLY_HOME/domain/servers/server-one/configuration/ >>>> >>>> cp $WILDFLY_HOME/standalone/configuration/keycloak-server.json >>>> $WILDFLY_HOME/domain/servers/server-two/configuration/ >>>> cp -r $WILDFLY_HOME/standalone/configuration/themes >>>> $WILDFLY_HOME/domain/servers/server-two/configuration/ >>>> cp -r $WILDFLY_HOME/standalone/configuration/providers >>>> $WILDFLY_HOME/domain/servers/server-two/configuration/ >>>> >>> >>> Done all creation and copying steps. >>> >>> >>> >>> >>> >> > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151104/e0cb79bb/attachment-0001.html
From ado.boj.83 at gmail.com Wed Nov 4 10:10:56 2015 From: ado.boj.83 at gmail.com (Andrej P) Date: Wed, 4 Nov 2015 16:10:56 +0100 Subject: [keycloak-user] Can not logout from demo broker In-Reply-To: References: <865106505.776723.1446459238266.JavaMail.yahoo@mail.yahoo.com> <56376C33.4010305@redhat.com> Message-ID:
On Wed, Nov 4, 2015 at 3:48 PM, Marko Strukelj wrote: > Can you confirm that you see the following lines in > your host-controller.log: > > [Server:authentication-server-demosetup] 15:58:23,220 INFO > [org.wildfly.extension.undertow] (ServerService Thread Pool -- 72) > WFLYUT0021: Registered web context: /auth > [Server:authentication-server-demosetup] 15:58:23,267 INFO > [org.jboss.as.server] (ServerService Thread Pool -- 36) WFLYSRV0010: > Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war") > No, these lines are missing in the log. > > > What does the following url show: http://localhost:8180/auth > I have to use the link http://192.168.56.10:8180/auth, because it is not a local machine but a virtualized one. And the answer is as I already wrote before: 404 - Not Found > > Infinispan in HA mode ensures there is a distributed cache layer in use. > It means there are not two local caches with possibly different states. > That's important if you use round-robin front end proxy without sticky > sessions. Otherwise you may see strange Admin UI behaviour. > Now I am using this domain concept only in a small or testing topology, without emphasis on HA. > On Wed, Nov 4, 2015 at 3:31 PM, Andrej P wrote: > >> Again inside the text are my answers. >> >> >> >> On Wed, Nov 4, 2015 at 2:49 PM, Marko Strukelj >> wrote: >> >>> Your log.txt doesn't look right. Only a host controller is started - no >>> server running your idbt-ha profile is started at all. 
>>>
>>> There should be entries in the log looking like:
>>>
>>> [Server:configuration-server-demosetup] 15:58:05,712 INFO [org.jboss.modules] (main) JBoss Modules version 1.4.3.Final
>>> [Server:configuration-server-demosetup] 15:58:06,017 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final
>>> [Server:configuration-server-demosetup] 15:58:06,118 INFO [org.jboss.as] (MSC service thread 1-6) WFLYSRV0049: WildFly Full 9.0.1.Final (WildFly Core 1.0.1.Final) starting
>>>
>>> ...
>>>
>> In the log /opt/wildfly-9.0.1.Final/domain/log/host-controller.log the lines you requested are present (log.txt was copied from the command line):
>>
>> 2015-11-04 13:38:43,479 INFO [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0023: Starting server configuration-server-demosetup
>> 2015-11-04 13:38:46,125 INFO [org.jboss.as.host.controller] (Remoting "demosetup:MANAGEMENT" task-4) WFLYHC0021: Server [Server:configuration-server-demosetup] connected using connection [Channel ID 656dd302 (inbound) of Remoting connection 1d425566 to /127.0.0.1:50449]
>> 2015-11-04 13:38:46,193 INFO [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0023: Starting server authentication-server-demosetup
>> 2015-11-04 13:38:46,246 INFO [org.jboss.as.host.controller] (server-registration-threads - 1) WFLYHC0020: Registering server configuration-server-demosetup
>> 2015-11-04 13:38:53,794 INFO [org.jboss.as.host.controller] (Remoting "demosetup:MANAGEMENT" task-8) WFLYHC0021: Server [Server:authentication-server-demosetup] connected using connection [Channel ID 3e8ad11c (inbound) of Remoting connection 67282c6a to /127.0.0.1:52804]
>> 2015-11-04 13:38:53,867 INFO [org.jboss.as.host.controller] (server-registration-threads - 1) WFLYHC0020: Registering server authentication-server-demosetup
>>
>>>
>>> There must be a problem with your host.xml file.
>>> You should have a server definition there referring to one of your server groups, for example:
>>>
>>>   group="group-authentication"/>
>>>   ...
>>>
>> I attached host-idbt.xml now and from my point of view it looks fine.
>>
>>>
>>> Also, in domain-idbt.xml your Infinispan cache is configured to be
>>> local. For distributed setup you should be using distributed Infinispan
>>> cache:
>>>
>>>   jndi-name="infinispan/Keycloak">
>>>     owners="1"/>
>>>     owners="1"/>
>>>
>> In the previously attached domain-idbt.xml I configured the Infinispan cache
>> as local, not distributed; is that a conflict, does it have to be in HA mode?
>>
>>> On Wed, Nov 4, 2015 at 2:20 PM, Andrej P wrote:
>>>
>>>> Hi Marko,
>>>>
>>>> thanks for your hints, I went through but still w/o positive result.
>>>> I will write my comments inside your hints.
>>>> I attached 2 files: domain-idbt.xml - with added sections for keycloak
>>>>                     log.txt - log after start wildfly in command line
>>>>
>>>> Br,
>>>> Andrej.
>>>>
>>>> On Tue, Nov 3, 2015 at 4:24 PM, Marko Strukelj wrote:
>>>>
>>>>> From your descriptions of the problem it sounds like your server-one
>>>>> which binds to port 8080 doesn't have keycloak-server configured at all -
>>>>> it's using a server group, that uses a different profile than the one you
>>>>> configured.
>>>>>
>>>> Our group/server/profile setup looks like:
>>>>
>>>>   GROUP            SERVER                             PROFILE
>>>>   configuration    configuration-server-demosetup     idbt-ha
>>>>   authentication   authentication-server-demosetup    idbt-ha
>>>>
>>>>> There are four profiles in the default domain.xml - default, ha, full,
>>>>> and full-ha
>>>>>
>>>> In our domain-idbt.xml there are only 2 profiles: idbt-ha and
>>>> idbt-security, and I modified infinispan for idbt-ha (but ha is only in the
>>>> name, not used inside the configuration)
>>>>
>>>>> If you want your multiple Keycloak instances to run in high
>>>>> availability mode, using a shared Infinispan cache, and a shared database,
>>>>> then that's the most complex of all configurations - you have to setup a
>>>>> standalone database, use "full-ha" profile to configure the datasource with
>>>>> proper database connection url, and configure the distributed Infinispan
>>>>> cache. Also add
>>>>> declaration.
>>>>>
>>>> I created Keycloak_DS, which was missing before.
>>>> I added: extension; infinispan and subsystem section for Keycloak
>>>> inside my domain-idbt.xml (I attached the finally modified domain-idbt.xml). Pls
>>>> you can check it inside.
>>>>
>>>>> In server-groups section define a new group or reuse existing one, and
>>>>> set its profile to "full-ha", and use "full-ha-sockets" binding group.
>>>>> In host.xml make sure that server definitions have the proper group
>>>>> set.
>>>>>
>>>>> Then you also have to copy some configurations.
>>>>>
>>>>> Assuming you have two servers defined in host.xml - called server-one,
>>>>> and server-two, create a directory:
>>>>>
>>>>> $WILDFLY_HOME/domain/servers/server-one/configuration
>>>>> $WILDFLY_HOME/domain/servers/server-two/configuration
>>>>>
>>>>> Then copy the following configurations from standalone/configuration:
>>>>>
>>>>> cp $WILDFLY_HOME/standalone/configuration/keycloak-server.json $WILDFLY_HOME/domain/servers/server-one/configuration/
>>>>> cp -r $WILDFLY_HOME/standalone/configuration/themes $WILDFLY_HOME/domain/servers/server-one/configuration/
>>>>> cp -r $WILDFLY_HOME/standalone/configuration/providers $WILDFLY_HOME/domain/servers/server-one/configuration/
>>>>>
>>>>> cp $WILDFLY_HOME/standalone/configuration/keycloak-server.json $WILDFLY_HOME/domain/servers/server-two/configuration/
>>>>> cp -r $WILDFLY_HOME/standalone/configuration/themes $WILDFLY_HOME/domain/servers/server-two/configuration/
>>>>> cp -r $WILDFLY_HOME/standalone/configuration/providers $WILDFLY_HOME/domain/servers/server-two/configuration/
>>>>>
>>>> Done all creation and copying steps.
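The copy steps Marko gives above (they also appear earlier in this thread), as an added example that is not part of the original thread and not Keycloak or WildFly code: a Python script that provisions the per-server configuration directory for any number of servers named in host.xml, refuses to start if one of the three standalone items is missing, and then checks host-controller.log for the two lines Marko asks Andrej to look for (WFLYUT0021 registering the /auth context and WFLYSRV0010 deploying keycloak-server.war) so that a server that merely booted is not mistaken for one running Keycloak. The server names server-one and server-two, the throwaway WILDFLY_HOME built by run_demo and the sample log lines are constructed; the function names are mine.

```python
import re
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Set

# The items Marko lists: every domain server needs its own copy taken from
# standalone/configuration, because a domain server never reads that directory.
CONFIG_ITEMS = ("keycloak-server.json", "themes", "providers")

# The two host-controller.log lines that show the keycloak-server subsystem
# actually came up on a given server (format taken from the thread).
AUTH_CONTEXT_RE = re.compile(
    r"^\[Server:(?P<server>[^\]]+)\].*WFLYUT0021: Registered web context: /auth\s*$")
WAR_DEPLOYED_RE = re.compile(
    r'^\[Server:(?P<server>[^\]]+)\].*WFLYSRV0010: Deployed "keycloak-server.war"')


def provision_server_configs(wildfly_home: str, servers: Iterable[str]) -> Dict[str, List[str]]:
    """Copy keycloak-server.json, themes/ and providers/ into
    $WILDFLY_HOME/domain/servers/<server>/configuration for each server.
    Checks all sources first so a missing item cannot leave a server half-provisioned."""
    home = Path(wildfly_home)
    src = home / "standalone" / "configuration"
    missing = [item for item in CONFIG_ITEMS if not (src / item).exists()]
    if missing:
        raise FileNotFoundError(f"missing in {src}: {', '.join(missing)}")
    copied: Dict[str, List[str]] = {}
    for server in servers:
        dest = home / "domain" / "servers" / server / "configuration"
        dest.mkdir(parents=True, exist_ok=True)
        for item in CONFIG_ITEMS:
            source, target = src / item, dest / item
            if source.is_dir():
                shutil.copytree(source, target, dirs_exist_ok=True)  # cp -r
            else:
                shutil.copy2(source, target)                          # cp
        copied[server] = sorted(p.name for p in dest.iterdir())
    return copied


def keycloak_ready_servers(log_text: str) -> Set[str]:
    """Servers whose log shows BOTH the /auth registration and the war deployment."""
    registered: Set[str] = set()
    deployed: Set[str] = set()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = AUTH_CONTEXT_RE.match(line)
        if m:
            registered.add(m.group("server"))
        m = WAR_DEPLOYED_RE.match(line)
        if m:
            deployed.add(m.group("server"))
    return registered & deployed


# Constructed sample log: server-one started Keycloak, server-two only booted.
SAMPLE_LOG = """
[Server:server-one] 15:58:06,118 INFO [org.jboss.as] (MSC service thread 1-6) WFLYSRV0049: WildFly Full 9.0.1.Final (WildFly Core 1.0.1.Final) starting
[Server:server-one] 15:58:23,220 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 72) WFLYUT0021: Registered web context: /auth
[Server:server-one] 15:58:23,267 INFO [org.jboss.as.server] (ServerService Thread Pool -- 36) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
[Server:server-two] 15:58:06,118 INFO [org.jboss.as] (MSC service thread 1-6) WFLYSRV0049: WildFly Full 9.0.1.Final (WildFly Core 1.0.1.Final) starting
"""


def run_demo() -> Dict[str, List[str]]:
    """Build a throwaway WILDFLY_HOME holding the three standalone items and provision two servers."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "standalone" / "configuration"
        (src / "themes" / "base").mkdir(parents=True)
        (src / "providers").mkdir()
        (src / "keycloak-server.json").write_text("{}")
        (src / "themes" / "base" / "theme.properties").write_text("parent=base\n")
        return provision_server_configs(tmp, ["server-one", "server-two"])


if __name__ == "__main__":
    print(run_demo())
    print("Keycloak started on:", keycloak_ready_servers(SAMPLE_LOG))
```

Run it against a real installation by calling provision_server_configs with your WILDFLY_HOME and the server names from host.xml, then feed the contents of domain/log/host-controller.log to keycloak_ready_servers after the domain has started; a server missing from the result is the one whose profile or group does not carry the keycloak-server subsystem.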
From mstrukel at redhat.com Wed Nov 4 10:35:42 2015
From: mstrukel at redhat.com (Marko Strukelj)
Date: Wed, 4 Nov 2015 16:35:42 +0100
Subject: [keycloak-user] Can not logout from demo broker
References: <865106505.776723.1446459238266.JavaMail.yahoo@mail.yahoo.com> <56376C33.4010305@redhat.com>

On Wed, Nov 4, 2015 at 4:10 PM, Andrej P wrote:
>
> On Wed, Nov 4, 2015 at 3:48 PM, Marko Strukelj wrote:
>
>> Can you confirm that you see the following lines in
>> your host-controller.log:
>>
>> [Server:authentication-server-demosetup] 15:58:23,220 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 72) WFLYUT0021: Registered web context: /auth
>> [Server:authentication-server-demosetup] 15:58:23,267 INFO [org.jboss.as.server] (ServerService Thread Pool -- 36) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
>>
> No, these lines are missing in the log.
>
That's the root of your problem then. Keycloak server subsystem doesn't seem to be initialized at all.

From your config files it follows that your 'authentication-server-demosetup' server is using 'group-authentication' group, and 'group-authentication' group is using 'idbt-ha' profile, and 'idbt-ha' profile contains keycloak-server subsystem declaration ... I see no reason for Keycloak server to not get initialized.

I'm sorry to say, but I'm out of ideas. If I were you I would try from scratch with an OOTB domain.xml, and host.xml, and set up Keycloak server without any additional applications deployed, following the instructions I described previously - just get server-one, and server-two using the same group tied to full-ha profile. That way you should get Keycloak up and running. Then I would slowly evolve the configuration towards what you have now.
Somewhere during that process there must be a step that breaks things, and it's not obvious what that step is.

From giovanni.baruzzi at syntlogo.de Wed Nov 4 13:58:42 2015
From: giovanni.baruzzi at syntlogo.de (Giovanni Baruzzi)
Date: Wed, 4 Nov 2015 19:58:42 +0100
Subject: [keycloak-user] LDAP Role Mapping after the "memberOf" style

Dear all,

at the moment using the LDAP Identity federation we can map a role to the membership to a group.
We are using instead of the groupMembership the "memberOf" approach, dedicating an attribute to list the values of the roles owned by the user.
How would you suggest the implementation of this requirement?
Can you imagine a way to implement it using the planned customised filter?
Should we go for a custom federation provider?

thank you for your answers,
Giovanni

From mposolda at redhat.com Thu Nov 5 03:39:21 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 5 Nov 2015 09:39:21 +0100
Subject: [keycloak-user] LDAP Role Mapping after the "memberOf" style
Message-ID: <563B15B9.8070207@redhat.com>

Hi,

On 04/11/15 19:58, Giovanni Baruzzi wrote:
> Dear all,
>
> at the moment using the LDAP Identity federation we can map a role to
> the membership to a group.
>
> We are using instead of the groupMembership the "memberOf"
> approach,
> dedicating an attribute to list the values of the roles owned by the user.

AFAIK memberOf is just a read-only mirror of the "member" attribute, where "member" is writable and available on the group (roles) objects, and memberOf is mirrored on users. At least it works this way on Active Directory and some other LDAP servers too. Or doesn't it work on your LDAP server and you are not seeing the "member" attribute on groups?

Our RoleLDAPFederationMapper implementation is using the "member" attribute approach because the "member" attribute is writable and it's sufficient to achieve all of the CRUD user role mapping operations.

At this moment, the only reason where I can see an advantage of "memberOf" is better performance with read-only LDAP servers, as you need to query just the user object to receive both its attributes and role mappings in a single step. Is this the reason why you want it or do you have another reason?

> How would you suggest the implementation of this requirement?
> Can you imagine a way to implement it using the planned customised filter?
> Should we go for a custom federation provider?

There are 2 steps to achieve it.

1) You can use the existing "User attribute" mapper to map the "memberOf" attribute to some attribute in the user model. This way the "memberOf" will be queried from LDAP and saved into the Keycloak DB as part of the user record. You can check in the admin console (tab "Attributes" of the user) if the memberOf was successfully returned.

2) Then you may need to implement a custom LDAPFederationMapper, which will return a proxy user object, and you override some methods of this proxy (getRoleMappings, hasRole, maybe getRealmRoleMappings and getClientRoleMappings) to return the roles based on the "memberOf" attribute, which is available on UserModel thanks to the previous step. See the existing RoleLDAPFederationMapper for inspiration.

So you don't need a custom federation provider, but just a custom federation mapper.

I wonder if we should support "memberOf" in Keycloak OOTB.
I am curious about your reasons to use it in preference to "member".

Marek

>
> thank you for your answers,
> Giovanni
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Thu Nov 5 06:38:51 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 5 Nov 2015 12:38:51 +0100
Subject: [keycloak-user] Generate offline token

On 3 November 2015 at 09:32, Thomas Raehalme <thomas.raehalme at aitiofinland.com> wrote:
> On Tue, Nov 3, 2015 at 10:23 AM, Stian Thorgersen wrote:
>
>> * Create service account for customers - they can then use this to obtain
>> a token (offline or standard refresh) using REST endpoints on Keycloak
>>
> Sorry to step in, but could you please explain the use case or the
> reasoning for offline tokens on service accounts? If I have understood it
> correctly you'll still need clientId and secret to generate the access
> token from the offline token. Why not just use them to login whenever
> necessary? Thanks!
>
I wouldn't use offline tokens myself, but if you want to provide customers with a "token" rather than a service account it should be an offline token. Problem is that it'll be rather big, not just a short "api key".

> Best regards,
> Thomas
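Marek's two steps, as an added illustration in Python that is not part of the original thread and not Keycloak's LDAPFederationMapper API: step 1 leaves the raw attribute values on the user record; step 2 is a proxy around that record whose getRoleMappings/hasRole answer from those values. The example handles both shapes mentioned in the thread, group DNs mirrored into memberOf and a dedicated attribute that lists role names directly. The base DN ou=roles,dc=example,dc=org, the attribute name roleAttribute and the user record are constructed. The check that a group DN actually sits under the configured base is the caveat a practitioner would want: without it, any group anywhere in the tree whose cn happens to be "admin" would grant the admin role.

```python
from typing import Dict, Iterable, List, Optional, Set


def split_rdns(dn: str) -> List[str]:
    """Split a DN into its RDN strings on commas that are not backslash-escaped
    (RFC 4514), so 'cn=a\\, b,ou=x' gives ['cn=a\\, b', 'ou=x']."""
    rdns: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf).strip())
    return rdns


def _normalized(rdns: Iterable[str]) -> str:
    # DN comparison is case-insensitive for cn/ou/dc; lower-casing is enough here.
    return ",".join(r.lower() for r in rdns)


def role_from_group_dn(group_dn: str, roles_base_dn: str) -> Optional[str]:
    """Map 'cn=admin,ou=roles,dc=example,dc=org' to 'admin', but only when the
    group sits directly under roles_base_dn. Anything else yields None, so a
    group elsewhere in the tree cannot smuggle in a role name."""
    rdns = split_rdns(group_dn)
    if len(rdns) < 2 or _normalized(rdns[1:]) != _normalized(split_rdns(roles_base_dn)):
        return None
    attr, sep, value = rdns[0].partition("=")
    if not sep or attr.strip().lower() != "cn":
        return None
    return value.strip().replace("\\,", ",")


class MemberOfRoleProxy:
    """Stand-in for the proxy user object of step 2: wraps the attributes that
    step 1 stored on the user record and answers role queries from them."""

    def __init__(self, user_attributes: Dict[str, List[str]], roles_base_dn: str,
                 member_of_attribute: str = "memberOf",
                 role_attribute: Optional[str] = None) -> None:
        self._attrs = user_attributes
        self._roles_base_dn = roles_base_dn
        self._member_of = member_of_attribute
        self._role_attribute = role_attribute  # dedicated attribute listing role names (constructed)

    def get_role_mappings(self) -> Set[str]:
        roles: Set[str] = set()
        for dn in self._attrs.get(self._member_of, []):
            role = role_from_group_dn(dn, self._roles_base_dn)
            if role is not None:
                roles.add(role)
        if self._role_attribute:
            roles.update(v.strip() for v in self._attrs.get(self._role_attribute, []) if v.strip())
        return roles

    def has_role(self, role: str) -> bool:
        # Role names are compared exactly, as Keycloak role names are.
        return role in self.get_role_mappings()


# Constructed user record, as step 1 would leave it in the Keycloak DB.
SAMPLE_USER = {
    "memberOf": [
        "cn=admin,ou=roles,dc=example,dc=org",
        "cn=Admin,ou=projects,dc=example,dc=org",       # not under the roles base: ignored
        "cn=billing\\, eu,ou=roles,dc=example,dc=org",  # escaped comma inside the cn
    ],
    "roleAttribute": ["reporter", " auditor "],
}

if __name__ == "__main__":
    proxy = MemberOfRoleProxy(SAMPLE_USER, "ou=roles,dc=example,dc=org", role_attribute="roleAttribute")
    print(sorted(proxy.get_role_mappings()))
    print(proxy.has_role("admin"), proxy.has_role("Admin"))
```

In a real mapper the same two functions would run inside the overridden getRoleMappings/hasRole of the proxy UserModel, with roles_base_dn taken from the mapper configuration rather than hard-coded.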
From sthorger at redhat.com Thu Nov 5 06:42:48 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 5 Nov 2015 12:42:48 +0100
Subject: [keycloak-user] Generate offline token
References: <5638AD40.8050408@redhat.com>

On 3 November 2015 at 19:10, Pål Orby wrote:
> Ok, so after reading the replies here I understand that it isn't offline
> tokens I'm looking for.
>
> The token I'm looking for is what I would call an "application token". Any
> plans implementing that?
>
No, we don't have any plans for that. However as I suggested you can relatively easily provide that yourself by creating a client with service account for a customer then create an offline token to send to them. Main issue still stands though is that an offline token is not just a short "API Key" it's a relatively big base64 string.

If you want a short "API Key" you'd need a proxy in front of your services that can swap the key for the actual token.

> Example:
> If you enable two factor authentication on Github, you can't connect with
> username/password anymore in terminal or other 3rd-party applications
> integrated with GitHub without using an "application token" that you create
> on your GitHub account page.
>
> /Pål
>
> *Pål Orby*
> UNIT4 Agresso AS
> Programvareingeniør
> Tlf: 22 58 85 00
> Mobil: 900 91 705
>
> SendRegning - Gjør det enkelt!
> http://www.sendregning.no
> http://facebook.com/sendregning
> http://twitter.com/sendregning
> http://faktura.no
>
> 2015-11-03 13:49 GMT+01:00 Marek Posolda:
>
>> On 03/11/15 09:32, Thomas Raehalme wrote:
>>
>> On Tue, Nov 3, 2015 at 10:23 AM, Stian Thorgersen <sthorger at redhat.com> wrote:
>>
>>> * Create service account for customers - they can then use this to
>>> obtain a token (offline or standard refresh) using REST endpoints on
>>> Keycloak
>>>
>> Sorry to step in, but could you please explain the use case or the
>> reasoning for offline tokens on service accounts? If I have understood it
>> correctly you'll still need clientId and secret to generate the access
>> token from the offline token. Why not just use them to login whenever
>> necessary? Thanks!
>>
>> We support offline tokens for service accounts because there is no reason
>> (bad side effect) of not supporting it. Or at least I am not aware of any.
>> Are you? Adding this support came "for free".
>>
>> One usecase when it can be useful is, for example if you have offline
>> token and you don't know how was this offline token authenticated (if it
>> was direct grant, service account or browser). You can send the refresh
>> token request with this token regardless of the offline token type as the
>> refreshToken endpoint is same for all cases.
>>
>> Marek
>>
>> Best regards,
>> Thomas
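Stian's proxy suggestion, as an added example in Python that is not part of the original thread and not Keycloak code: the customer receives a short random API key, the proxy stores only a keyed hash of that key next to the customer's offline token, and on each request it swaps the key for an access token by sending the offline token to the realm's token endpoint as a refresh_token grant together with the proxy's own client id and secret (endpoint path and grant parameters are the standard Keycloak/OIDC ones; realm, client id, secret, pepper and the in-process fake token endpoint used by run_demo are constructed). Marek's point that the refresh endpoint is the same whatever way the offline token was obtained is what makes the swap a single request. Two caveats a practitioner would want: an offline token is only usable together with the client secret, so keep the secret out of the key store; and hashing the key keeps a leaked store from yielding the keys customers actually send, but the offline tokens in it must still be protected like any credential.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional, Set
from urllib.parse import parse_qs, urlencode

# Standard Keycloak token endpoint; the realm name is filled in per deployment.
TOKEN_PATH = "/auth/realms/{realm}/protocol/openid-connect/token"

# Transport: (url, form-encoded body) -> decoded JSON. A deployment passes an
# HTTPS client; the demo passes an in-process fake so the example runs offline.
Poster = Callable[[str, str], Dict[str, str]]


def offline_token_request(base_url: str, realm: str, client_id: str, client_secret: str):
    """Client-credentials grant asking for offline_access: run once per customer
    when the key is issued, against that customer's service-account client."""
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "offline_access",
    })
    return base_url + TOKEN_PATH.format(realm=realm), body


def refresh_request(base_url: str, realm: str, client_id: str, client_secret: str, offline_token: str):
    """Refresh-token grant that turns the stored offline token into a fresh access token."""
    body = urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": offline_token,
    })
    return base_url + TOKEN_PATH.format(realm=realm), body


class ApiKeyProxy:
    def __init__(self, base_url: str, realm: str, client_id: str, client_secret: str,
                 post: Poster, pepper: bytes) -> None:
        self._base_url, self._realm = base_url, realm
        self._client_id, self._client_secret = client_id, client_secret
        self._post = post
        self._pepper = pepper                 # server-side secret, kept out of the store
        self._store: Dict[str, str] = {}      # HMAC(pepper, api_key) -> offline token

    def _digest(self, api_key: str) -> str:
        return hmac.new(self._pepper, api_key.encode(), hashlib.sha256).hexdigest()

    def issue_key(self, offline_token: str) -> str:
        key = secrets.token_urlsafe(32)       # 256 bits of randomness; the only copy goes to the customer
        self._store[self._digest(key)] = offline_token
        return key

    def revoke_key(self, api_key: str) -> bool:
        return self._store.pop(self._digest(api_key), None) is not None

    def exchange(self, api_key: str) -> Optional[str]:
        """Swap an API key for an access token; None for unknown, revoked or rejected keys."""
        digest = self._digest(api_key)
        offline_token = self._store.get(digest)
        if offline_token is None:
            return None
        url, body = refresh_request(self._base_url, self._realm, self._client_id,
                                    self._client_secret, offline_token)
        response = self._post(url, body)
        if "refresh_token" in response:       # keep a rotated token if the realm issues one
            self._store[digest] = response["refresh_token"]
        return response.get("access_token")


def fake_token_endpoint(valid_offline_tokens: Set[str]) -> Poster:
    """Constructed stand-in for the realm: accepts only a known offline token with the demo secret."""
    def post(url: str, body: str) -> Dict[str, str]:
        form = {k: v[0] for k, v in parse_qs(body).items()}
        if (url.endswith("/auth/realms/demo/protocol/openid-connect/token")
                and form.get("grant_type") == "refresh_token"
                and form.get("client_secret") == "demo-secret"
                and form.get("refresh_token") in valid_offline_tokens):
            return {"access_token": "access-for-" + form["refresh_token"], "expires_in": "300"}
        return {"error": "invalid_grant"}
    return post


def run_demo():
    proxy = ApiKeyProxy("https://sso.example.org", "demo", "customer-api", "demo-secret",
                        fake_token_endpoint({"offline-token-A"}), pepper=b"demo-pepper")
    key = proxy.issue_key("offline-token-A")
    return proxy.exchange(key), proxy.exchange("not-a-key"), proxy.revoke_key(key), proxy.exchange(key)


if __name__ == "__main__":
    print(run_demo())
```

Revoking on the proxy side only forgets the key; to cut the customer off completely, also revoke the offline token in Keycloak so the token the proxy held cannot be replayed from elsewhere.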
From amaeztu at tesicnor.com Thu Nov 5 06:55:04 2015
From: amaeztu at tesicnor.com (Aritz Maeztu)
Date: Thu, 5 Nov 2015 12:55:04 +0100
Subject: [keycloak-user] Keycloak redirects me to my index url instead of to the requested one
In-Reply-To: <563B4331.7080107@tesicnor.com>
References: <563B4331.7080107@tesicnor.com>
Message-ID: <563B4398.6050607@tesicnor.com>

StackOverflow link to the question

I'm using Keycloak server (v 1.5.1) to perform an open-id-connect like authentication to my service. I've set up a basic web application which has two urls, the */index.html* one and another one called /hello. I use Spring security, Spring boot and Spring MVC for all of that. That's my pom.xml configuration:

    <project>
        <modelVersion>4.0.0</modelVersion>

        <groupId>com.keycloaktes</groupId>
        <artifactId>keycloaktes</artifactId>
        <version>0.0.1-SNAPSHOT</version>
        <packaging>jar</packaging>

        <name>demo</name>
        <description>Demo project for Spring Boot</description>

        <parent>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-parent</artifactId>
            <version>1.2.7.RELEASE</version>
        </parent>

        <properties>
            <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
            <java.version>1.7</java.version>
        </properties>

        <dependencies>
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-security</artifactId>
            </dependency>
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-web</artifactId>
            </dependency>
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-test</artifactId>
                <scope>test</scope>
            </dependency>
            <dependency>
                <groupId>org.keycloak</groupId>
                <artifactId>keycloak-spring-security-adapter</artifactId>
                <version>1.5.1.Final</version>
            </dependency>
            <dependency>
                <groupId>org.keycloak</groupId>
                <artifactId>keycloak-tomcat8-adapter</artifactId>
                <version>1.5.1.Final</version>
            </dependency>
        </dependencies>

        <build>
            <plugins>
                <plugin>
                    <groupId>org.springframework.boot</groupId>
                    <artifactId>spring-boot-maven-plugin</artifactId>
                </plugin>
            </plugins>
        </build>
    </project>

The issue comes when I address the /hello url when not logged in: the keycloak login screen shows properly, but instead of performing a redirection to /hello after successful login, it does it to my /index.html page. That's how I've configured the security adapter:

    import org.keycloak.adapters.springsecurity.KeycloakSecurityComponents;
    import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
    import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
    import org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.boot.context.embedded.FilterRegistrationBean;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.ComponentScan;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.core.session.SessionRegistryImpl;
    import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
    import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

    @Configuration
    @EnableWebSecurity
    @ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
    public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

        // Registers the Keycloak authentication provider with Spring Security.
        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth.authenticationProvider(keycloakAuthenticationProvider());
        }

        /**
         * Defines the session authentication strategy.
         */
        @Bean
        @Override
        protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
            return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
        }

        // Keep Spring Boot from registering the Keycloak filters a second time
        // as plain servlet filters; they run inside the Spring Security chain.
        @Bean
        public FilterRegistrationBean keycloakAuthenticationProcessingFilterRegistrationBean(
                KeycloakAuthenticationProcessingFilter filter) {
            FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
            registrationBean.setEnabled(false);
            return registrationBean;
        }

        @Bean
        public FilterRegistrationBean keycloakPreAuthActionsFilterRegistrationBean(
                KeycloakPreAuthActionsFilter filter) {
            FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
            registrationBean.setEnabled(false);
            return registrationBean;
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            super.configure(http);
            http.authorizeRequests().antMatchers("/*").hasRole("ADMIN")
                .anyRequest().permitAll();
            http.csrf().disable();
        }
    }

I've been trying to enable both the `KeycloakAuthenticationProcessingFilter` and `KeycloakPreAuthActionsFilter`, but the result stays the same. Does anybody know how to solve the issue?

From orby at sendregning.no Thu Nov 5 07:19:49 2015
From: orby at sendregning.no (Pål Orby)
Date: Thu, 5 Nov 2015 13:19:49 +0100
Subject: [keycloak-user] Generate offline token
References: <5638AD40.8050408@redhat.com>

I'm currently implementing the proxy solution. Thanks for your help :-)

*Pål Orby*
UNIT4 Agresso AS
Programvareingeniør
Tlf: 22 58 85 00
Mobil: 900 91 705

SendRegning - Gjør det enkelt!
http://www.sendregning.no
http://facebook.com/sendregning
http://twitter.com/sendregning
http://faktura.no

2015-11-05 12:42 GMT+01:00 Stian Thorgersen:
>
> On 3 November 2015 at 19:10, Pål Orby wrote:
>
>> Ok, so after reading the replies here I understand that it isn't offline
>> tokens I'm looking for.
>>
>> The token I'm looking for is what I would call an "application token".
>> Any plans implementing that?
>>
> No, we don't have any plans for that. However as I suggested you can
> relatively easily provide that yourself by creating a client with service
> account for a customer then create an offline token to send to them. Main
> issue still stands though is that an offline token is not just a short "API
> Key" it's a relatively big base64 string.
>
> If you want a short "API Key" you'd need a proxy in front of your services
> that can swap the key for the actual token.
>
>> Example:
>> If you enable two factor authentication on Github, you can't connect with
>> username/password anymore in terminal or other 3rd-party applications
>> integrated with GitHub without using an "application token" that you create
>> on your GitHub account page.
>>
>> /Pål
>>
>> *Pål Orby*
>> UNIT4 Agresso AS
>> Programvareingeniør
>> Tlf: 22 58 85 00
>> Mobil: 900 91 705
>>
>> SendRegning - Gjør det enkelt!
>> http://www.sendregning.no
>> http://facebook.com/sendregning
>> http://twitter.com/sendregning
>> http://faktura.no

From sthorger at redhat.com Thu Nov 5 07:36:34 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 5 Nov 2015 13:36:34 +0100
Subject: [keycloak-user] setting log level
References: <908979050.697883.1446394737577.JavaMail.yahoo@mail.yahoo.com>

Sounds like you're setting it correctly - what logging library are you using? Are you including org.jboss.logging in your module?

On 1 November 2015 at 17:18, alex orl wrote:
> I'm trying to set the log level on keycloak.
> Opening the wildfly admin console...
> or editing wildfly standalone.xml and
> adding a new category:
>
> category= my.userfederation.provider
> level= debug
>
> Nothing happens.
> My user federation provider is installed as module. What am I missing?
> Thanks a lot.

From giovanni.baruzzi at syntlogo.de Thu Nov 5 07:42:47 2015
From: giovanni.baruzzi at syntlogo.de (Giovanni Baruzzi)
Date: Thu, 5 Nov 2015 13:42:47 +0100
Subject: [keycloak-user] LDAP Role Mapping after the "memberOf" style (Marek Posolda)

Marek,

Please see my comments inline.

Giovanni

>Message: 2
>Date: Thu, 5 Nov 2015 09:39:21 +0100
>From: Marek Posolda
>Subject: Re: [keycloak-user] LDAP Role Mapping after the "memberOf" style
>To: Giovanni Baruzzi, "keycloak-user at lists.jboss.org"
>Message-ID: <563B15B9.8070207 at redhat.com>
>Content-Type: text/plain; charset="windows-1252"
>
>Hi,
>
>On 04/11/15 19:58, Giovanni Baruzzi wrote:
>> Dear all,
>>
>> at the moment using the LDAP Identity federation we can map a role to
>> the membership to a group.
>>
>> We are using instead of the groupMembership the "memberOf" approach,
>> dedicating an attribute to list the values of the roles owned by the
>> user.
>
>AFAIK memberOf is just read-only mirror of "member" attribute where
>"member" is writable and it's available on the group (roles) objects
>when memberOf is mirrored on users. At least it works this way on the
>Active Directory and some other LDAP servers too. Or doesn't it work on
>your LDAP server and you are not seeing "member" attribute on groups?

Yes, the "memberOf" is just the group membership seen from the point of view of the user object.
We resorted to this technique for mainly two reasons:

1) Scalability: the LDAP groups technique gives acceptable results up to 80.000 members. After this threshold the insert times grow unacceptably.

2) Flexibility: sometimes, to describe a Role, you need more than just a name. For this reason we defined a custom attribute "syUserRole" containing a case-ignore string, structured as a name and a parameter. One value of this attribute describes a role.

This very simple approach would allow us to scale the design to 1.000.000 users, our target, because with just one access to the user object you get all the needed roles.

Of course it would be nice to map those roles to the Keycloak roles. I'm going to follow your suggestion to implement a "custom LDAPFederationMapper". I will keep you current.

Regards,
Giovanni

>
>Our RoleLDAPFederationMapper implementation is using "member" attribute
>approach because "member" attribute is writable and it's sufficient to
>achieve to all of CRUD user role mappings operations.
>
>At this moment, the only reason when I can see the advantage of
>"memberOf" is better performance in read-only LDAP servers as you need
>to query just user object to receive both it's attributes and role
>mappings in single step. Is this the reason why you want it or do you
>have other reason?

As said above this is one of the reasons, the other one is to have a parameter.

>> How would you suggest the implementation of this requirement?
>> Can you imagine a way to implement it using the planned customised
>>filter?
>> Should we go for a custom federation provider?
>There are 2 steps to achieve it.
>
>1) You can use existing "User attribute" mapper to map "memberOf"
>attribute to some attribute in user model. This way the "memberOf" will
>be queried from LDAP and saved into Keycloak DB as part of the user
>record.
You can check in admin console (tab "Attributes" of user) if the >memberOf was successfully returned > >2) Then you may need to implement custom LDAPFederationMapper, which >will return proxy user object and you override some methods of this >proxy ( getRoleMappings , hasRole, maybe getRealmRoleMappings and >getClientRoleMappings) to return the roles based on the "memberOf" >attribute, which is available on UserModel thanks to previous step. See >existing RoleLDAPFederationMapper for inspiration. > >So you don't need custom federation provider, but just custom federation >mapper. > >I wonder if we should support "memberOf" in Keycloak OOTB. I am curious >about your reasons to use it in prefer to "member" . > >Marek >> >> thank you for your answers, >> Giovanni >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >-------------- next part -------------- >An HTML attachment was scrubbed... >URL: >http://lists.jboss.org/pipermail/keycloak-user/attachments/20151105/d84c32 >0b/attachment-0001.html > >------------------------------ > >Message: 3 >Date: Thu, 5 Nov 2015 12:38:51 +0100 >From: Stian Thorgersen >Subject: Re: [keycloak-user] Generate offline token >To: Thomas Raehalme >Cc: keycloak-user , P?l Orby > >Message-ID: > >Content-Type: text/plain; charset="utf-8" > >On 3 November 2015 at 09:32, Thomas Raehalme < >thomas.raehalme at aitiofinland.com> wrote: > >> On Tue, Nov 3, 2015 at 10:23 AM, Stian Thorgersen >> wrote: >> >>> * Create service account for customers - they can then use this to >>>obtain >>> a token (offline or standard refresh) using REST endpoints on Keycloak >>> >> >> Sorry to step in, but could you please explain the use case or the >> reasoning for offline tokens on service accounts? If I have understood >>it >> correctly you'll still need clientId and secret to generate the access >> token from the offline token. 
Why not just use them to login whenever >> necessary? Thanks! >> > >I wouldn't use offline tokens myself, but if you want to provide customers >with a "token" rather than a service account it should be an offline >token. >Problem is that it'll be rather big, not just a short "api key". > > >> >> Best regards, >> Thomas >> >> >> >-------------- next part -------------- >An HTML attachment was scrubbed... >URL: >http://lists.jboss.org/pipermail/keycloak-user/attachments/20151105/4f2eec >b2/attachment-0001.html > >------------------------------ > >Message: 4 >Date: Thu, 5 Nov 2015 12:42:48 +0100 >From: Stian Thorgersen >Subject: Re: [keycloak-user] Generate offline token >To: P?l Orby >Cc: Thomas Raehalme , keycloak-user > >Message-ID: > >Content-Type: text/plain; charset="utf-8" > >On 3 November 2015 at 19:10, P?l Orby wrote: > >> Ok, so after reading the replies here I understand that it isn't offline >> tokens I'm looking for. >> >> The token I'm looking for is what I would call an "application token". >>Any >> plans implementing that? >> > >No, we don't have any plans for that. However as I suggested you can >relatively easily provide that yourself by creating a client with service >account for a customer then create an offline token to send to them. Main >issue still stands though is that an offline token is not just a short >"API >Key" it's a relatively big base64 string. > >If you want a short "API Key" you'd need a proxy in front of your services >that can swap the key for the actual token. > > >> >> Example: >> If you enable two factor authentication on Github, you can't connect >>with >> username/password anymore in terminal or other 3. party applications >> integrated with GitHub without using an "application token" that you >>create >> on your GitHub account page. >> >> /P?l >> >> *P?l Orby* >> UNIT4 Agresso AS >> Programvareingeni?r >> Tlf: 22 58 85 00 >> Mobil: 900 91 705 >> >> SendRegning - Gj?r det enkelt! 
>> http://www.sendregning.no >> http://facebook.com/sendregning >> http://twitter.com/sendregning >> http://faktura.no >> >> 2015-11-03 13:49 GMT+01:00 Marek Posolda : >> >>> On 03/11/15 09:32, Thomas Raehalme wrote: >>> >>> On Tue, Nov 3, 2015 at 10:23 AM, Stian Thorgersen < >>> >>> sthorger at redhat.com> wrote: >>> >>>> * Create service account for customers - they can then use this to >>>> obtain a token (offline or standard refresh) using REST endpoints on >>>> Keycloak >>>> >>> >>> Sorry to step in, but could you please explain the use case or the >>> reasoning for offline tokens on service accounts? If I have understood >>>it >>> correctly you'll still need clientId and secret to generate the access >>> token from the offline token. Why not just use them to login whenever >>> necessary? Thanks! >>> >>> We support offline tokens for service accounts because there is no >>>reason >>> (bad side effect) of not supporting it. Or at least I am not aware of >>>any. >>> Are you? Adding this support came "for free". >>> >>> One usecase when it can be useful is, for example if you have offline >>> token and you don't know how was this offline token authenticated (if >>>it >>> was direct grant, service account or browser). You can send the refresh >>> token request with this token regardless of the offline token type as >>>the >>> refreshToken endpoint is same for all cases. >>> >>> Marek >>> >>> >>> Best regards, >>> Thomas >>> >>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing >>>listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinf >>>o/keycloak-user >>> >>> >>> >> >-------------- next part -------------- >An HTML attachment was scrubbed... 
> URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151105/e47298d7/attachment.html
>
> ------------------------------
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> End of keycloak-user Digest, Vol 23, Issue 17
> *********************************************

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5133 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20151105/7020613c/attachment.bin

From sthorger at redhat.com Thu Nov 5 14:40:19 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 5 Nov 2015 20:40:19 +0100
Subject: [keycloak-user] (Sugest) Add item in keycloak.json to redirect after login successful
In-Reply-To: <5A7ED0CDDCE1D7418FE8BA8938C6C524FBFEA1@DFEXCHSD005.corp.caixa.gov.br>
References: <5A7ED0CDDCE1D7418FE8BA8938C6C524FBFEA1@DFEXCHSD005.corp.caixa.gov.br>
Message-ID:

I assume your auth-method is set to FORM? If so change it to KEYCLOAK and
users will login on the Keycloak login page.

On 3 November 2015 at 17:34, Victor Neves Evangelista <victor.evangelista at caixa.gov.br> wrote:
> Good afternoon,
>
> I'm having problems with keycloak redirect after login using
> j_security_check.
>
> I have many applications and I can't change JAAS authentication. So, I'm
> using keycloak JAAS (chapter 8, p. 35, version 1.6.0).
>
> After login, keycloak redirects me to http:///j_security_check !!!
> But I need keycloak to redirect me to another URI!
>
> I tried many configurations in keycloak client ID, and it doesn't work.
>
> I suggest creating an item in keycloak.json where you say where to redirect
> after successful login; and an item to redirect to when the token expires.
>
> My problem is posted in
> http://lists.jboss.org/pipermail/keycloak-user/2015-November/003528.html
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151105/026bcb67/attachment.html

From sthorger at redhat.com Thu Nov 5 14:43:39 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 5 Nov 2015 20:43:39 +0100
Subject: [keycloak-user] Accessing authenticated user's details
In-Reply-To:
References: <5627712F.4040200@gmail.com> <562DE9BA.9030703@gmail.com> <562DF136.5010209@redhat.com> <5630AEC4.8020301@gmail.com>
Message-ID:

In JEE there's only Principal with a single getName. You can already map
whatever you want to that. We could maybe map properties from the token onto
attributes in the request.

On 30 October 2015 at 18:34, Christian Hebert wrote:
> How about wrapping your application under a filter (or a valve in JBoss
> or Tomcat)? From there you could populate your authenticated subject (or
> the session?) with whatever information your keycloak token could provide.
>
> Would that be a good idea?
>
> ------------------------------
> Date: Wed, 28 Oct 2015 05:01:17 -0700
> From: sthorger at redhat.com
> To: tdudgeon.ml at gmail.com
> CC: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Accessing authenticated user's details
>
> Yes, JavaEE currently has no standard way of obtaining a user profile.
>
> On 28 October 2015 at 04:17, Tim Dudgeon wrote:
>
> So if I understand correctly the only way to handle multiple attributes of
> the user (e.g. name and email) is to use the Keycloak IDToken approach and
> so be dependent on the Keycloak implementation (or create my own API that
> wraps this)?
>
> Tim
>
> On 26/10/2015 09:24, Marek Posolda wrote:
>
> If you don't want Keycloak dependencies, you can use
> request.getRemoteUser() or request.getPrincipal().getName() to access just
> the userId of the authenticated user. If you use "principal-attribute" in
> keycloak.json, it will return the configured attribute instead of userId,
> so you can receive for example username or email instead. But that way, you
> will be able to access just this single attribute.
>
> Marek
>
> On 26/10/15 09:52, Tim Dudgeon wrote:
>
> Wondered if anyone had any thoughts on this?
>
> On 21/10/2015 12:04, Tim Dudgeon wrote:
>
> In the case of a web application (e.g. Tomcat app secured by the keycloak
> adapter) the web app might need to access details of the authenticated user
> (e.g. full name or email).
> I've found that this information is available from the session like this:
>
>     KeycloakSecurityContext session =
>         (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
>     IDToken idToken = session.getIdToken();
>     String email = idToken.getEmail();
>
> One issue with this is that all your web apps are tied to keycloak.
>
> Is this the right way to handle this?
> Are there alternatives?
>
> Tim
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
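One way to do what Christian and Stian describe in this thread, as an added example that is not part of the thread or of Keycloak itself: a servlet filter that copies a fixed set of claims from the token the adapter has already validated onto plain request attributes, so the servlets and JSPs behind it import no Keycloak class. The filter class name and the attribute names are assumptions; KeycloakSecurityContext and IDToken are the real adapter types Tim's snippet uses.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.IDToken;

/**
 * Hypothetical filter (not shipped with Keycloak): exposes selected token
 * claims as request attributes with Keycloak-free names.
 *
 * It only reads the context the adapter stored after it verified the token
 * signature and expiry, so the values are as trustworthy as the adapter's
 * own authentication; the filter itself performs no validation.
 */
public class TokenClaimsFilter implements Filter {

    // Attribute names are an assumption; any naming your apps agree on works.
    public static final String ATTR_EMAIL = "user.email";
    public static final String ATTR_NAME = "user.name";
    public static final String ATTR_USERNAME = "user.username";

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Same lookup as Tim's snippet: the adapter stores the context under the class name.
        KeycloakSecurityContext ctx =
                (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());

        // Unauthenticated requests (public resources) carry no context: pass them
        // through untouched rather than failing, and set no attributes at all.
        if (ctx != null) {
            // Bearer-only clients receive no ID token, only the access token;
            // AccessToken extends IDToken, so the same getters apply to it.
            IDToken token = ctx.getIdToken() != null ? ctx.getIdToken() : ctx.getToken();
            if (token != null) {
                request.setAttribute(ATTR_EMAIL, token.getEmail());
                request.setAttribute(ATTR_NAME, token.getName());
                request.setAttribute(ATTR_USERNAME, token.getPreferredUsername());
            }
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Register the filter in web.xml for the same url-patterns the Keycloak security constraints cover; because the adapter authenticates as a valve or authentication mechanism before any filter runs, the context is already present when doFilter executes.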
From sthorger at redhat.com Thu Nov 5 14:44:54 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 5 Nov 2015 20:44:54 +0100
Subject: [keycloak-user] Issue with Tomcat 8 adapter ?
In-Reply-To:
References: <955ACCD2-FFAD-4DD1-B7CF-A3B0B1D2B3C4@retrievercommunications.com>
Message-ID:

By mapper fields do you mean claims in the token? If so you can get them
from keycloak.tokenParsed (see
http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#javascript-adapter)

On 2 November 2015 at 07:13, harsh mahey wrote:
> Thanks a lot!
> It worked... is there some good documentation where I can see how I can get
> the Mapper fields in my application? I am using angularjs.
>
> On Sun, Nov 1, 2015 at 10:31 PM, Nic Grange <nicolas.grange at retrievercommunications.com> wrote:
>
>> Hi Harsh,
>>
>> Your problem is most likely caused by duplicate security-constraints for
>> the same url-pattern (/*).
>> This used to be in one of the older versions of the documentation but was
>> updated with https://issues.jboss.org/browse/KEYCLOAK-1724.
>> Try just removing the second in your web.xml and
>> retest to see if it is the problem.
>>
>> Cheers,
>> Nic
>>
>> > Message: 4
>> > Date: Sun, 1 Nov 2015 21:12:23 -0700
>> > From: harsh mahey
>> > Subject: [keycloak-user] Issue with Tomcat 8 adapter ?
>> > To: keycloak-user at lists.jboss.org
>> > Message-ID: CEYn7PsqnyutMXUYhXzGr3yWbNtEXRJaEuOv01zRw at mail.gmail.com>
>> > Content-Type: text/plain; charset="utf-8"
>> >
>> > Hi guys,
>> > Has anyone faced any issue with tomcat 8 adapters?
>> > For some reason I am not getting the keycloak login screen on my web app. Here is my
>> > scenario
>> >
>> > 1. Latest version of Keycloak runs on wildfly
>> > 2. A war runs on tomcat. I put all the jar files under tomcat/lib dir. Below
>> > is the keycloak.json and my web.xml file which goes under my WEB-INF
>> > 3.
>> >    When I login, I directly get my webapp page and it does not
>> > redirect me to the keycloak login page.
>> > 4. My webapp is built using angularjs
>> >
>> > keycloak.json
>> > ********************
>> >
>> > {
>> >   "realm": "SnrAppsRealm",
>> >   "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAutb9hlKhbZvIm6RDPPFFpR1RcNAt/NpzCWemJOveG1Ve5eu2AwPKwmqvkhTaMWUW990BFPIkBRPv13Grt9AVTMTgU10IeK/PM9CGN05eFr6S3KMSSTskpszIN3opiRQ5r8/eCYjC4Bk6qFkbtrlp6ORvUkLS7nMLwVLh9JDo2Fx9nWd+l1oLq1YpYMYeLDcaOAW/vdjYSfyLueu2wESjY9oSEs8x43ZyIhNKGRmW3oDXYL8X5guiqalZD5gbhWv6v3WpeTqdi0sLv4GI2B3oSG76Z/x2On/Sc2r3szfM8kUllyV7K8uYoMgD7DFVOZX5g6Bi6xntzkJHwLMJtW4UPwIDAQAB",
>> >   "auth-server-url": "http://xxxxx.com:9322/auth",
>> >   "ssl-required": "none",
>> >   "resource": "snrapps-web",
>> >   "credentials": {
>> >     "secret": "dda19c87-efee-4c33-a1b3-8b64ad545s0f"
>> >   },
>> >   "use-resource-role-mappings": true
>> > }
>> >
>> > *****************************
>> >
>> > web.xml
>> >
>> > xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
>> > http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
>> >   snrapps-web
>> >   /snrapps-web
>> >   /*
>> >   user
>> >   /*
>> >   CONFIDENTIAL
>> >   BASIC
>> >   this is ignored currently
>> >   admin
>> >   user
>> >
>> > ***************
>> >
>> > META-INF/context.xml
>> >
>> >   "org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve" />
>> >
>> > ***********
>> > -------------- next part --------------
>> > An HTML attachment was scrubbed...
>> > URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151101/8c65d636/attachment.html
>> >
>> > ------------------------------
>> >
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>> > End of keycloak-user Digest, Vol 23, Issue 1
>> > ********************************************
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151105/184e114f/attachment.html

From sthorger at redhat.com Thu Nov 5 14:51:19 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 5 Nov 2015 20:51:19 +0100
Subject: [keycloak-user] Issue with 3.3. Adding Keycloak server in Domain Mode with 1.6.0.Final version
In-Reply-To:
References:
Message-ID:

Added https://issues.jboss.org/browse/KEYCLOAK-2037 - Marko can you take a
look at it please?

On 2 November 2015 at 12:30, AAA BBB wrote:
> Hi all,
>
> I am starting with keycloak and I have an issue with adding it to an existing
> Wildfly 9.0.1.Final.
> I already used the KEYCLOAK BLOG with a quick and helpful conversation with Stian
> Thorgersen, but we didn't solve it.
> I have an issue with modifying domain.xml for keycloak.
>
> -----------------------------------------------------------------------------------------------------------------
> Hi, the last advice was:
> So you need to get 3 pieces from standalone-keycloak-ha.xml and add them to
> domain.xml.
> The bits you need are:
>
> * extension org.keycloak.keycloak-server-subsystem
> * cache-container name="keycloak"
> * subsystem urn:jboss:domain:keycloak-server:1.1
>
> ------------------------------------------------------------------------------------------------------------------
> And my last answer was:
> Thanks, but it doesn't work for me. Step 1 and Step 3 are clear for me.
> For Step 2 I have to add the whole infinispan:
>
>   name="users"/>
>   module="org.wildfly.clustering.server"> name="default">
>   name="web" default-cache="passivation" module="org.wildfly.clustering.web.infinispan"> name="passivation">
>   passivation="false" purge="false"/>
>   default-cache="passivation" module="org.wildfly.clustering.ejb.infinispan"> name="passivation">
>   passivation="false" purge="false"/>
>   default-cache="local-query" module="org.hibernate.infinispan"> mode="NON_XA"/> max-entries="10000"/>
>   name="local-query"> max-entries="10000"/>
>   name="timestamps"/>
>
> because it was missing completely. After running the system with such an *.xml, starting
> auth wasn't possible.
>
> I attached my domain.xml with the last updated steps mentioned below.
>
> Thanks for your answer and Best Regards
> Andrej.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151105/56fe8b8a/attachment-0001.html

From sthorger at redhat.com Thu Nov 5 14:54:30 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 5 Nov 2015 20:54:30 +0100
Subject: [keycloak-user] Infinite loop in all browsers except Edge
In-Reply-To:
References:
Message-ID:

You need to initialize Keycloak before AngularJS is initialized.
Otherwise Angular and Keycloak fight over rewriting the URL and you end up
with the infinite loop. It probably only works in Edge because it's slow ;)

We've got around this by not using ng-app to bootstrap Angular, but instead
bootstrap it from within the Keycloak init method. It's a bit of a hack, but
we haven't had the resources to write a proper Angular plugin for Keycloak.
Take a look at:
https://github.com/keycloak/keycloak/blob/master/examples/demo-template/angular-product-app/src/main/webapp/js/app.js#L23

On 3 November 2015 at 07:11, Stuart Jacobs wrote:
> Good Day,
>
> I am working on an angular administration web project using wildfly 8.2
> with Keycloak.
>
> The base url to my site is http://localhost:9000/#/dashboard/home.
>
> Keycloak does a successful login when using the new Edge browser from
> Windows but in any other browser it goes into an infinite loop between the
> landing page url and the landing page url appended with the token provided
> by Keycloak.
>
> I specify my redirect uri as http://localhost:9000/* because if I specify
> the full landing page uri it returns invalid. I presume this is due to the
> # anchor symbol in the uri?
>
> My question is what is a possible cause of this infinite loop and what is
> the correct way to keep the # anchor and specify specific redirect uri's?
>
> Kind Regards
> Stuart Jacobs
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151105/126f4d20/attachment.html

From sthorger at redhat.com Thu Nov 5 14:57:09 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 5 Nov 2015 20:57:09 +0100
Subject: [keycloak-user] Enhance Keycloak with Certificate Authority
In-Reply-To: <5637A045.9030704@redhat.com>
References: <5637A045.9030704@redhat.com>
Message-ID:

Hi,

Thanks to Giriraj we have parts of the initial POC done. However, we don't
currently have the resources required to complete the implementation and get
it production ready. We may provide something around this in 2016, but I
can't give you any guarantees or dates ATM.

On 2 November 2015 at 18:41, Charles Moulliard wrote:
> Hi,
>
> During this summer a Google project has been designed to Enhance
> Keycloak with Certificate Authority. Does somebody know if the code has
> been integrated within a Keycloak release/snapshot?
>
> https://www.google-melange.com/gsoc/project/details/google/gsoc2015/girirajsharma/5693417237512192
>
> Regards,
>
> Charles
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151105/5168e5b7/attachment.html

From sthorger at redhat.com Thu Nov 5 14:57:37 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 5 Nov 2015 20:57:37 +0100
Subject: [keycloak-user] Bug in AbstractClaimMapper class
In-Reply-To:
References:
Message-ID:

JIRA please

On 3 November 2015 at 07:50, Lohitha Chiranjeewa wrote:
> We came across an issue when integrating a custom OIDC IDP and mapping
> roles into it. When we have a list of external roles to map into Keycloak
> roles, the process fails.
>
> The issue is at the bottom of the valueEquals(String, Object) method in
> the AbstractClaimMapper class. When the incoming Object is a list, it just
> performs the comparison with the first element and returns...
>
>     ...
>     } else if (value instanceof List) {
>         List list = (List)value;
>         for (Object val : list) {
>             return valueEquals(desiredValue, val);
>         }
>     }
>     ...
>
> Instead the code should be something like this:
>
>     ...
>     } else if (value instanceof List) {
>         List list = (List)value;
>         for (Object val : list) {
>             if (valueEquals(desiredValue, val)) return true;
>         }
>     }
>     ...
>
> Regards,
> Lohitha
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
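A standalone reproduction of the loop Lohitha describes, added here and not taken from Keycloak's AbstractClaimMapper (the String branch is simplified; the real method also compares other scalar types): the buggy copy returns after comparing only the first list element, while the fixed copy keeps scanning. The class name and the sample roles claim are constructed for the example.

```java
import java.util.Arrays;
import java.util.List;

/** Hypothetical stand-in for the claim comparison, so the two variants can be run side by side. */
public class ClaimListMatch {

    /** Buggy variant: 'return' inside the for loop means only list.get(0) is ever compared. */
    static boolean valueEqualsBuggy(String desiredValue, Object value) {
        if (value instanceof String) {
            return desiredValue.equals(value);
        } else if (value instanceof List) {
            List<?> list = (List<?>) value;
            for (Object val : list) {
                return valueEqualsBuggy(desiredValue, val);
            }
        }
        return false;
    }

    /** Fixed variant: return true on the first matching element, false only after the whole list. */
    static boolean valueEqualsFixed(String desiredValue, Object value) {
        if (value instanceof String) {
            return desiredValue.equals(value);
        } else if (value instanceof List) {
            for (Object val : (List<?>) value) {
                if (valueEqualsFixed(desiredValue, val)) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample: an external IdP sends several roles in one multi-valued claim.
        Object rolesClaim = Arrays.asList("viewer", "editor", "admin");

        // Mapping "admin" onto a Keycloak role: the buggy variant never sees it.
        System.out.println("buggy, admin : " + valueEqualsBuggy("admin", rolesClaim));   // false
        System.out.println("fixed, admin : " + valueEqualsFixed("admin", rolesClaim));   // true

        // Only a role that happens to be first in the list matches with the buggy variant.
        System.out.println("buggy, viewer: " + valueEqualsBuggy("viewer", rolesClaim));  // true

        // Empty list and non-list values behave the same in both variants.
        System.out.println("fixed, empty : " + valueEqualsFixed("admin", Arrays.asList())); // false
    }
}
```

The failure is fail-closed: a user whose matching external role is not first in the claim list gets no Keycloak role mapped, which surfaces as missing permissions rather than extra ones, so the symptom to watch for is users unexpectedly denied after brokered login.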
From sthorger at redhat.com Thu Nov 5 15:00:00 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 5 Nov 2015 21:00:00 +0100
Subject: [keycloak-user] disable edit account after password reset
In-Reply-To: <5638D065.7070502@first8.nl>
References: <5638D065.7070502@first8.nl>
Message-ID:

The user should not be redirected to the account page - can you confirm if
this still happens in 1.6.1?

On 3 November 2015 at 16:19, Mark Hayen wrote:
> Hi,
>
> Is it possible to disable the Edit Account page?
> Currently (keycloak 1.4.0) users who click on the link in the password
> reset email get redirected to the Edit Account page.
>
> I would like them to get redirected to my application.
> How should I approach this?
>
> Thx
> Mark Hayen
> First8.nl
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151105/038bbf8d/attachment.html

From sthorger at redhat.com Thu Nov 5 15:00:56 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 5 Nov 2015 21:00:56 +0100
Subject: [keycloak-user] Possible bug: Changing of role description via REST API causes deleting of role name
In-Reply-To:
References:
Message-ID:

JIRA please

On 4 November 2015 at 15:18, Andrej P wrote:
> *Description:* I want to add or change the role description via the REST API
> interface
>
> *Details:* In the request body only the attribute "description" (from role
> description) is set (see request body section)
> *Usecases from API specification:* *Update a role by name* and *Update
> the role*
> *Request body:*
>
>     {
>       "description":"manage realm role of UNI-4/4. Add/delete/update of users."
>     }
>
> *Observed reaction:* after the request, the parameter "name" is missing in
> the role.
> *Result:* (of REST API Get all roles for the realm or client)
>
>     {
>       "id": "da1f8c02-6823-4d86-8873-f2d533ba43fa",
>       "description": "manage realm role of UNI-4/4. Add/delete/update of users.",
>       "scopeParamRequired": false,
>       "composite": false
>     },
>
> Printscreen of result in GUI:
> [image: Inline image 1]
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151105/bac51323/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 79029 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20151105/bac51323/attachment-0001.png

From sthorger at redhat.com Thu Nov 5 15:02:45 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 5 Nov 2015 21:02:45 +0100
Subject: [keycloak-user] Can not logout from demo broker
In-Reply-To:
References: <865106505.776723.1446459238266.JavaMail.yahoo@mail.yahoo.com> <56376C33.4010305@redhat.com>
Message-ID:

I came across this:
https://issues.jboss.org/browse/KEYCLOAK-2037

Maybe it's the same issue here?
On 4 November 2015 at 16:35, Marko Strukelj wrote:
> On Wed, Nov 4, 2015 at 4:10 PM, Andrej P wrote:
>
>> On Wed, Nov 4, 2015 at 3:48 PM, Marko Strukelj wrote:
>>
>>> Can you confirm that you see the following lines in
>>> your host-controller.log:
>>>
>>> [Server:authentication-server-demosetup] 15:58:23,220 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 72) WFLYUT0021: Registered web context: /auth
>>> [Server:authentication-server-demosetup] 15:58:23,267 INFO [org.jboss.as.server] (ServerService Thread Pool -- 36) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
>>>
>> No, these lines are missing in the log.
>>
>
> That's the root of your problem then. Keycloak server subsystem doesn't
> seem to be initialized at all.
> From your config files it follows that your
> 'authentication-server-demosetup' server is using the 'group-authentication'
> group, and the 'group-authentication' group is using the 'idbt-ha' profile, and
> the 'idbt-ha' profile contains the keycloak-server subsystem declaration ...
>
> I see no reason for Keycloak server to not get initialized.
>
> I'm sorry to say, but I'm out of ideas. If I were you I would try from
> scratch with an OOTB domain.xml, and host.xml, and set up Keycloak server
> without any additional applications deployed, following the instructions I
> described previously - just get server-one, and server-two using the same
> group tied to the full-ha profile. That way you should get Keycloak up and
> running. Then I would slowly evolve the configuration towards what you have
> now. Somewhere during that process there must be a step that breaks
> things, and it's not obvious what that step is.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151105/021b6fc4/attachment.html

From mstrukel at redhat.com Thu Nov 5 17:26:28 2015
From: mstrukel at redhat.com (Marko Strukelj)
Date: Thu, 5 Nov 2015 23:26:28 +0100
Subject: [keycloak-user] Can not logout from demo broker
In-Reply-To:
References: <865106505.776723.1446459238266.JavaMail.yahoo@mail.yahoo.com> <56376C33.4010305@redhat.com>
Message-ID:

@Andrej, try to use the following instructions to set up Keycloak in domain
mode. These instructions work for me, so if you follow them precisely they
should also work for you.

This setup approach assumes that you may want to deploy your secured
applications into the same server(s) running Keycloak server.

Download keycloak-demo-1.6.1.Final.zip from
http://keycloak.jboss.org/keycloak/downloads.

    unzip ~/Downloads/keycloak-demo-1.6.1.Final.zip
    cd keycloak-demo-1.6.1.Final/keycloak

Open for edit: domain/configuration/domain.xml

Add to section:

The second one is for securing your deployed .wars with Keycloak server.

Scroll down to

Add to section:

    jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE
    h2
    sa
    sa

Add to section:

Before the ending add:

    auth

The second one is for securing your deployed .wars with Keycloak server.

Make sure that you really add all these sections to 'full-ha'. If you use
search or any kind of shortcuts to jump through the edited file, it is very
easy to end up in a different section. So double-check.

Now scroll further down to section, and change 'main-server-group' to use
the 'full-ha' profile:

Save the file.

Now start Keycloak in domain mode:

    bin/domain.sh

Observing the log, you should see many entries for 'server-one', and
'server-two'. You should also see two big stacktraces, as the server will try
to start up, and fail due to not being able to find the keycloak-server.json
file.
(The stacktrace should be more descriptive - the current error reporting a
NullPointerException is a bug.)

But that's good, it means that the keycloak-server subsystem was picked up,
and started to get initialized.

Running this results in two additional directories being created:
domain/servers/server-one and domain/servers/server-two

Now just copy the configuration from standalone to these two directories:

    mkdir domain/servers/server-one/configuration
    cp standalone/configuration/keycloak-server.json domain/servers/server-one/configuration/
    cp -r standalone/configuration/themes domain/servers/server-one/configuration/
    cp -r standalone/configuration/providers domain/servers/server-one/configuration/

    mkdir domain/servers/server-two/configuration
    cp standalone/configuration/keycloak-server.json domain/servers/server-two/configuration/
    cp -r standalone/configuration/themes domain/servers/server-two/configuration/
    cp -r standalone/configuration/providers domain/servers/server-two/configuration/

And start the server again:

    bin/domain.sh

You should now see the server start up without any errors.

You can now open Keycloak admin on server-one: http://localhost:8080/auth
And on server-two: http://localhost:8230/auth/

This procedure has always worked for me. If it fails for you then provide
your domain.xml, and stdout from the console with any stack traces.

On Thu, Nov 5, 2015 at 9:02 PM, Stian Thorgersen wrote:
> I came across this:
> https://issues.jboss.org/browse/KEYCLOAK-2037
>
> Maybe it's the same issue here?
>
> On 4 November 2015 at 16:35, Marko Strukelj wrote:
>
>> On Wed, Nov 4, 2015 at 4:10 PM, Andrej P wrote:
>>
>>> On Wed, Nov 4, 2015 at 3:48 PM, Marko Strukelj wrote:
>>>
>>>> Can you confirm that you see the following lines in
>>>> your host-controller.log:
>>>>
>>>> [Server:authentication-server-demosetup] 15:58:23,220 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 72) WFLYUT0021: Registered web context: /auth
>>>> [Server:authentication-server-demosetup] 15:58:23,267 INFO [org.jboss.as.server] (ServerService Thread Pool -- 36) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
>>>>
>>> No, these lines are missing in the log.
>>>
>>
>> That's the root of your problem then. Keycloak server subsystem doesn't
>> seem to be initialized at all.
>> From your config files it follows that your
>> 'authentication-server-demosetup' server is using the 'group-authentication'
>> group, and the 'group-authentication' group is using the 'idbt-ha' profile, and
>> the 'idbt-ha' profile contains the keycloak-server subsystem declaration ...
>>
>> I see no reason for Keycloak server to not get initialized.
>>
>> I'm sorry to say, but I'm out of ideas. If I were you I would try from
>> scratch with an OOTB domain.xml, and host.xml, and set up Keycloak server
>> without any additional applications deployed, following the instructions I
>> described previously - just get server-one, and server-two using the same
>> group tied to the full-ha profile. That way you should get Keycloak up and
>> running. Then I would slowly evolve the configuration towards what you have
>> now. Somewhere during that process there must be a step that breaks
>> things, and it's not obvious what that step is.
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151105/565e18c8/attachment-0001.html

From ornot2008 at yahoo.com Thu Nov 5 23:22:50 2015
From: ornot2008 at yahoo.com (Mai Zi)
Date: Fri, 6 Nov 2015 04:22:50 +0000 (UTC)
Subject: [keycloak-user] Can not make SAML2.0 work anyway.
References: <744518906.694629.1446783770600.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <744518906.694629.1446783770600.JavaMail.yahoo@mail.yahoo.com>

Hi there,

I am trying keycloak's brokering (version is 1.6.0). I have imported two
realms, saml-broker-realm.json and saml-broker-authentication-realm.json,
by following the readme in the broker example. It works fine (except failed
logout somehow).

Now I decided to give it more of a try and here are my steps:

1) Create a realm named testsaml; the saml descriptor can be found here:
   http://localhost:8080/auth/realms/testsaml/protocol/saml/descriptor
2) In the saml-broker-authentication-realm, create a new ID provider named
   saml by importing the URL above:
   http://localhost:8080/auth/realms/testsaml/protocol/saml/descriptor
3) Download the SP metadata named "keycloak.xml" from the export tab page.
4) Go to the testsaml realm, and create a client by importing the downloaded
   "keycloak.xml"
5) Open the page http://localhost:8080/saml-broker-authentication and you can
   see the ID provider named saml on the left.
6)
   Login with the ID provider but finally get the errors as below:

    Context Path: /auth
    Servlet Path:
    Path Info: /realms/saml-broker-authentication-realm/broker/saml/endpoint
    Query String: null
    Stack Trace
    java.lang.RuntimeException: request path: /auth/realms/saml-broker-authentication-realm/broker/saml/endpoint
        org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:75)
        ......

So what happened with my configuration? Did I miss something?

T.I.A.
Maizi

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151106/7779e38c/attachment.html

From Tero.Ahonen at cybercom.com Fri Nov 6 06:36:58 2015
From: Tero.Ahonen at cybercom.com (Tero Ahonen)
Date: Fri, 6 Nov 2015 11:36:58 +0000
Subject: [keycloak-user] Issue with Bearer only auth
Message-ID: <18BB5BD7-D0F3-4FB4-A11D-65778F200086@cybercom.com>

Hi,

I have a rest endpoint running on wildfly 9. Wildfly and the application are
set up to use Keycloak and requests to endpoints are intercepted with the
keycloak adapter. But it seems that it is not working. If the auth header is
not present keycloak just skips authentication and lets all requests through.
It doesn't matter whether I use curl or a browser.
Wilfly logs says (last line comes from servlet filter) 2015-11-06 13:10:23,962 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-17) adminRequest https://localhost:8443/foobar/endpoint 2015-11-06 13:10:23,969 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-17) --> authenticate() 2015-11-06 13:10:23,969 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-17) try bearer 2015-11-06 13:10:23,969 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-17) NOT_ATTEMPTED: bearer only 2015-11-06 13:10:23,970 DEBUG [org.keycloak.adapters.AuthenticatedActionsHandler] (default task-17) AuthenticatedActionsValve.invoke https://localhost:8443/foobar/endpoint 2015-11-06 13:10:23,970 INFO [stdout] (default task-17) GET:/foobar/endpoint If I add Authorization headar like this Authorization: Bearer 123 I get HTTP/1.1 401 Unauthorized WWW-Authenticate: Bearer realm="saas-pilot", error="invalid_token", error_description="Couldn't parse token? Is there something that I dont understand? I have tried with web.xml/keycloak.json and keycloak subsystem configuration methods, same outcome. Br, Tero -------------- next part -------------- An HTML attachment was scrubbed... 
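Returning to Mai Zi's SAML brokering steps above: the failure surfaced at /auth/realms/saml-broker-authentication-realm/broker/saml/endpoint, the broker endpoint that the SP metadata exported in step 3 must point at, so the two metadata documents the procedure exchanges are worth checking against each other before they are imported. The following is an added example, not code from the thread or from Keycloak: it parses the IdP descriptor published by the testsaml realm and the SP metadata ("keycloak.xml") exported from the broker realm, and reports inconsistencies (AssertionConsumerService not equal to the broker endpoint, no signing certificate, IdP requiring signed AuthnRequests that the SP does not sign). The SAML metadata and XML Signature namespaces are the standard ones; the base URL, realm names and alias come from the post, and the broker endpoint path follows the path in the reported stack trace. The two metadata documents embedded below are constructed: the certificate text is a placeholder and the SP entityID is an assumption, not what Keycloak necessarily exports.

```python
import xml.etree.ElementTree as ET

# Namespaces and binding URIs defined by SAML 2.0 metadata and XML Signature.
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

BASE_URL = "http://localhost:8080/auth"  # base URL used in the post


def broker_endpoint(base_url, realm, idp_alias):
    """Keycloak's SAML broker endpoint for an identity-provider alias in a realm;
    this is the path that appears in the reported stack trace."""
    return f"{base_url}/realms/{realm}/broker/{idp_alias}/endpoint"


def parse_idp_descriptor(xml_text):
    """Extract entityID, SSO endpoints and signing certificates from an IdP descriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall(f"{{{MD}}}SingleSignOnService")}
    certs = [c.text.strip()
             for kd in idp.findall(f"{{{MD}}}KeyDescriptor")
             if kd.get("use") in (None, "signing")  # no 'use' attribute means signing and encryption
             for c in kd.iter(f"{{{DS}}}X509Certificate")
             if c.text and c.text.strip()]
    return {"entity_id": root.get("entityID"),
            "sso": sso,
            "signing_certs": certs,
            "wants_signed_requests": idp.get("WantAuthnRequestsSigned") == "true"}


def parse_sp_metadata(xml_text):
    """Extract entityID and AssertionConsumerService endpoints from SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    acs = {a.get("Binding"): a.get("Location")
           for a in sp.findall(f"{{{MD}}}AssertionConsumerService")}
    return {"entity_id": root.get("entityID"),
            "acs": acs,
            "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true"}


def check_broker_pair(idp, sp, expected_acs):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    if not idp["entity_id"]:
        problems.append("IdP descriptor has no entityID")
    if HTTP_POST not in idp["sso"] and HTTP_REDIRECT not in idp["sso"]:
        problems.append("IdP offers neither HTTP-POST nor HTTP-Redirect SSO binding")
    if not idp["signing_certs"]:
        problems.append("IdP descriptor has no signing certificate; responses cannot be verified")
    if expected_acs not in set(sp["acs"].values()):
        problems.append(f"SP metadata ACS {sorted(sp['acs'].values())} does not include the broker endpoint {expected_acs}")
    if idp["wants_signed_requests"] and not sp["authn_requests_signed"]:
        problems.append("IdP requires signed AuthnRequests but SP metadata has AuthnRequestsSigned=false")
    return problems


# Constructed IdP descriptor standing in for what the testsaml realm publishes; the certificate is a placeholder.
IDP_DESCRIPTOR = f"""<EntityDescriptor xmlns="{MD}" xmlns:ds="{DS}" entityID="{BASE_URL}/realms/testsaml">
  <IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{HTTP_POST}" Location="{BASE_URL}/realms/testsaml/protocol/saml"/>
    <SingleSignOnService Binding="{HTTP_REDIRECT}" Location="{BASE_URL}/realms/testsaml/protocol/saml"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def sp_metadata(acs_location, signed="true"):
    """Constructed SP metadata in the shape of the 'keycloak.xml' export; using the ACS as entityID is an assumption."""
    return f"""<EntityDescriptor xmlns="{MD}" entityID="{acs_location}">
  <SPSSODescriptor AuthnRequestsSigned="{signed}" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="{HTTP_POST}" Location="{acs_location}" index="1" isDefault="true"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


EXPECTED_ACS = broker_endpoint(BASE_URL, "saml-broker-authentication-realm", "saml")
SP_GOOD = sp_metadata(EXPECTED_ACS)
# A wrong export: SP metadata from a different realm, so the IdP would post the response elsewhere.
SP_WRONG_REALM = sp_metadata(broker_endpoint(BASE_URL, "saml-broker-realm", "saml"), signed="false")


def run_checks():
    idp = parse_idp_descriptor(IDP_DESCRIPTOR)
    return {"good": check_broker_pair(idp, parse_sp_metadata(SP_GOOD), EXPECTED_ACS),
            "wrong_realm": check_broker_pair(idp, parse_sp_metadata(SP_WRONG_REALM), EXPECTED_ACS)}


if __name__ == "__main__":
    for name, problems in run_checks().items():
        print(name, "->", problems or "consistent")
```

Against a live server the two documents would be fetched from the descriptor URL in step 1 and the export tab in step 3; the check is the same. A mismatch in the ACS location means the IdP posts its response to an endpoint other than the broker that started the flow, which is one way to end up with a raw RuntimeException at the broker endpoint rather than a clean SAML error.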
From alex_orl1079 at yahoo.it Fri Nov 6 07:50:40 2015
From: alex_orl1079 at yahoo.it (alex orl)
Date: Fri, 6 Nov 2015 12:50:40 +0000 (UTC)
Subject: [keycloak-user] Bug on consecutive logins after a wrong password
References: <792802835.1246901.1446814240626.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <792802835.1246901.1446814240626.JavaMail.yahoo@mail.yahoo.com>

Hi to all.

I have probably caught a bug in the Keycloak authentication flow. This is my use case:

Configuration:
1) I created a new realm, say "TestRealm"
2) I created one role: "testRole"
3) I created two users: "userTest1" and "userTest2"
4) In the role mapping tab of each user I assigned "testRole" to both of them
5) In the credentials tab of each user I changed their password

Use case:
1) I try to access the account application from https://localhost:8444/auth/realms/TestRealm/account/
2) I enter username: userTest1, password: (a wrong password)
   The login page displays a tooltip saying "invalid username or password".
3) Without any page refresh I try to log in again with the second user: username: userTest2, password: (whatever, right or wrong)
   Keycloak catches an exception. The page displays:

   We're sorry ...
   Invalid username or password.
   << Back to Application

The Keycloak console displays this exception:

13:35:27,343 WARN  [org.keycloak.events] (default task-62) type=LOGIN_ERROR, realmId=44cefb3e-1b9e-4eb0-9cfe-267e0153b0de, clientId=account, userId=5c9afd4e-74f4-4c51-9015-d9d4a7ef883f, ipAddress=127.0.0.1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=https://localhost:8444/auth/realms/PROVA/account/login-redirect, code_id=2920658d-1137-4caa-a2a2-0c530555b81d, username=userTest
13:35:33,818 ERROR [org.keycloak.authentication.AuthenticationProcessor] (default task-72) failed authentication: USER_CONFLICT: org.keycloak.authentication.AuthenticationFlowException
    at org.keycloak.authentication.AuthenticationProcessor.setAutheticatedUser(AuthenticationProcessor.java:203)
    at org.keycloak.authentication.AuthenticationProcessor$Result.setUser(AuthenticationProcessor.java:332)
    at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUser(AbstractUsernameFormAuthenticator.java:129)
    at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:41)
    at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:34)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:62)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:54)
    at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:692)
    at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:307)
    at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:288)
    at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:334)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:59)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
13:35:33,819 WARN  [org.keycloak.events] (default task-72) type=LOGIN_ERROR, realmId=44cefb3e-1b9e-4eb0-9cfe-267e0153b0de, clientId=account, userId=null, ipAddress=127.0.0.1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=https://localhost:8444/auth/realms/PROVA/account/login-redirect, code_id=2920658d-1137-4caa-a2a2-0c530555b81d, username=userTest2

I experienced this error while debugging my custom user federation provider, so I tried to replicate it in a clean setup like the one described in the use case above. Debugging my user federation provider I could see the real authentication flow:

When userTest1 logs in, the flow starts from:

UsernamePasswordForm.action() ---> validateUser ---> ... ---> UserFederationProvider.isValid() ---> ... ---> UsernamePasswordForm.validatePassword() ---> authenticate

When userTest2 logs in after userTest1's failure, the flow starts from UserFederationProvider.isValid():

UserFederationProvider.isValid() (the AuthenticationFlowContext user is still userTest1) ---> ... ---> UsernamePasswordForm.action() ---> validateUser ---> ... ---> UserFederationProvider.isValid() ---> ... ---> exception on Context.set(user).

It seems like the Context is not cleaned after the first wrong login attempt, bringing the userTest1 user object along into the second one. So when Keycloak tries to set the new user object it catches a USER_CONFLICT exception.
From sthorger at redhat.com Fri Nov 6 07:58:07 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 6 Nov 2015 13:58:07 +0100
Subject: [keycloak-user] Bug on consecutive logins after a wrong password
In-Reply-To: <792802835.1246901.1446814240626.JavaMail.yahoo@mail.yahoo.com>
References: <792802835.1246901.1446814240626.JavaMail.yahoo.ref@mail.yahoo.com> <792802835.1246901.1446814240626.JavaMail.yahoo@mail.yahoo.com>

What version?

On 6 November 2015 at 13:50, alex orl wrote:
> Hi to all.
> I have probably caught a bug in the Keycloak authentication flow.
> This is my use case:
> Configuration:
> 1) I created a new realm, say "TestRealm"
> 2) I created one role: "testRole"
> 3) I created two users: "userTest1" and "userTest2"
> 4) In the role mapping tab of each user I assigned "testRole" to both of them
> 5) In the credentials tab of each user I changed their password
>
> Use case:
> 1) I try to access the account application from https://localhost:8444/auth/realms/TestRealm/account/
> 2) I enter username: userTest1, password: (a wrong password)
>    The login page displays a tooltip saying "invalid username or password".
> 3) Without any page refresh I try to log in again with the second user: username: userTest2, password: (whatever, right or wrong)
>    Keycloak catches an exception. The page displays:
>    We're *sorry* ...
>    Invalid username or password.
>    << Back to Application
>
> The Keycloak console displays this exception:
> 13:35:27,343 WARN  [org.keycloak.events] (default task-62) type=LOGIN_ERROR, realmId=44cefb3e-1b9e-4eb0-9cfe-267e0153b0de, clientId=account, userId=5c9afd4e-74f4-4c51-9015-d9d4a7ef883f, ipAddress=127.0.0.1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=https://localhost:8444/auth/realms/PROVA/account/login-redirect, code_id=2920658d-1137-4caa-a2a2-0c530555b81d, username=userTest
> 13:35:33,818 ERROR [org.keycloak.authentication.AuthenticationProcessor] (default task-72) failed authentication: USER_CONFLICT: org.keycloak.authentication.AuthenticationFlowException
>     at org.keycloak.authentication.AuthenticationProcessor.setAutheticatedUser(AuthenticationProcessor.java:203)
>     at org.keycloak.authentication.AuthenticationProcessor$Result.setUser(AuthenticationProcessor.java:332)
>     at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUser(AbstractUsernameFormAuthenticator.java:129)
>     [...]
> 13:35:33,819 WARN  [org.keycloak.events] (default task-72) type=LOGIN_ERROR, realmId=44cefb3e-1b9e-4eb0-9cfe-267e0153b0de, clientId=account, userId=null, ipAddress=127.0.0.1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=https://localhost:8444/auth/realms/PROVA/account/login-redirect, code_id=2920658d-1137-4caa-a2a2-0c530555b81d, username=userTest2
>
> I experienced this error while debugging my custom user federation provider, so I tried to replicate it in a clean setup like the one described in the use case above. Debugging my user federation provider I could see the real authentication flow:
>
> When userTest1 logs in, the flow starts from:
>
> UsernamePasswordForm.action() ---> validateUser ---> ... ---> UserFederationProvider.isValid() ---> ... ---> UsernamePasswordForm.validatePassword() ---> authenticate
>
> When userTest2 logs in after userTest1's failure, the flow starts from UserFederationProvider.isValid():
>
> UserFederationProvider.isValid() (the AuthenticationFlowContext user is still userTest1) ---> ... ---> UsernamePasswordForm.action() ---> validateUser ---> ... ---> UserFederationProvider.isValid() ---> ... ---> exception on Context.set(user).
>
> It seems like the Context is not cleaned after the first wrong login attempt, bringing the userTest1 user object along into the second one. So when Keycloak tries to set the new user object it catches a USER_CONFLICT exception.

From sthorger at redhat.com Fri Nov 6 07:59:38 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 6 Nov 2015 13:59:38 +0100
Subject: [keycloak-user] Issue with Bearer only auth
In-Reply-To: <18BB5BD7-D0F3-4FB4-A11D-65778F200086@cybercom.com>
References: <18BB5BD7-D0F3-4FB4-A11D-65778F200086@cybercom.com>

Did you put any security constraints on the endpoints?

On 6 November 2015 at 12:36, Tero Ahonen wrote:
> Hi,
>
> I have a REST endpoint running on WildFly 9.
>
> WildFly and the application are set up to use Keycloak, and requests to the endpoints are intercepted by the Keycloak adapter. But it seems that it is not working. If the auth header is not present, Keycloak just skips authentication and lets all requests through. It doesn't matter whether I use curl or a browser.
>
> The WildFly logs say (the last line comes from a servlet filter):
>
> 2015-11-06 13:10:23,969 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-17) NOT_ATTEMPTED: bearer only
> 2015-11-06 13:10:23,970 INFO  [stdout] (default task-17) GET:/foobar/endpoint
> [...]
>
> If I add an Authorization header like this:
>
> Authorization: Bearer 123
>
> I get HTTP/1.1 401 Unauthorized
>
> WWW-Authenticate: Bearer realm="saas-pilot", error="invalid_token", error_description="Couldn't parse token"
>
> Is there something that I don't understand?
>
> I have tried both the web.xml/keycloak.json and the Keycloak subsystem configuration methods, same outcome.
>
> Br,
> Tero

From Tero.Ahonen at cybercom.com Fri Nov 6 08:06:21 2015
From: Tero.Ahonen at cybercom.com (Tero Ahonen)
Date: Fri, 6 Nov 2015 13:06:21 +0000
Subject: [keycloak-user] Issue with Bearer only auth
References: <18BB5BD7-D0F3-4FB4-A11D-65778F200086@cybercom.com>
Message-ID: <2CC66953-A221-4675-8568-8AD8869142C9@cybercom.com>

At first I had

<security-constraint>
    <web-resource-collection>
        <web-resource-name>foobar</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Then added

    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>

And it started working.

So without an auth-constraint all requests are OK even if the token is not present or is invalid.

Br,
Tero

On 06 Nov 2015, at 14:59, Stian Thorgersen wrote:
> Did you put any security constraints on the endpoints?
>
> On 6 November 2015 at 12:36, Tero Ahonen wrote:
>> Hi,
>>
>> I have a REST endpoint running on WildFly 9.
>>
>> WildFly and the application are set up to use Keycloak, and requests to the endpoints are intercepted by the Keycloak adapter. But it seems that it is not working. If the auth header is not present, Keycloak just skips authentication and lets all requests through. It doesn't matter whether I use curl or a browser.
>> [...]
>> Br,
>> Tero
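What Tero observed is the servlet security model rather than an adapter fault: a security-constraint that carries only a user-data-constraint (CONFIDENTIAL) forces TLS on the matched URLs but does not require the caller to be authenticated, so the adapter logs "NOT_ATTEMPTED: bearer only" and lets the anonymous request through; the auth-constraint is what makes it demand a bearer token and answer 401 without one. A second weakness in the same fragment is easy to miss: listing http-method elements constrains only GET and POST, so other methods to /* stay uncovered unless the Servlet 3.1 deny-uncovered-http-methods element is present. The following is an added example, not code from the thread or from Keycloak, that audits a web.xml for both conditions. The web.xml documents it builds are constructed to mirror the two configurations in Tero's reply, with the web-resource-name and the realm name taken from his messages; the KEYCLOAK auth-method is the one the Keycloak adapter registers.

```python
import xml.etree.ElementTree as ET


def _local(tag):
    """web.xml may or may not declare the Java EE namespace; compare local names only."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    found = _children(elem, name)
    return found[0].text.strip() if found and found[0].text else None


def audit_security_constraints(web_xml):
    """Return one finding per url-pattern that is weaker than it looks.

    Check 1: a <security-constraint> without <auth-constraint> only enforces its
    transport guarantee, so anonymous requests are let through.
    Check 2: an <http-method> list constrains only the listed methods; the rest stay
    uncovered unless <deny-uncovered-http-methods/> (Servlet 3.1) is declared.
    """
    root = ET.fromstring(web_xml)
    deny_uncovered = bool(_children(root, "deny-uncovered-http-methods"))
    findings = []
    for sc in _children(root, "security-constraint"):
        has_auth = bool(_children(sc, "auth-constraint"))  # an empty <auth-constraint/> denies everyone, still counts
        udc = _children(sc, "user-data-constraint")
        guarantee = _text(udc[0], "transport-guarantee") if udc else "NONE"
        for wrc in _children(sc, "web-resource-collection"):
            name = _text(wrc, "web-resource-name")
            methods = [m.text.strip() for m in _children(wrc, "http-method")]
            for pattern in (p.text.strip() for p in _children(wrc, "url-pattern")):
                if not has_auth:
                    findings.append({"resource": name, "pattern": pattern,
                                     "issue": f"no auth-constraint: transport-guarantee {guarantee} only, anonymous requests pass"})
                if methods and not deny_uncovered:
                    findings.append({"resource": name, "pattern": pattern,
                                     "issue": f"http-method list {','.join(methods)} leaves other methods uncovered"})
    return findings


def web_xml(auth_constraint="", deny_uncovered=False):
    """Constructed web.xml mirroring Tero's configuration; realm name from his log output."""
    deny = "<deny-uncovered-http-methods/>" if deny_uncovered else ""
    return f"""<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>foobar</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    {auth_constraint}
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  {deny}
  <login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>saas-pilot</realm-name>
  </login-config>
</web-app>"""


AUTH_ANY_USER = "<auth-constraint><role-name>*</role-name></auth-constraint>"

WEB_XML_BEFORE = web_xml()                                       # Tero's first attempt: TLS only
WEB_XML_AFTER = web_xml(AUTH_ANY_USER)                           # after adding the auth-constraint
WEB_XML_HARDENED = web_xml(AUTH_ANY_USER, deny_uncovered=True)   # also closes the unlisted methods


if __name__ == "__main__":
    for label, doc in (("before", WEB_XML_BEFORE), ("after", WEB_XML_AFTER), ("hardened", WEB_XML_HARDENED)):
        for finding in audit_security_constraints(doc) or [{"issue": "no findings"}]:
            print(label, "->", finding["issue"])
```

Run it against the deployed WEB-INF/web.xml before trusting a curl test: a 401 for GET with a bad token, as in Tero's test, says nothing about PUT or DELETE on the same path. The same audit applies to constraints declared via the keycloak subsystem, since those still rely on web.xml for the security-constraint elements.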
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151106/65234b21/attachment.html From alex_orl1079 at yahoo.it Fri Nov 6 08:06:38 2015 From: alex_orl1079 at yahoo.it (alex orl) Date: Fri, 6 Nov 2015 13:06:38 +0000 Subject: [keycloak-user] R: Re: Bug on consecutive logins after a wrong password In-Reply-To: Message-ID: <1446815198.13970.YahooMailAndroidMobile@web172306.mail.ir2.yahoo.com> Sorry version is 1.5.0 final Da:"Stian Thorgersen" Data:ven, 6 nov, 2015 alle 13:58 Oggetto:Re: [keycloak-user] Bug on consecutive logins after a wrong password What version? On 6 November 2015 at 13:50, alex orl wrote: Hi to all. Probably i catched a bug in the keycloak authentication flow. This is my user case: Configuration: 1) I've created a new realm, say "TestRealm" 2) I've created 1 role: "testRole" 3) I've created 2 users: "userTest1" and "userTest2" 4) In the role mapping tab of each user i've assigned "testRole" to both of them 5) In the credential tab of each user i've changed their pwd Use case: 1) I try to access the account application from:?https://localhost:8444/auth/realms/TestRealm/account/ 2) I insert username: userTest1 ? ? ? ? ? ? ? ? pwd: (a wrong password) Login page displays a tooltip saying "invalid username or password" 3) Withouth any page refreshing i try to login again with second user: ? ? ? ? ? ? ?username: userTest2: ? ? ? ? ? ? ?pwd: (whatever right or wrong password) Keycloak catch an exception: The page displays: ????????????????????????? ? ? ? We're sorry ... ????????????????????????????????Invalid username or password. ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 
?<< Back to Application Keycloak console displays this exception: 13:35:27,343 WARN ?[org.keycloak.events] (default task-62) type=LOGIN_ERROR, realmId=44cefb3e-1b9e-4eb0-9cfe-267e0153b0de, clientId=account, userId=5c9afd4e-74f4-4c51-9015-d9d4a7ef883f, ipAddress=127.0.0.1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=https://localhost:8444/auth/realms/PROVA/account/login-redirect, code_id=2920658d-1137-4caa-a2a2-0c530555b81d, username=userTest 13:35:33,818 ERROR [org.keycloak.authentication.AuthenticationProcessor] (default task-72) failed authentication: USER_CONFLICT: org.keycloak.authentication.AuthenticationFlowException at org.keycloak.authentication.AuthenticationProcessor.setAutheticatedUser(AuthenticationProcessor.java:203) at org.keycloak.authentication.AuthenticationProcessor$Result.setUser(AuthenticationProcessor.java:332) at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUser(AbstractUsernameFormAuthenticator.java:129) at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:41) at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:34) at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:62) at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:54) at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:692) at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:307) at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:288) at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:334) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:59) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at 
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261) at 
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745)

13:35:33,819 WARN [org.keycloak.events] (default task-72) type=LOGIN_ERROR, realmId=44cefb3e-1b9e-4eb0-9cfe-267e0153b0de, clientId=account, userId=null, ipAddress=127.0.0.1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=https://localhost:8444/auth/realms/PROVA/account/login-redirect, code_id=2920658d-1137-4caa-a2a2-0c530555b81d, username=userTest2

I experienced this error while debugging my custom user federation provider. So I tried to replicate it in a clean situation, as described in the use case above. Debugging my user federation provider I could work out the real authentication flow:

When userTest1 logs in the flow starts from:

UsernamePasswordForm.action() ---> validateUser ---> UserFederationProvider.isValid() ----> ... ... ... ---> UsernamePasswordForm.validatePassword() ----> authenticate

When userTest2 logs in after userTest1's failure the flow starts from UserFederationProvider.isValid():

UserFederationProvider.isValid() (the AuthenticationFlowContext user is still userTest1) ---> ... ----> UsernamePasswordForm.action() ---> validateUser ---> UserFederationProvider.isValid() ----> ... ... ... ---> Exception on Context.set(user).

It seems like the Context is not cleaned after the first wrong login attempt, bringing the userTest1 user object with it into the second one. So when Keycloak tries to set the new user object it catches a USER_CONFLICT exception.
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151106/dabe9bfb/attachment-0001.html

From ado.boj.83 at gmail.com Fri Nov 6 08:59:58 2015
From: ado.boj.83 at gmail.com (Andrej P)
Date: Fri, 6 Nov 2015 14:59:58 +0100
Subject: [keycloak-user] Possible bug: Changing of role description via REST API causes deleting of role name
In-Reply-To:
References:
Message-ID:

The possible bug was tested now on version 1.6.1 and there it is solved. Is it possible that it was only in 1.6.0?

On Thu, Nov 5, 2015 at 9:00 PM, Stian Thorgersen wrote:
> JIRA please
>
> On 4 November 2015 at 15:18, Andrej P wrote:
>
>> *Description:* I want to add or change role description via REST API interface
>>
>> *Details:* In the request body only the attribute "description" (from role description) is set (see request body section)
>> *Usecases from API specification:* *Update a role by name* and *Update the role*
>> *Request body:*
>>
>> {
>>   "description":"manage realm role of UNI-4/4. Add/delete/update of users."
>> }
>>
>> *Observed reaction:* after the request, the parameter "name" is missing in the role.
>> *Result:* (of REST API Get all roles for the realm or client)
>>
>> {
>>   "id": "da1f8c02-6823-4d86-8873-f2d533ba43fa",
>>   "description": "manage realm role of UNI-4/4. Add/delete/update of users.",
>>   "scopeParamRequired": false,
>>   "composite": false
>> },
>>
>> Printscreen of result in GUI:
>> [image: Inline image 1]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 79029 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20151106/e803cc3a/attachment-0001.png

From sthorger at redhat.com Fri Nov 6 09:04:22 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 6 Nov 2015 15:04:22 +0100
Subject: [keycloak-user] Bug on consecutive logins after a wrong password
In-Reply-To: <1446815198.13970.YahooMailAndroidMobile@web172306.mail.ir2.yahoo.com>
References: <1446815198.13970.YahooMailAndroidMobile@web172306.mail.ir2.yahoo.com>
Message-ID:

I believe this is already fixed in 1.6.1.Final.

On 6 November 2015 at 14:06, alex orl wrote:
> Sorry, version is 1.5.0 final
>
> ------------------------------
> *From*: "Stian Thorgersen"
> *Date*: Fri, 6 Nov 2015 at 13:58
> *Subject*: Re: [keycloak-user] Bug on consecutive logins after a wrong password
>
> What version?
>
> On 6 November 2015 at 13:50, alex orl wrote:
>
>> Hi to all.
>> Probably I caught a bug in the keycloak authentication flow.
>> This is my use case:
>>
>> Configuration:
>> 1) I've created a new realm, say "TestRealm"
>> 2) I've created 1 role: "testRole"
>> 3) I've created 2 users: "userTest1" and "userTest2"
>> 4) In the role mapping tab of each user I've assigned "testRole" to both of them
>> 5) In the credential tab of each user I've changed their pwd
>>
>> Use case:
>> 1) I try to access the account application from:
>> https://localhost:8444/auth/realms/TestRealm/account/
>>
>> 2) I insert username: userTest1
>>    pwd: (a wrong password)
>>
>> Login page displays a tooltip saying "invalid username or password"
>>
>> 3) Without any page refreshing I try to login again with the second user:
>>    username: userTest2
>>    pwd: (whatever right or wrong password)
>>
>> Keycloak catches an exception:
>> The page displays:
>> We're *sorry* ...
>> Invalid username or password.
>> << Back to Application
>>
>> Keycloak console displays this exception:
>> 13:35:27,343 WARN [org.keycloak.events] (default task-62) type=LOGIN_ERROR, realmId=44cefb3e-1b9e-4eb0-9cfe-267e0153b0de, clientId=account, userId=5c9afd4e-74f4-4c51-9015-d9d4a7ef883f, ipAddress=127.0.0.1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=https://localhost:8444/auth/realms/PROVA/account/login-redirect, code_id=2920658d-1137-4caa-a2a2-0c530555b81d, username=userTest
>> 13:35:33,818 ERROR [org.keycloak.authentication.AuthenticationProcessor] (default task-72) failed authentication: USER_CONFLICT: org.keycloak.authentication.AuthenticationFlowException
>> at org.keycloak.authentication.AuthenticationProcessor.setAutheticatedUser(AuthenticationProcessor.java:203)
>> at org.keycloak.authentication.AuthenticationProcessor$Result.setUser(AuthenticationProcessor.java:332)
>> at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUser(AbstractUsernameFormAuthenticator.java:129)
>> at
org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:41) >> at >> org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:34) >> at >> org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:62) >> at >> org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:54) >> at >> org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:692) >> at >> org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:307) >> at >> org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:288) >> at >> org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:334) >> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >> at >> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) >> at >> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) >> at java.lang.reflect.Method.invoke(Method.java:497) >> at >> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) >> at >> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) >> at >> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) >> at >> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) >> at >> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) >> at >> 
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) >> at >> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) >> at >> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) >> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >> at >> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86) >> at >> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) >> at >> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:59) >> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) >> at >> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) >> at >> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) >> at >> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) >> at >> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) >> at >> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) >> at >> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) >> at >> 
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >> at >> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) >> at >> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72) >> at >> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) >> at >> io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282) >> at >> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261) >> at >> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80) >> at >> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172) >> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199) >> at >> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774) >> at >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >> at >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >> at java.lang.Thread.run(Thread.java:745) >> >> 13:35:33,819 WARN [org.keycloak.events] (default task-72) >> type=LOGIN_ERROR, realmId=44cefb3e-1b9e-4eb0-9cfe-267e0153b0de, >> clientId=account, 
>> userId=null, ipAddress=127.0.0.1,
>> error=invalid_user_credentials, auth_method=openid-connect, auth_type=code,
>> redirect_uri=https://localhost:8444/auth/realms/PROVA/account/login-redirect,
>> code_id=2920658d-1137-4caa-a2a2-0c530555b81d, username=userTest2
>>
>> I experienced this error while debugging my custom user federation provider. So I tried to replicate it in a clean situation, as described in the use case above.
>> Debugging my user federation provider I could work out the real authentication flow:
>>
>> When userTest1 logs in the flow starts from:
>>
>> UsernamePasswordForm.action() ---> validateUser ---> UserFederationProvider.isValid() ----> ... ... ... ---> UsernamePasswordForm.validatePassword() ----> authenticate
>>
>> When userTest2 logs in after userTest1's failure the flow starts from UserFederationProvider.isValid():
>>
>> UserFederationProvider.isValid() (the AuthenticationFlowContext user is still userTest1) ---> ... ----> UsernamePasswordForm.action() ---> validateUser ---> UserFederationProvider.isValid() ----> ... ... ... ---> Exception on Context.set(user).
>> It seems like the Context is not cleaned after the first wrong login attempt, bringing the userTest1 user object with it into the second one. So when Keycloak tries to set the new user object it catches a USER_CONFLICT exception.
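The two LOGIN_ERROR events quoted in this thread are the observable side of the bug: both carry the same code_id (one browser login session) but different usernames, and on the second one userId is null. As an added example, not part of any post in this thread, the following Python script parses Keycloak `[org.keycloak.events]` log lines of exactly this shape and groups failed logins by code_id, which is a way to confirm from the server log, rather than from a debugger, that a second username was tried inside an unfinished login session. The log text embedded in the script is constructed from the lines in the report; the field names and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the two events quoted in the report above, plus the
# AuthenticationProcessor line between them, which is not an event line and
# must be skipped by the parser.
SAMPLE_LOG = """\
13:35:27,343 WARN [org.keycloak.events] (default task-62) type=LOGIN_ERROR, realmId=44cefb3e-1b9e-4eb0-9cfe-267e0153b0de, clientId=account, userId=5c9afd4e-74f4-4c51-9015-d9d4a7ef883f, ipAddress=127.0.0.1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=https://localhost:8444/auth/realms/PROVA/account/login-redirect, code_id=2920658d-1137-4caa-a2a2-0c530555b81d, username=userTest
13:35:33,818 ERROR [org.keycloak.authentication.AuthenticationProcessor] (default task-72) failed authentication: USER_CONFLICT: org.keycloak.authentication.AuthenticationFlowException
13:35:33,819 WARN [org.keycloak.events] (default task-72) type=LOGIN_ERROR, realmId=44cefb3e-1b9e-4eb0-9cfe-267e0153b0de, clientId=account, userId=null, ipAddress=127.0.0.1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=https://localhost:8444/auth/realms/PROVA/account/login-redirect, code_id=2920658d-1137-4caa-a2a2-0c530555b81d, username=userTest2
"""

# Matches the prefix of a WildFly console line emitted by the
# org.keycloak.events logger; everything after the thread name is "k=v, k=v, ...".
EVENT_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2},\d{3}) +\w+ +\[org\.keycloak\.events\] +"
    r"\((?P<thread>[^)]*)\) +(?P<body>.*)$"
)


def parse_event(line):
    """Return a dict for one [org.keycloak.events] line, or None for any other line.
    The literal value 'null' (an unresolved user id) becomes None."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    event = {"time": m.group("time"), "thread": m.group("thread")}
    for item in m.group("body").split(", "):
        key, sep, value = item.partition("=")
        if sep:
            event[key] = None if value == "null" else value
    return event


def parse_events(text):
    """All event dicts found in a block of log text, in file order."""
    return [e for e in (parse_event(ln) for ln in text.splitlines()) if e]


def sessions_with_multiple_usernames(events):
    """Group LOGIN_ERROR events by code_id and return the sessions in which
    more than one distinct username was tried, with the usernames that were
    recorded without a resolved userId."""
    by_code = defaultdict(list)
    for e in events:
        if e.get("type") == "LOGIN_ERROR" and e.get("code_id"):
            by_code[e["code_id"]].append(e)
    flagged = {}
    for code_id, evs in by_code.items():
        names = [e.get("username") for e in evs]
        if len(set(names)) > 1:
            flagged[code_id] = {
                "usernames": names,
                "unresolved_user": [e["username"] for e in evs if e.get("userId") is None],
                "ipAddress": sorted({e.get("ipAddress") for e in evs}),
            }
    return flagged


if __name__ == "__main__":
    for code_id, info in sessions_with_multiple_usernames(parse_events(SAMPLE_LOG)).items():
        print(code_id, info)
```

Running the script on the constructed sample reports the single session with the usernames userTest and userTest2, the second of them without a resolved userId, which is the state the report describes. The same grouping, applied to a real server log, also surfaces username switching inside one login session as a pattern worth looking at in its own right.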
From sthorger at redhat.com Fri Nov 6 09:05:22 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 6 Nov 2015 15:05:22 +0100
Subject: [keycloak-user] Possible bug: Changing of role description via REST API causes deleting of role name
In-Reply-To:
References:
Message-ID:

Did you reproduce the issue on 1.6.0? I'm pretty sure there was no related fix in 1.6.0->1.6.1.

On 6 November 2015 at 14:59, Andrej P wrote:
> The possible bug was tested now on version 1.6.1 and there it is solved.
> Is it possible that it was only in 1.6.0?
>
> On Thu, Nov 5, 2015 at 9:00 PM, Stian Thorgersen wrote:
>
>> JIRA please
>>
>> On 4 November 2015 at 15:18, Andrej P wrote:
>>
>>> *Description:* I want to add or change role description via REST API interface
>>>
>>> *Details:* In the request body only the attribute "description" (from role description) is set (see request body section)
>>> *Usecases from API specification:* *Update a role by name* and *Update the role*
>>> *Request body:*
>>>
>>> {
>>>   "description":"manage realm role of UNI-4/4. Add/delete/update of users."
>>> }
>>>
>>> *Observed reaction:* after the request, the parameter "name" is missing in the role.
>>> *Result:* (of REST API Get all roles for the realm or client)
>>>
>>> {
>>>   "id": "da1f8c02-6823-4d86-8873-f2d533ba43fa",
>>>   "description": "manage realm role of UNI-4/4. Add/delete/update of users.",
>>>   "scopeParamRequired": false,
>>>   "composite": false
>>> },
>>>
>>> Printscreen of result in GUI:
>>> [image: Inline image 1]
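What Andrej's report shows is that the role update endpoint took the PUT body as the whole role representation, so a body carrying only "description" left the role without a name. Whether or not a given server version guards against that, the client-side pattern that is safe against it is read-modify-write: GET the full RoleRepresentation, change the one field, PUT the whole representation back, then GET again and verify. The Python below is an added example, not Keycloak's own client code and not from the thread. The admin API path `/admin/realms/{realm}/roles/{role-name}` is Keycloak's; the base URL, realm, role and bearer token are placeholders, and the `transport` parameter and `FakeKeycloak` class are constructions of this example so the merge logic can be exercised offline against a stand-in that replaces the stored representation wholesale on PUT.

```python
import json
from urllib.request import Request, urlopen

# Placeholders, constructed for this example: substitute real values.
BASE_URL = "https://keycloak.example/auth"   # placeholder server
REALM = "example-realm"                       # placeholder realm
TOKEN = "<admin-access-token>"                # placeholder bearer token


def role_url(base_url, realm, role_name):
    # Keycloak admin API path for a realm role addressed by name.
    return "%s/admin/realms/%s/roles/%s" % (base_url.rstrip("/"), realm, role_name)


def merge_role_update(current, changes):
    """Overlay the changed fields on the full representation the server
    returned, so fields we did not mean to touch (name, composite, ...)
    are sent back unchanged instead of being dropped."""
    if "id" in changes:
        raise ValueError("the role id is not updatable")
    merged = dict(current)
    merged.update(changes)
    if not merged.get("name"):
        # Never send a representation that would leave the role nameless.
        raise ValueError("refusing to PUT a role representation without a name")
    return merged


def safe_to_send(current, changes):
    """True when merge_role_update accepts the change set (used as a pre-flight check)."""
    try:
        merge_role_update(current, changes)
        return True
    except ValueError:
        return False


def http_transport(method, url, token, body=None):
    """Real transport: JSON over HTTP(S) with a bearer token. Not exercised
    offline; FakeKeycloak below stands in for it."""
    data = None if body is None else json.dumps(body).encode("utf-8")
    req = Request(url, data=data, method=method)
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def update_role_description(role_name, description, base_url=BASE_URL,
                            realm=REALM, token=TOKEN, transport=http_transport):
    """Read-modify-write: GET the full role, change one field, PUT it all
    back, then GET again and verify that only the description changed."""
    url = role_url(base_url, realm, role_name)
    current = transport("GET", url, token)
    transport("PUT", url, token, merge_role_update(current, {"description": description}))
    after = transport("GET", url, token)
    if after.get("name") != current.get("name") or after.get("description") != description:
        raise RuntimeError("role %r is not as expected after update: %r" % (role_name, after))
    return after


class FakeKeycloak:
    """Constructed stand-in for the admin endpoint (hypothetical, for offline use).
    PUT replaces the stored representation with the body as a whole, which is
    the behaviour that makes a partial body dangerous."""

    def __init__(self, roles):
        self.roles = roles   # role name -> representation dict

    def __call__(self, method, url, token, body=None):
        name = url.rsplit("/", 1)[1]
        if method == "GET":
            return dict(self.roles[name])
        if method == "PUT":
            self.roles[name] = dict(body)
            return None
        raise ValueError("unsupported method " + method)


if __name__ == "__main__":
    fake = FakeKeycloak({"uni-admin": {"id": "role-id-placeholder", "name": "uni-admin",
                                       "description": "old", "composite": False}})
    print(update_role_description("uni-admin", "manage realm role of UNI-4/4", transport=fake))
```

The verification GET after the PUT is the part worth keeping even when the merge looks obviously right: it is what turns "the name disappeared" from a surprise found later in the admin console into an immediate error at the call site.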
From sthorger at redhat.com Fri Nov 6 09:06:27 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 6 Nov 2015 15:06:27 +0100
Subject: [keycloak-user] Issue with Bearer only auth
In-Reply-To: <2CC66953-A221-4675-8568-8AD8869142C9@cybercom.com>
References: <18BB5BD7-D0F3-4FB4-A11D-65778F200086@cybercom.com> <2CC66953-A221-4675-8568-8AD8869142C9@cybercom.com>
Message-ID:

So it's working now? No auth-constraint = no need to authenticate ;)

On 6 November 2015 at 14:06, Tero Ahonen wrote:
> At first I had
>
> foobar
> /*
> GET
> POST
>
> CONFIDENTIAL
>
> Then added
>
> *
>
> And it started working.
>
> So without auth-constraint all requests are OK even if the token is not present or valid.
>
> Br,
> Tero
>
> On 06 Nov 2015, at 14:59 PM, Stian Thorgersen wrote:
>
> Did you put any security constraints on the endpoints?
>
> On 6 November 2015 at 12:36, Tero Ahonen wrote:
>
>> Hi,
>>
>> I have a rest endpoint running on Wildfly 9.
>>
>> Wildfly and the application are set up to use Keycloak and requests to endpoints are intercepted with the Keycloak adapter. But it seems that it is not working. If the auth header is not present Keycloak just skips authentication and lets all requests through. It doesn't matter whether I use curl or a browser.
>>
>> Wildfly log says (last line comes from the servlet filter):
>>
>> 2015-11-06 13:10:23,962 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-17) adminRequest https://localhost:8443/foobar/endpoint
>> 2015-11-06 13:10:23,969 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-17) --> authenticate()
>> 2015-11-06 13:10:23,969 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-17) try bearer
>> 2015-11-06 13:10:23,969 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-17) NOT_ATTEMPTED: bearer only
>> 2015-11-06 13:10:23,970 DEBUG [org.keycloak.adapters.AuthenticatedActionsHandler] (default task-17) AuthenticatedActionsValve.invoke https://localhost:8443/foobar/endpoint
>> 2015-11-06 13:10:23,970 INFO [stdout] (default task-17) GET:/foobar/endpoint
>>
>> If I add an Authorization header like this
>>
>> Authorization: Bearer 123
>>
>> I get HTTP/1.1 401 Unauthorized
>>
>> WWW-Authenticate: Bearer realm="saas-pilot", error="invalid_token", error_description="Couldn't parse token"
>>
>> Is there something that I don't understand?
>>
>> I have tried with the web.xml/keycloak.json and keycloak subsystem configuration methods, same outcome.
>>
>> Br,
>> Tero

From Tero.Ahonen at cybercom.com Fri Nov 6 09:11:23 2015
From: Tero.Ahonen at cybercom.com (Tero Ahonen)
Date: Fri, 6 Nov 2015 14:11:23 +0000
Subject: [keycloak-user] Issue with Bearer only auth
In-Reply-To:
References: <18BB5BD7-D0F3-4FB4-A11D-65778F200086@cybercom.com> <2CC66953-A221-4675-8568-8AD8869142C9@cybercom.com>
Message-ID:

It is working now.
Thanks,
Tero

On 06 Nov 2015, at 16:06 PM, Stian Thorgersen wrote:

> So it's working now? No auth-constraint = no need to authenticate ;)
From ornot2008 at yahoo.com Sat Nov 7 21:23:02 2015
From: ornot2008 at yahoo.com (Mai Zi)
Date: Sun, 8 Nov 2015 02:23:02 +0000 (UTC)
Subject: [keycloak-user] Fw: Can not make SAML2.0 work anyway.
In-Reply-To: <744518906.694629.1446783770600.JavaMail.yahoo@mail.yahoo.com>
References: <744518906.694629.1446783770600.JavaMail.yahoo.ref@mail.yahoo.com> <744518906.694629.1446783770600.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <1933622655.1471472.1446949382709.JavaMail.yahoo@mail.yahoo.com>

Hi,

Can anybody help me on this? Not sure why the post format shown in the forum is in a mess, so I attach the context as a text file.

T.I.A.

----- Forwarded Message -----
From: Mai Zi
To: "keycloak-user at lists.jboss.org"
Sent: Friday, November 6, 2015 12:22 PM
Subject: Can not make SAML2.0 work anyway.

Hi there,

I am trying Keycloak's brokering; the version is 1.6.0. I have imported two realms, saml-broker-realm.json and saml-broker-authentication-realm.json, by following the readme in the broker example. It works fine (except logout fails somehow).

Now I decided to try more, and here are my steps:

1) Create a realm named testsaml; the SAML descriptor can be found here: http://localhost:8080/auth/realms/testsaml/protocol/saml/descriptor
2) In the saml-broker-authentication-realm, create a new ID provider named saml by importing the URL above: http://localhost:8080/auth/realms/testsaml/protocol/saml/descriptor
3) Download the SP metadata named "keycloak.xml" from the export tab page.
4) Go to the testsaml realm, and create a client by importing the downloaded "keycloak.xml".
5) Open the page http://localhost:8080/saml-broker-authentication and you can see the ID provider named saml on the left.
6) Log in with the ID provider, but finally get the errors below:

Context Path: /auth
Servlet Path:
Path Info: /realms/saml-broker-authentication-realm/broker/saml/endpoint
Query String: null
Stack Trace
java.lang.RuntimeException: request path: /auth/realms/saml-broker-authentication-realm/broker/saml/endpoint
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:75)
......

So what happened with my configuration? Did I miss something?

T.I.A.
Maizi

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: emal.txt
Url: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151108/0d5a8235/attachment.txt

From kalc04 at gmail.com Sun Nov 8 06:36:06 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Sun, 8 Nov 2015 17:06:06 +0530
Subject: [keycloak-user] Bug in AbstractClaimMapper class
In-Reply-To:
References:
Message-ID:

Created here: https://issues.jboss.org/browse/KEYCLOAK-2044

On Fri, Nov 6, 2015 at 1:27 AM, Stian Thorgersen wrote:
> JIRA please
>
> On 3 November 2015 at 07:50, Lohitha Chiranjeewa wrote:
>
>> We came across an issue when integrating a custom OIDC IDP and mapping roles into it. When we have a list of external roles to map into Keycloak roles, the process fails.
>>
>> The issue is at the bottom of the valueEquals(String, Object) method in the AbstractClaimMapper class. When the incoming Object is a list, it just performs the comparison with the first element and returns...
>>
>> ...
>> } else if (value instanceof List) {
>>     List list = (List)value;
>>     for (Object val : list) {
>>         return valueEquals(desiredValue, val);
>>     }
>> }
>> ...
>>
>> Instead the code should be something like this:
>> ...
>> } else if (value instanceof List) {
>>     List list = (List)value;
>>     for (Object val : list) {
>>         if (valueEquals(desiredValue, val)) return true;
>>     }
>> }
>> ...
>>
>> Regards,
>> Lohitha

From ado.boj.83 at gmail.com Mon Nov 9 02:59:10 2015
From: ado.boj.83 at gmail.com (Andrej P)
Date: Mon, 9 Nov 2015 08:59:10 +0100
Subject: [keycloak-user] Can not logout from demo broker
In-Reply-To:
References: <865106505.776723.1446459238266.JavaMail.yahoo@mail.yahoo.com> <56376C33.4010305@redhat.com>
Message-ID:

Hi Marko,

I still didn't try your advice, but I don't understand why I should download the DEMO (keycloak-demo-1.6.1.Final.zip), because I want to add Keycloak into a running WildFly domain mode, and before I always downloaded the OVERLAY keycloak-overlay-1.6.0.Final.zip.

Andrej.

On Thu, Nov 5, 2015 at 11:26 PM, Marko Strukelj wrote:
> @Andrej, try to use the following instructions to set up Keycloak in domain mode. These instructions work for me, so if you follow them precisely they should also work for you.
>
> This setup approach assumes that you may want to deploy your secured applications into the same server(s) running Keycloak server.
>
> Download keycloak-demo-1.6.1.Final.zip from http://keycloak.jboss.org/keycloak/downloads.
>
> unzip ~/Downloads/keycloak-demo-1.6.1.Final.zip
>
> cd keycloak-demo-1.6.1.Final/keycloak
>
> Open for edit: domain/configuration/domain.xml
>
> Add to section:
>
> The second one is for securing your deployed .wars with Keycloak server.
>
> Scroll down to
>
> Add to section:
>
> jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS"
> enabled="true" use-java-context="true">
>
> jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE
> h2
>
> sa
> sa
>
> Add to section:
>
> jndi-name="infinispan/Keycloak">
>
> owners="1"/>
> owners="1"/>
>
> Before the ending add:
>
> auth
>
> The second one is for securing your deployed .wars with Keycloak server.
>
> Make sure that you really add all these sections to 'full-ha'. If you use search or any kind of shortcuts to jump through the edited file, it is very easy to end up in a different section. So double-check.
>
> Now scroll further down to section, and change 'main-server-group' to use 'full-ha' profile:
>
> Save the file.
>
> Now start Keycloak in domain mode:
>
> bin/domain.sh
>
> Observing the log, you should see many entries for 'server-one', and 'server-two'.
>
> You should also see two big stacktraces, as the server will try to start up, and fail due to not being able to find the keycloak-server.json file. (The stacktrace should be more descriptive - current error reporting NullPointerException is a bug)
>
> But that's good, it means that keycloak-server subsystem was picked up, and started to get initialized.
> > Running this results in two additional directories created: > > domain/servers/server-one > > and > > domain/servers/server-two > > Now just copy the configuration from standalone to these two directories: > > mkdir domain/servers/server-one/configuration > cp standalone/configuration/keycloak-server.json > domain/servers/server-one/configuration/ > cp -r standalone/configuration/themes > domain/servers/server-one/configuration/ > cp -r standalone/configuration/providers > domain/servers/server-one/configuration/ > > mkdir domain/servers/server-two/configuration > cp standalone/configuration/keycloak-server.json > domain/servers/server-two/configuration/ > cp -r standalone/configuration/themes > domain/servers/server-two/configuration/ > cp -r standalone/configuration/providers > domain/servers/server-two/configuration/ > > > And start the server again: > > bin/domain.sh > > > You should now see the server start up without any errors. You can now > open Keycloak admin on server-one: > > http://localhost:8080/auth > > And on server-two: > > http://localhost:8230/auth/ > > > > This procedure has always worked for me. If it fails for you then provide > your domain.xml, and stdout from console with any stack traces. > > > > On Thu, Nov 5, 2015 at 9:02 PM, Stian Thorgersen > wrote: > >> I came across this: >> https://issues.jboss.org/browse/KEYCLOAK-2037 >> >> Maybe it's the same issue here? 
>>
>> On 4 November 2015 at 16:35, Marko Strukelj wrote:
>>
>>> On Wed, Nov 4, 2015 at 4:10 PM, Andrej P wrote:
>>>
>>>> On Wed, Nov 4, 2015 at 3:48 PM, Marko Strukelj wrote:
>>>>
>>>>> Can you confirm that you see the following lines in your host-controller.log:
>>>>>
>>>>> [Server:authentication-server-demosetup] 15:58:23,220 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 72) WFLYUT0021: Registered web context: /auth
>>>>> [Server:authentication-server-demosetup] 15:58:23,267 INFO [org.jboss.as.server] (ServerService Thread Pool -- 36) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
>>>>>
>>>> No, these lines are missing in the log.
>>>>
>>>
>>> That's the root of your problem then. Keycloak server subsystem doesn't seem to be initialized at all.
>>> From your config files it follows that your 'authentication-server-demosetup' server is using 'group-authentication' group, and 'group-authentication' group is using 'idbt-ha' profile, and 'idbt-ha' profile contains keycloak-server subsystem declaration ...
>>>
>>> I see no reason for Keycloak server to not get initialized.
>>>
>>> I'm sorry to say, but I'm out of ideas. If I were you I would try from scratch with an OOTB domain.xml, and host.xml, and set up Keycloak server without any additional applications deployed, following the instructions I described previously - just get server-one, and server-two using the same group tied to full-ha profile. That way you should get Keycloak up and running. Then I would slowly evolve the configuration towards what you have now. Somewhere during that process there must be a step that breaks things, and it's not obvious what that step is.
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mstrukel at redhat.com Mon Nov 9 04:07:01 2015
From: mstrukel at redhat.com (Marko Strukelj)
Date: Mon, 9 Nov 2015 10:07:01 +0100
Subject: [keycloak-user] Can not logout from demo broker
References: <865106505.776723.1446459238266.JavaMail.yahoo@mail.yahoo.com> <56376C33.4010305@redhat.com>

If you use keycloak-overlay, or the keycloak-server dist, then if you want to follow the above instructions to the letter you also have to download and unpack keycloak-wf9-adapter-dist.zip.

The point of this exercise is to get things up and running with as few steps as possible, to reduce the number of things that can go wrong, since you've been having a great deal of problems with it, and it seems like your problems are the result of your particular way of wanting to set it up.

The point here is to show you that Keycloak server can be set up in domain mode, and it works.

Apparently it's been impossible for us to determine the exact issue with your current setup, based on the information you have provided, apart from the fact that Keycloak doesn't seem to be initialised for you, which is inconsistent with the configuration you have provided.

If you think there is something wrong with Keycloak then the only way for us to do anything about it at this point is for you to create exact instructions to reproduce the problem.
From sthorger at redhat.com Mon Nov 9 04:48:56 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 9 Nov 2015 10:48:56 +0100
Subject: [keycloak-user] Revision in chapter 8 JAAS plugin
In-Reply-To: <5A7ED0CDDCE1D7418FE8BA8938C6C524FBFEAC@DFEXCHSD005.corp.caixa.gov.br>

If I remember correctly we explicitly didn't document KeycloakLoginModule as it's not that nice to use. Was that correct Marek?

On 3 November 2015 at 17:40, Victor Neves Evangelista <victor.evangelista at caixa.gov.br> wrote:

> Come to knowledge
>
> There is no information about org.keycloak.adapters.jboss.KeycloakLoginModule.
>
> There are no references in the user guide about the JAAS plugin.

From mposolda at redhat.com Mon Nov 9 05:10:07 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 9 Nov 2015 11:10:07 +0100
Subject: [keycloak-user] Revision in chapter 8 JAAS plugin
In-Reply-To: <5A7ED0CDDCE1D7418FE8BA8938C6C524FBFEAC@DFEXCHSD005.corp.caixa.gov.br>
Message-ID: <564070FF.40504@redhat.com>

KeycloakLoginModule is used mainly for propagation of security contexts from the servlet layer to other layers like EJB. We have some documentation for that at http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#jboss-adapter . But AFAIK we don't have any example.
Besides that, we have the login modules I've added for Fuse support (DirectAccessGrantsLoginModule and BearerTokenLoginModule), which are documented here: http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#jaas-adapter . Besides Fuse, those are useful for environments which rely on JAAS. For example someone used DirectAccessGrantsLoginModule in an EJB remote client application. Those also don't have an example (I am planning to add some and have had a JIRA for that open for a year or so :-\ )

Marek

On 09/11/15 10:48, Stian Thorgersen wrote:
> If I remember correctly we explicitly didn't document KeycloakLoginModule as it's not that nice to use. Was that correct Marek?
>
> On 3 November 2015 at 17:40, Victor Neves Evangelista wrote:
>
>> Come to knowledge
>>
>> There is no information about org.keycloak.adapters.jboss.KeycloakLoginModule.
>>
>> There are no references in the user guide about the JAAS plugin.

From revanth at arvindinternet.com Tue Nov 10 04:01:09 2015
From: revanth at arvindinternet.com (Revanth Ayalasomayajula)
Date: Tue, 10 Nov 2015 14:31:09 +0530
Subject: [keycloak-user] Enable CORS

Hi,

I am using keycloak 1.5.0 to secure a few of my applications and I want to request the keycloak's Login page from an ajax call. It is currently giving me a CORS error. So I wanted to know how do I enable CORS support or add my URL to the allowed set??

Thanks.
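The replies in this thread point to setting "enable-cors": true in keycloak.json and to the client's Web Origins list in the admin console. The following Node.js snippet is an added illustration, not code from this thread or from Keycloak, of what an exact-match origin allow-list enforces: a request whose Origin header is not on the list gets no Access-Control-Allow-Origin header at all, which is what the browser then reports as the CORS error described above, and an OPTIONS preflight is granted only the request headers on the allow-list. The matching policy (exact scheme://host[:port], with "*" meaning any origin), the allowed-header list and the sample origins are this example's own assumptions, not Keycloak's implementation.

```javascript
// Added example (not code from this thread or from Keycloak): what an
// exact-match "Web Origins" allow-list enforces for cross-origin requests.
// Assumed policy: an entry matches only the same scheme://host[:port];
// the single entry "*" allows any origin. All sample origins are constructed.

// Request headers a preflight may be granted (this example's own choice).
const ALLOWED_REQUEST_HEADERS = ['authorization', 'content-type'];

// Normalise an Origin header value to canonical scheme://host[:port].
// Returns null for anything that is not a plain http(s) origin, so a
// path, query, userinfo or the literal "null" origin can never match.
function normalizeOrigin(value) {
  if (typeof value !== 'string' || value === 'null') return null;
  let u;
  try {
    u = new URL(value);
  } catch (e) {
    return null;
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  if (u.username || u.password || u.search || u.hash) return null;
  if (u.pathname !== '/') return null;
  // URL lower-cases scheme and host and drops the scheme's default port.
  return u.origin;
}

// True if the request's Origin is on the configured Web Origins list.
// Exact match only: no prefix, suffix or substring matching, so
// https://app.example.com.attacker.test never matches https://app.example.com.
function originAllowed(requestOrigin, webOrigins) {
  const origin = normalizeOrigin(requestOrigin);
  if (origin === null) return false;
  return webOrigins.some(
    (entry) => entry === '*' || normalizeOrigin(entry) === origin,
  );
}

// CORS response headers for a request described as
// { method, origin, credentials, requestHeaders }. An origin that is not
// allowed gets an empty object: no Access-Control-Allow-Origin header,
// which is exactly what the browser then surfaces as a "CORS error".
function corsHeaders(req, webOrigins) {
  if (!originAllowed(req.origin, webOrigins)) return {};
  const headers = {
    // Echo the specific origin rather than "*": browsers refuse "*" when
    // the request carries credentials, and Vary keeps a shared cache from
    // replaying one origin's answer to another origin.
    'Access-Control-Allow-Origin': normalizeOrigin(req.origin),
    Vary: 'Origin',
  };
  if (req.credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  if (req.method === 'OPTIONS') {
    // Preflight: grant only the request headers that are on the allow-list.
    const asked = (req.requestHeaders || '')
      .split(',')
      .map((h) => h.trim().toLowerCase())
      .filter(Boolean);
    const granted = asked.filter((h) => ALLOWED_REQUEST_HEADERS.includes(h));
    headers['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS';
    if (granted.length > 0) {
      headers['Access-Control-Allow-Headers'] = granted.join(', ');
    }
    headers['Access-Control-Max-Age'] = '3600';
  }
  return headers;
}

// Constructed Web Origins list for one client, one exact origin per entry,
// as it would be entered in the admin console.
const SAMPLE_WEB_ORIGINS = ['http://localhost:8000', 'https://app.example.com'];

// Evaluate a few constructed requests and return the decision for each.
function demo() {
  const requests = [
    { method: 'OPTIONS', origin: 'http://localhost:8000', credentials: true, requestHeaders: 'Authorization, X-Custom' },
    { method: 'GET', origin: 'https://app.example.com:443' },
    { method: 'GET', origin: 'https://app.example.com.attacker.test' },
    { method: 'GET', origin: 'http://app.example.com' },
    { method: 'GET', origin: 'http://localhost:8001' },
  ];
  return requests.map((r) => ({
    origin: r.origin,
    allowed: originAllowed(r.origin, SAMPLE_WEB_ORIGINS),
    headers: corsHeaders(r, SAMPLE_WEB_ORIGINS),
  }));
}

for (const r of demo()) {
  console.log(r.origin, r.allowed ? 'allowed' : 'blocked', r.headers);
}
```

Run it with node; the loop at the bottom prints the decision for each constructed request. The value of the exact match shows in the last three cases: a longer host name that merely starts with an allowed origin, the same host on a different scheme, and the same host on a different port are all blocked, while https://app.example.com:443 is accepted because 443 is the default port for https and normalises away.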
From Tero.Ahonen at cybercom.com Tue Nov 10 04:07:11 2015
From: Tero.Ahonen at cybercom.com (Tero Ahonen)
Date: Tue, 10 Nov 2015 09:07:11 +0000
Subject: [keycloak-user] Enable CORS

At least this worked for me, using the latest version.

Enable CORS in the client by setting the enable-cors field in the client app's keycloak.json (if u are using one):

    "enable-cors": true,

Then from the admin console set the realm's client settings Web Origins setting to match your origins.

.t

> On 10 Nov 2015, at 11:01 AM, Revanth Ayalasomayajula wrote:
>
> Hi,
>
> I am using keycloak 1.5.0 to secure a few of my applications and I want to request the keycloak's Login page from an ajax call. It is currently giving me a CORS error. So I wanted to know how do I enable CORS support or add my URL to the allowed set??
>
> Thanks.

From revanth at arvindinternet.com Tue Nov 10 04:11:10 2015
From: revanth at arvindinternet.com (Revanth Ayalasomayajula)
Date: Tue, 10 Nov 2015 14:41:10 +0530
Subject: [keycloak-user] Enable CORS

Hi,

Thanks for the quick reply. I wanted to know, as I am requesting the login page of keycloak for a particular realm, which client in that realm should I add this web origins to??

Thanks.

On Tue, Nov 10, 2015 at 2:37 PM, Tero Ahonen wrote:

> At least this worked for me, using the latest version.
>
> Enable CORS in the client by setting the enable-cors field in the client app's keycloak.json (if u are using one):
>
>     "enable-cors": true,
>
> Then from the admin console set the realm's client settings Web Origins setting to match your origins.
>
> .t
>
>> On 10 Nov 2015, at 11:01 AM, Revanth Ayalasomayajula <revanth at arvindinternet.com> wrote:
>>
>> Hi,
>>
>> I am using keycloak 1.5.0 to secure a few of my applications and I want to request the keycloak's Login page from an ajax call. It is currently giving me a CORS error. So I wanted to know how do I enable CORS support or add my URL to the allowed set??
>>
>> Thanks.

From Tero.Ahonen at cybercom.com Tue Nov 10 04:22:48 2015
From: Tero.Ahonen at cybercom.com (Tero Ahonen)
Date: Tue, 10 Nov 2015 09:22:48 +0000
Subject: [keycloak-user] Enable CORS
Message-ID: <45517E61-6039-4BD5-A15E-794CF20D4451@cybercom.com>

Hi,

I'm very new to keycloak, but I think that u always have to define the client in the keycloak config. In keycloak.json the client is defined in the field resource.

.t

On 10 Nov 2015, at 11:11 AM, Revanth Ayalasomayajula wrote:

> Hi,
>
> Thanks for the quick reply. I wanted to know, as I am requesting the login page of keycloak for a particular realm, which client in that realm should I add this web origins to??
>
> Thanks.
>
> On Tue, Nov 10, 2015 at 2:37 PM, Tero Ahonen wrote:
>
>> At least this worked for me, using the latest version.
>>
>> Enable CORS in the client by setting the enable-cors field in the client app's keycloak.json (if u are using one):
>>
>>     "enable-cors": true,
>>
>> Then from the admin console set the realm's client settings Web Origins setting to match your origins.
>>
>> .t
>>
>>> On 10 Nov 2015, at 11:01 AM, Revanth Ayalasomayajula wrote:
>>>
>>> Hi,
>>>
>>> I am using keycloak 1.5.0 to secure a few of my applications and I want to request the keycloak's Login page from an ajax call.
>>> It is currently giving me a CORS error. So I wanted to know how do I enable CORS support or add my URL to the allowed set??
>>>
>>> Thanks.

From revanth at arvindinternet.com Tue Nov 10 04:38:20 2015
From: revanth at arvindinternet.com (Revanth Ayalasomayajula)
Date: Tue, 10 Nov 2015 15:08:20 +0530
Subject: [keycloak-user] Enable CORS
In-Reply-To: <45517E61-6039-4BD5-A15E-794CF20D4451@cybercom.com>

Hi

Here is my case. I don't have a keycloak.json. I just have a single html page, locally, that makes an ajax call to a confidential application behind keycloak to get a html page. So now I am redirected to another url and then to a keycloak login Url. On requesting this url, it gives me a CORS error. In the web origins of the confidential app I am trying to access, I have added my local url. Is this supposed to work or am I to add the url elsewhere also??

Thanks.

On Tue, Nov 10, 2015 at 2:52 PM, Tero Ahonen wrote:

> Hi,
>
> I'm very new to keycloak, but I think that u always have to define the client in the keycloak config. In keycloak.json the client is defined in the field resource.
>
> .t
>
> On 10 Nov 2015, at 11:11 AM, Revanth Ayalasomayajula <revanth at arvindinternet.com> wrote:
>
>> Hi,
>>
>> Thanks for the quick reply. I wanted to know, as I am requesting the login page of keycloak for a particular realm, which client in that realm should I add this web origins to??
>>
>> Thanks.
>>
>> On Tue, Nov 10, 2015 at 2:37 PM, Tero Ahonen wrote:
>>
>>> At least this worked for me, using the latest version.
>>>
>>> Enable CORS in the client by setting the enable-cors field in the client app's keycloak.json (if u are using one):
>>>
>>>     "enable-cors": true,
>>>
>>> Then from the admin console set the realm's client settings Web Origins setting to match your origins.
>>>
>>> .t
>>>
>>>> On 10 Nov 2015, at 11:01 AM, Revanth Ayalasomayajula <revanth at arvindinternet.com> wrote:
>>>>
>>>> Hi,
>>>>
>>>> I am using keycloak 1.5.0 to secure a few of my applications and I want to request the keycloak's Login page from an ajax call. It is currently giving me a CORS error. So I wanted to know how do I enable CORS support or add my URL to the allowed set??
>>>>
>>>> Thanks.

From Tero.Ahonen at cybercom.com Tue Nov 10 04:45:18 2015
From: Tero.Ahonen at cybercom.com (Tero Ahonen)
Date: Tue, 10 Nov 2015 09:45:18 +0000
Subject: [keycloak-user] Enable CORS
References: <45517E61-6039-4BD5-A15E-794CF20D4451@cybercom.com>

I have the same kind of test page: a single html page that gets a token from keycloak and then accesses a resource secured also with keycloak (bearer only). I use the keycloak javascript client and that handles the CORS stuff nice and smooth. In your case, if the realm's client web origin settings are ok, it should work. Have u used Firebug etc. to check whether your client makes an OPTIONS request for CORS?

.t

On 10 Nov 2015, at 11:38 AM, Revanth Ayalasomayajula wrote:

> Hi
>
> Here is my case. I don't have a keycloak.json. I just have a single html page, locally, that makes an ajax call to a confidential application behind keycloak to get a html page. So now I am redirected to another url and then to a keycloak login Url.
> On requesting this url, it gives me a CORS error. In the web origins of the confidential app I am trying to access, I have added my local url. Is this supposed to work or am I to add the url elsewhere also??
>
> Thanks.
>
> On Tue, Nov 10, 2015 at 2:52 PM, Tero Ahonen wrote:
>
>> Hi,
>>
>> I'm very new to keycloak, but I think that u always have to define the client in the keycloak config. In keycloak.json the client is defined in the field resource.
>>
>> .t
>>
>> On 10 Nov 2015, at 11:11 AM, Revanth Ayalasomayajula wrote:
>>
>>> Hi,
>>>
>>> Thanks for the quick reply. I wanted to know, as I am requesting the login page of keycloak for a particular realm, which client in that realm should I add this web origins to??
>>>
>>> Thanks.
>>>
>>> On Tue, Nov 10, 2015 at 2:37 PM, Tero Ahonen wrote:
>>>
>>>> At least this worked for me, using the latest version.
>>>>
>>>> Enable CORS in the client by setting the enable-cors field in the client app's keycloak.json (if u are using one):
>>>>
>>>>     "enable-cors": true,
>>>>
>>>> Then from the admin console set the realm's client settings Web Origins setting to match your origins.
>>>>
>>>> .t
>>>>
>>>>> On 10 Nov 2015, at 11:01 AM, Revanth Ayalasomayajula wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I am using keycloak 1.5.0 to secure a few of my applications and I want to request the keycloak's Login page from an ajax call. It is currently giving me a CORS error. So I wanted to know how do I enable CORS support or add my URL to the allowed set??
>>>>>
>>>>> Thanks.

From sthorger at redhat.com Tue Nov 10 05:42:27 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 10 Nov 2015 11:42:27 +0100
Subject: [keycloak-user] Enable CORS

The login page doesn't support CORS requests.
You should redirect the users to this page; that's the only way it will actually work.

On 10 November 2015 at 10:01, Revanth Ayalasomayajula <revanth at arvindinternet.com> wrote:

> Hi,
>
> I am using keycloak 1.5.0 to secure a few of my applications and I want to request the keycloak's Login page from an ajax call. It is currently giving me a CORS error. So I wanted to know how do I enable CORS support or add my URL to the allowed set??
>
> Thanks.

From revanth at arvindinternet.com Tue Nov 10 06:03:23 2015
From: revanth at arvindinternet.com (Revanth Ayalasomayajula)
Date: Tue, 10 Nov 2015 16:33:23 +0530
Subject: [keycloak-user] Enable CORS

Hi, is there any way for an application to request the login page and get it shown as a modal or as an iframe?

I want to achieve the same thing as in the link below, but I couldn't understand from that thread what has to be done.

http://lists.jboss.org/pipermail/keycloak-user/2015-February/001665.html

Thanks.

On Tue, Nov 10, 2015 at 4:12 PM, Stian Thorgersen wrote:

> The login page doesn't support CORS requests. You should redirect the users to this page; that's the only way it will actually work.
>
> On 10 November 2015 at 10:01, Revanth Ayalasomayajula <revanth at arvindinternet.com> wrote:
>
>> Hi,
>>
>> I am using keycloak 1.5.0 to secure a few of my applications and I want to request the keycloak's Login page from an ajax call. It is currently giving me a CORS error. So I wanted to know how do I enable CORS support or add my URL to the allowed set??
>>
>> Thanks.
From sthorger at redhat.com Tue Nov 10 07:22:02 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 10 Nov 2015 13:22:02 +0100
Subject: [keycloak-user] Enable CORS

We don't directly support loading as an iframe, but you can achieve it by following the hints in that mailing list thread. You basically need to set up the required HTTP headers to permit loading it as an iframe from another domain.

On 10 November 2015 at 12:03, Revanth Ayalasomayajula <revanth at arvindinternet.com> wrote:

> Hi, is there any way for an application to request the login page and get it shown as a modal or as an iframe?
>
> I want to achieve the same thing as in the link below, but I couldn't understand from that thread what has to be done.
>
> http://lists.jboss.org/pipermail/keycloak-user/2015-February/001665.html
>
> Thanks.
>
> On Tue, Nov 10, 2015 at 4:12 PM, Stian Thorgersen wrote:
>
>> The login page doesn't support CORS requests. You should redirect the users to this page; that's the only way it will actually work.
>>
>> On 10 November 2015 at 10:01, Revanth Ayalasomayajula <revanth at arvindinternet.com> wrote:
>>
>>> Hi,
>>>
>>> I am using keycloak 1.5.0 to secure a few of my applications and I want to request the keycloak's Login page from an ajax call. It is currently giving me a CORS error. So I wanted to know how do I enable CORS support or add my URL to the allowed set??
>>>
>>> Thanks.
From lkrzyzan at redhat.com Tue Nov 10 07:50:07 2015
From: lkrzyzan at redhat.com (Libor Krzyzanek)
Date: Tue, 10 Nov 2015 13:50:07 +0100
Subject: [keycloak-user] Security implications when having long login action timeout
Message-ID: <2B50EC0D-4605-4AF5-821A-0A8063E5FBC1@redhat.com>

Hi,
we got a requirement to have a long timeout, e.g. 2 - 3 days, on links for e-mail verification during registration, for better UX.
It's possible to do it via setting "Login action timeout" to 3 days. This setting also changes the timeout of the link for forgot password AFAIK.

I'm thinking about security implications.

Can somebody steal such a link in e-mail somehow and then steal the identity by doing "forgot password" on the target account? For example by listening to the SMTP protocol communication?

Thanks,

Libor Krzyžanek
jboss.org Development Team

From mposolda at redhat.com Tue Nov 10 09:23:14 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 10 Nov 2015 15:23:14 +0100
Subject: [keycloak-user] Security implications when having long login action timeout
In-Reply-To: <2B50EC0D-4605-4AF5-821A-0A8063E5FBC1@redhat.com>
Message-ID: <5641FDD2.2080108@redhat.com>

On 10/11/15 13:50, Libor Krzyzanek wrote:
> Hi,
> we got a requirement to have a long timeout, e.g. 2 - 3 days, on links for e-mail verification during registration, for better UX.
> It's possible to do it via setting "Login action timeout" to 3 days. This setting also changes the timeout of the link for forgot password AFAIK.
>
> I'm thinking about security implications.
>
> Can somebody steal such a link in e-mail somehow and then steal the identity by doing "forgot password" on the target account? For example by listening to the SMTP protocol communication?

AFAIK if you use TLS for the SMTP protocol, the communication between Keycloak and the SMTP server should be encrypted and hence nobody should be able to listen and get the content of the message. Another thing is the communication between the SMTP server and the POP3/IMAP server. I think it depends on the security of the POP3/IMAP server; the major vendors like GMail are likely using secure communication. But I don't know at 100%...

Thing is that the "Forgot password" link can be used just once, so the user will be able to recognize that somebody else clicked on the link instead of him.

Marek

>
> Thanks,
>
> Libor Krzyžanek
> jboss.org Development Team

From sthorger at redhat.com Tue Nov 10 09:27:26 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 10 Nov 2015 15:27:26 +0100
Subject: [keycloak-user] Security implications when having long login action timeout
In-Reply-To: <2B50EC0D-4605-4AF5-821A-0A8063E5FBC1@redhat.com>

2-3 days for email verification seems OK to me, but I wouldn't do that for password resets. So I think you need to request a feature to be able to configure those independently.

On 10 November 2015 at 13:50, Libor Krzyzanek wrote:

> Hi,
> we got a requirement to have a long timeout, e.g. 2 - 3 days, on links for e-mail verification during registration, for better UX.
> It's possible to do it via setting "Login action timeout" to 3 days. This setting also changes the timeout of the link for forgot password AFAIK.
>
> I'm thinking about security implications.
>
> Can somebody steal such a link in e-mail somehow and then steal the identity by doing "forgot password" on the target account? For example by listening to the SMTP protocol communication?
>
> Thanks,
>
> Libor Krzyžanek
> jboss.org Development Team

From bburke at redhat.com Tue Nov 10 10:38:13 2015
From: bburke at redhat.com (Bill Burke)
Date: Tue, 10 Nov 2015 10:38:13 -0500
Subject: [keycloak-user] Enable CORS
Message-ID: <56420F65.9010404@redhat.com>

You are not going to be able to access the login page from an ajax call. That's just not the way you're supposed to do non-browser login.

http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-access-grants.html

On 11/10/2015 4:01 AM, Revanth Ayalasomayajula wrote:
> Hi,
>
> I am using keycloak 1.5.0 to secure a few of my applications and I want to request the keycloak's Login page from an ajax call. It is currently giving me a CORS error. So I wanted to know how do I enable CORS support or add my URL to the allowed set??
>
> Thanks.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From lkrzyzan at redhat.com Tue Nov 10 10:55:56 2015
From: lkrzyzan at redhat.com (Libor Krzyzanek)
Date: Tue, 10 Nov 2015 16:55:56 +0100
Subject: [keycloak-user] Security implications when having long login action timeout
References: <2B50EC0D-4605-4AF5-821A-0A8063E5FBC1@redhat.com>

Having such an option makes sense for sure.
Jira issue: https://issues.jboss.org/browse/KEYCLOAK-2052

Thanks,

Libor Krzyžanek
jboss.org Development Team

> On Nov 10, 2015, at 3:27 PM, Stian Thorgersen wrote:
>
> 2-3 days for email verification seems OK to me, but I wouldn't do that for password resets. So I think you need to request a feature to be able to configure those independently.
>
> On 10 November 2015 at 13:50, Libor Krzyzanek wrote:
>
>> Hi,
>> we got a requirement to have a long timeout, e.g. 2 - 3 days, on links for e-mail verification during registration, for better UX.
>> It's possible to do it via setting "Login action timeout" to 3 days. This setting also changes the timeout of the link for forgot password AFAIK.
>>
>> I'm thinking about security implications.
>>
>> Can somebody steal such a link in e-mail somehow and then steal the identity by doing "forgot password" on the target account? For example by listening to the SMTP protocol communication?
>>
>> Thanks,
>>
>> Libor Krzyžanek
>> jboss.org Development Team

From ado.boj.83 at gmail.com Wed Nov 11 05:11:14 2015
From: ado.boj.83 at gmail.com (Andrej P)
Date: Wed, 11 Nov 2015 11:11:14 +0100
Subject: [keycloak-user] Not working link generated via REST API - Send an email-verification email to the user

I am using Keycloak 1.6.1 Final.
I can generate Verify Email in two ways:

1.) via GUI it works fine - link in the generated email:

http://172.31.32.216:8080/auth/realms/universities/login-actions/email-verification?code=p_CkD9WJl_Ui9hoEq8LRrs0YRWKsi6_ivEqBjX2sz6w.c7614796-d4d4-4dca-8191-b2441dc1e415&key=Qq3vlqsCak

2.)
via REST API (Send an email-verification email to the user) - PUT http://172.31.32.216:8080/auth/admin/realms/universities/users/3cb6d892-8df8-45bf-a336-9ddbce1c56d0/send-verify-email

here is the not working link in the generated email:

http://172.31.32.216:8080/auth/realms/universities/login-actions/email-verification?key=b4knIyCq_4Z_d5CqwzzLhAm5T3riPTWVUa6z5Mca-u4.22faad7a-64de-4792-9fbc-3ee4e6ca8929&code=b4knIyCq_4Z_d5CqwzzLhAm5T3riPTWVUa6z5Mca-u4.22faad7a-64de-4792-9fbc-3ee4e6ca8929

We are getting the WE'RE SORRY ... screen.

Summary: in the link generated via REST API the code is missing (only key is present); in the GUI link both code and key are present.

From ado.boj.83 at gmail.com Wed Nov 11 06:29:40 2015
From: ado.boj.83 at gmail.com (Andrej Prievalsky)
Date: Wed, 11 Nov 2015 12:29:40 +0100
Subject: [keycloak-user] Not working link generated via REST API - Send an email-verification email to the user

Sorry, I attached an incorrect link to point 2.). The correct link in the email generated via REST API is:

http://172.31.32.216:8080/auth/realms/universities/login-actions/email-verification?key=lJOE7feTo8VNfmy0OyYpowIT3yMUcJmsY9_QaV2Bd7k.160f1a4f-5f8e-4105-a4d3-0914bb890ed2

With the same summary: in the link generated via REST API the code is missing (only key is present there); in the GUI link both code and key are present.

On Wed, Nov 11, 2015 at 11:11 AM, Andrej P wrote:

> I am using Keycloak 1.6.1 Final.
> I can generate Verify Email in two ways:
>
> 1.) via GUI it works fine - link in the generated email:
>
> http://172.31.32.216:8080/auth/realms/universities/login-actions/email-verification?code=p_CkD9WJl_Ui9hoEq8LRrs0YRWKsi6_ivEqBjX2sz6w.c7614796-d4d4-4dca-8191-b2441dc1e415&key=Qq3vlqsCak
>
> 2.)
> via REST API (Send an email-verification email to the user) - PUT http://172.31.32.216:8080/auth/admin/realms/universities/users/3cb6d892-8df8-45bf-a336-9ddbce1c56d0/send-verify-email
>
> here is the not working link in the generated email:
>
> http://172.31.32.216:8080/auth/realms/universities/login-actions/email-verification?key=b4knIyCq_4Z_d5CqwzzLhAm5T3riPTWVUa6z5Mca-u4.22faad7a-64de-4792-9fbc-3ee4e6ca8929&code=b4knIyCq_4Z_d5CqwzzLhAm5T3riPTWVUa6z5Mca-u4.22faad7a-64de-4792-9fbc-3ee4e6ca8929
>
> We are getting the WE'RE SORRY ... screen.
>
> Summary: in the link generated via REST API the code is missing (only key is present); in the GUI link both code and key are present.

From sthorger at redhat.com Wed Nov 11 08:00:26 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 11 Nov 2015 14:00:26 +0100
Subject: [keycloak-user] Documentation on website
References: <56336C1F.8090106@first8.nl>

Thanks for letting me know - I've added https://issues.jboss.org/browse/KEYCLOAK-2055

On 2 November 2015 at 21:00, Scott Rossillo wrote:

> The links for admin api and java docs don't work from here:
>
> http://keycloak.github.io/docs/
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
> On Oct 30, 2015, at 9:14 AM, Stian Thorgersen wrote:
>
>> We're having some issues with the website - in the meantime you can get the docs from http://keycloak.github.io/docs/index.html
>>
>> On 30 October 2015 at 13:09, Mark Hayen wrote:
>>
>>> Hi guys,
>>>
>>> I tried to look into the documentation of keycloak, but suddenly the links are dead.
>>> On http://keycloak.jboss.org/ the documentation link is grey, and when googling I get a 404.
>>> How can I access the keycloak docs?
>>>
>>> Mark

From sthorger at redhat.com Wed Nov 11 08:09:38 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 11 Nov 2015 14:09:38 +0100
Subject: [keycloak-user] Fw: Can not make SAML2.0 work anyway.
In-Reply-To: <1933622655.1471472.1446949382709.JavaMail.yahoo@mail.yahoo.com>
References: <744518906.694629.1446783770600.JavaMail.yahoo.ref@mail.yahoo.com> <744518906.694629.1446783770600.JavaMail.yahoo@mail.yahoo.com> <1933622655.1471472.1446949382709.JavaMail.yahoo@mail.yahoo.com>

Tried the same and got an error as well. Can you create a JIRA issue? Please include the full stack trace, not just the snippet from above.

On 8 November 2015 at 03:23, Mai Zi wrote:

> Hi,
> Can anybody help me on this?
> Not sure why the post format shown in the forum is in a mess, so I attach the content as a text file.
>
> T.I.A.
>
> ----- Forwarded Message -----
> From: Mai Zi
> To: "keycloak-user at lists.jboss.org"
> Sent: Friday, November 6, 2015 12:22 PM
> Subject: Can not make SAML2.0 work anyway.
>
> Hi, there,
>
> I am trying version 1.6.0 keycloak's brokering. I have imported two realms, saml-broker-realm.json and saml-broker-authentication-realm.json, by following the readme in the broker example.
It works fine (except > failed logout somehow) > > Now I decided to give it more of a try and here are my steps: > > > 1) Create a realm named testsaml; the saml descriptor can be found > here: > http://localhost:8080/auth/realms/testsaml/protocol/saml/descriptor > 2) In the saml-broker-authentication-realm, create a new ID provider > named saml by importing the URL above: > http://localhost:8080/auth/realms/testsaml/protocol/saml/descriptor > 3) Download the SP metadata named "keycloak.xml" from the export tab > page. > 4) Go to the testsaml realm, and create a client by importing the > downloaded "keycloak.xml" > 5) Open the page: http://localhost:8080/saml-broker-authentication and > you can see the ID provider named saml on the left. > 6) Log in with the ID provider but finally get the errors as below: > > Context Path: > /auth > Servlet Path: > Path Info: > /realms/saml-broker-authentication-realm/broker/saml/endpoint > Query String: > null > Stack Trace > java.lang.RuntimeException: request path: > /auth/realms/saml-broker-authentication-realm/broker/saml/endpoint > > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:75) > ...... > > > > > > So what happened with my configuration? Did I miss something? > > > T.I.A. > > Maizi > > . > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151111/1063471f/attachment-0001.html From sthorger at redhat.com Wed Nov 11 08:12:46 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 11 Nov 2015 14:12:46 +0100 Subject: [keycloak-user] Additional jpaConnectionProvider for UserFederation via database In-Reply-To: <61D077C6283D454FAFD06F6AC4AB74D723D36465@DEFTHW99EZ1MSX.ww931.my-it-solutions.net> References: <61D077C6283D454FAFD06F6AC4AB74D723D36465@DEFTHW99EZ1MSX.ww931.my-it-solutions.net> Message-ID: At the moment, when the provider is specified in keycloak-server.json, we only load that one provider. If you only need to use the EntityManagerFactory within your user federation provider you don't need a JpaConnectionProvider at all. Just create the EntityManagerFactory within your UserFederationProviderFactory. We only use the JpaConnectionProvider as we have multiple providers using the same EntityManagerFactory. On 29 October 2015 at 13:57, Matuszak, Eduard wrote: > Hello > > I am trying to implement a user federation provider based on a > JPA connection. My approach was: > > According to an additional datasource definition for the federated DB in > the standalone.xml > > use-ccm="true"> > jdbc:oracle:thin:@servername > :1521:schemaname > .. > > , I tried to register this datasource as an additional connectionsJpa entry > in keycloak-server.json as follows: >
> ..
> "connectionsJpa": {
>     "default": {
>         "dataSource": "java:jboss/datasources/CCPKCDS",
>         "databaseSchema": "update"
>     },
>     "FED-DB": {
>         "dataSource": "java:jboss/datasources/CCPDS"
>     }
> },
> ..
>
> According to this configuration I hoped to be able to obtain the appropriate entity manager by coding:
>
> // Get the appropriate entity manager from the KeycloakSession
> EntityManager em = session.getProvider(JpaConnectionProvider.class, "FED-DB").getEntityManager();
>
> This did not work; indeed there is still only one (default) JpaConnectionProvider available in the session (JpaConnectionProviderList size is 1):
>
> Set JpaConnectionProviderList = session.getAllProviders(JpaConnectionProvider.class);
>
> My question is: isn't it in principle possible to register a second jpaConnector in addition to the default one, or is there something missing or wrong in my approach? > > Thanks for any help in advance. > > Best regards, Eduard Matuszak > > Dr. Eduard Matuszak > > Worldline, an atos company > T +49 (211)399 398 63 > M +49 (163)166 23 67 > F +49(211) 399 22 430 > eduard.matuszak at atos.net > Max-Stromeyer-Straße 116 > 78467 Konstanz > Germany > de.worldline.com > worldline.jobs.de > facebook.com/WorldlineKarriere > > > > Worldline GmbH > Geschäftsführer: Wolf Kunisch > Aufsichtsratsvorsitzender: Christophe Duquenne > Sitz der Gesellschaft: Frankfurt/Main > Handelsregister: Frankfurt/Main HRB 40 417 > > * * * * * * * * L E G A L D I S C L A I M E R * * * * * * * * > This e-mail and the documents attached are confidential and intended > solely for the addressee; it may also be privileged. If you receive this > e-mail by error, please notify the sender immediately and destroy it. As > its integrity cannot be secured on the internet, the Atos group liability > cannot be triggered for the message content. Although the sender endeavors > to maintain a computer virus-free network, the sender does not warrant that > this transmission is virus-free and shall not be liable for any damages > resulting from any virus transmitted. > * * * * * * * * L E G A L D I S C L A I M E R * * * * * * * * > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151111/14d0ab1c/attachment.html From m.hayen at first8.nl Wed Nov 11 08:15:11 2015 From: m.hayen at first8.nl (Mark Hayen) Date: Wed, 11 Nov 2015 14:15:11 +0100 Subject: [keycloak-user] disable edit account after password reset In-Reply-To: References: <5638D065.7070502@first8.nl> Message-ID: <56433F5F.5020807@first8.nl> An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151111/21069ca8/attachment.html From mposolda at redhat.com Wed Nov 11 09:26:05 2015 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 11 Nov 2015 15:26:05 +0100 Subject: [keycloak-user] Not working link generated via REST API - Send an email-verification email to the user In-Reply-To: References: Message-ID: <56434FFD.3090506@redhat.com> Looks like a bug. Could you please create JIRA for it? Thanks, Marek On 11/11/15 12:29, Andrej Prievalsky wrote: > Sorry, I attached to the point 2.) incorrect link. > Correct link in generated email via REST API is: > http://172.31.32.216:8080/auth/realms/universities/login-actions/email-verification?key=lJOE7feTo8VNfmy0OyYpowIT3yMUcJmsY9_QaV2Bd7k.160f1a4f-5f8e-4105-a4d3-0914bb890ed2 > > With same summary: in link generated via REST API is missing code > (only key is there present), in GUI link are both code and key > > On Wed, Nov 11, 2015 at 11:11 AM, Andrej P > wrote: > > I am using Keycloak 1.6.1 Final. > I can generate Verify Email in two ways: > > 1.) via GUI it works fine - link in generated email.: > > http://172.31.32.216:8080/auth/realms/universities/login-actions/email-verification?code=p_CkD9WJl_Ui9hoEq8LRrs0YRWKsi6_ivEqBjX2sz6w.c7614796-d4d4-4dca-8191-b2441dc1e415&key=Qq3vlqsCak > > 2.) 
via REST API (Send an email-verification email to the user) - > PUT > http://172.31.32.216:8080/auth/admin/realms/universities/users/3cb6d892-8df8-45bf-a336-9ddbce1c56d0/send-verify-email > > here is not working link in generated email: > > http://172.31.32.216:8080/auth/realms/universities/login-actions/email-verification?key=b4knIyCq_4Z_d5CqwzzLhAm5T3riPTWVUa6z5Mca-u4.22faad7a-64de-4792-9fbc-3ee4e6ca8929&code=b4knIyCq_4Z_d5CqwzzLhAm5T3riPTWVUa6z5Mca-u4.22faad7a-64de-4792-9fbc-3ee4e6ca8929 > > We are getting WE'RE SORRY ... screen. > > > Summary: in link generated via REST API is missing code (only key > is present), in GUI link are both code and key > > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151111/8e9c7121/attachment-0001.html From tgc at dma.dk Wed Nov 11 09:27:23 2015 From: tgc at dma.dk (Tomas Groth Christensen) Date: Wed, 11 Nov 2015 14:27:23 +0000 Subject: [keycloak-user] Native applications and federated login Message-ID: Hi, I have a question about how to use OpenId Connect and KeyCloak and hope that someone here will be able to help. I'm part of a project where federated login will be used. We are planning to use Keycloak as Identity Broker and multiple Identity Providers will be set up, some Identity Providers will be Keycloak instances, others not. For now the assumption is that all the Identity Providers will support OpenId Connect. One of the use cases we need to support is authentication of applications for communication to webservices (machine to machine communication), but it is causing us some trouble. The webservices will be created as clients in the Keycloak Identity Broker. But how do we authenticate the applications? 
The applications will not be browser based, so using the webinterface for authentication is not possible. There exists some guides (including this Keycloak blog post: http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html) that describes how this can be done when using Keycloak directly as Identity Provider, but I haven't been able to find any solutions to how to make it work when there is an Identity Broker involved. Reading the Keycloak documentation I couldn't help notice the big fat warning in the chapter about Direct Access Grant (http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-access-grants.html) which discourages bypassing the webinterface. This leads me to think that this kind of federated authentication without a browser is not supported by OpenId Connect, or am I missing something? I've had a look at offline tokens, but to generate them, manual browser based authentication is still needed, at least as far as I can see... I hope someone on the list has an idea for a smart workaround :) Best regards, Tomas From sthorger at redhat.com Wed Nov 11 09:42:05 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 11 Nov 2015 15:42:05 +0100 Subject: [keycloak-user] Native applications and federated login In-Reply-To: References: Message-ID: On 11 November 2015 at 15:27, Tomas Groth Christensen wrote: > Hi, > > I have a question about how to use OpenId Connect and KeyCloak and hope > that someone here will be able to help. > I'm part of a project where federated login will be used. We are planning > to use Keycloak as Identity Broker and multiple Identity Providers will be > set up, some Identity Providers will be Keycloak instances, others not. For > now the assumption is that all the Identity Providers will support OpenId > Connect. 
> > One of the use cases we need to support is authentication of applications > for communication to webservices (machine to machine communication), but it > is causing us some trouble. > The webservices will be created as clients in the Keycloak Identity > Broker. But how do we authenticate the applications? > The applications will not be browser based, so using the webinterface for > authentication is not possible. There exists some guides (including this > Keycloak blog post: > http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html) > that describes how this can be done when using Keycloak directly as > Identity Provider, but I haven't been able to find any solutions to how to > make it work when there is an Identity Broker involved. > > Reading the Keycloak documentation I couldn't help notice the big fat > warning in the chapter about Direct Access Grant ( > http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-access-grants.html) > which discourages bypassing the webinterface. This leads me to think that > this kind of federated authentication without a browser is not supported by > OpenId Connect, or am I missing something? > Firstly identity brokering is not part of OpenID Connect, it's a feature provided by Keycloak. Direct access grants is for users not clients. We recommend using the web based flows for users. Otherwise you don't get SSO and a bunch of other features provided by Keycloak. It's also less secure as you are exposing passwords directly to applications. For clients (service accounts) on the other hand the client credential grants is used, which is a different flow. It's not part of OpenID Connect, but only OAuth 2.0. Neither of the above flows have support for identity brokering in Keycloak at the moment. We could potentially add support to use those flows and provide a token from a brokered IdP instead of credentials. 
It should work relatively well for the user based flow, but I'm less sure about the client credentials grant flow as it assumes there's a client in Keycloak (with a linked user account), so this would be considerably more complex to support. > > I've had a look at offline tokens, but to generate them, manual browser > based authentication is still needed, at least as far as I can see... > > I hope someone on the list has an idea for a smart workaround :) > > Best regards, > Tomas > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151111/18c3bc5e/attachment.html From jeff.macomber at modernizingmedicine.com Wed Nov 11 13:00:08 2015 From: jeff.macomber at modernizingmedicine.com (Jeff Macomber) Date: Wed, 11 Nov 2015 13:00:08 -0500 Subject: [keycloak-user] Custom Authentication and Federation question Message-ID: Hi, I am trying to figure out how/if KeyCloak can be used for a project. The background is that we need three pieces of information to log in a user: location, username, password. The location is used to allow us to figure out where that user record can be found in a distributed environment. We have no single central user database but instead a number of different user databases installed in logically/physically different locations. We do not want anything other than login from KeyCloak and we need to be able to support SAML and eventually OAuth2. Based on reading the documentation it seems I would need to do the following: 1. Custom Authentication and AuthenticationFactory to handle validation of the user credentials 2. Custom federation provider and factory to handle construction of the user object I then created the custom authentication and factory. Packaged them and placed them in the standalone.
I then saw the new option in the Authentication Admin menu. I created a new Flow by copying the Browser flow, removed the default items and just required the new provider. Saved, restarted. Then using a SAML client I tried to log in but I don't get the new login form (which I reference in the code for the authenticator). What I get is still the default login page with the two normal fields. When I submit that form it never attempts to execute the code in my custom authenticator. So my questions are: 1. Am I correct that I need custom authentication and federation providers? Are there additional items I need here? 2. How do I get the SAML login page to use my custom login page and how do I route to the custom authentication code? And ideally, how do I leave the admin console login page alone, since that will use local users, not these federated remote users. Please let me know if I can provide more info for clarification. Thanks Jeff -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151111/766d59f9/attachment.html From robin1233 at gmail.com Wed Nov 11 13:19:13 2015 From: robin1233 at gmail.com (robinfernandes .) Date: Wed, 11 Nov 2015 13:19:13 -0500 Subject: [keycloak-user] Clarification regarding Offline Token Message-ID: Hi All, Just wanted a clarification regarding generation of offline tokens. 1. Can we use grant_type = authorization_code or grant_type = refresh_token to get the offline tokens? Or is it only available for grant_type = password & grant_type = client_credentials? 2. Is there a way to give an offline token to a particular user without using direct access grants? Thanks, Robin -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151111/4e80c2d4/attachment.html From harshmahey at gmail.com Wed Nov 11 19:08:38 2015 From: harshmahey at gmail.com (harsh mahey) Date: Wed, 11 Nov 2015 17:08:38 -0700 Subject: [keycloak-user] can not delete user using REST API -401 unauthorized. Message-ID: I am getting 401 Unauthorized when I'm trying to delete a user. I was able to create the user with this id. And I am able to delete the user using the Advanced REST Chrome client with the same DELETE URL. Can you guide me on what I am doing wrong here? Thanks
*****************ERROR***********************************************************
org.springframework.web.client.HttpClientErrorException: 401 Unauthorized
    at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:91)
    at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:641)
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:597)
    at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:557)
    at org.springframework.web.client.RestTemplate.delete(RestTemplate.java:429)
    at com.snrapps.mwp.domain.security.KeyCloakAdminAdapter.deleteUser(KeyCloakAdminAdapter.java:256)
    at com.snrapps.mwp.domain.security.KeyCloakAdminAdapter.main(KeyCloakAdminAdapter.java:55)
*****************CODE**************************************************************
public boolean deleteUser(String userId) {
    AccessTokenResponse accessTokenResponse = getToken();
    // The admin API needs "Authorization: Bearer <access token>" on every request
    org.springframework.http.HttpEntity<Void> entity =
            new org.springframework.http.HttpEntity<>(getHeaders(accessTokenResponse.getToken()));
    HttpHeaders httpHeaders = entity.getHeaders();
    System.out.println(httpHeaders);
    RestTemplate restTemplate = new RestTemplate();
    // Note the slash between "realms" and the realm name
    String urlForDeleteUser = "http://XXXXX.com:XXXX/auth/admin/realms/MyAppsRealm/users/" + userId;
    System.out.println(urlForDeleteUser);
    // RestTemplate.delete(String, Object...) treats extra arguments as URI variables and sends
    // no request headers, so the token never leaves this client; exchange() sends the entity's headers.
    restTemplate.exchange(urlForDeleteUser, org.springframework.http.HttpMethod.DELETE, entity, Void.class);
    System.out.println("done");
    return true;
}
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151111/135ef9f5/attachment-0001.html From chenkeong.yap at izeno.com Thu Nov 12 02:21:13 2015 From: chenkeong.yap at izeno.com (Chen Keong Yap) Date: Thu, 12 Nov 2015 15:21:13 +0800 Subject: [keycloak-user] Spring Security SAML Extension Message-ID: Hi Guys, Did you manage to integrate the Spring Security SAML Extension ( http://projects.spring.io/spring-security-saml/) with Keycloak instead of using the spring security adapter provided by Keycloak? We have a requirement to use SAML auth with spring security but the spring security adapter provided by Keycloak only supports open id connect -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151112/2dfac4b7/attachment.html From mposolda at redhat.com Thu Nov 12 03:24:09 2015 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 12 Nov 2015 09:24:09 +0100 Subject: [keycloak-user] Clarification regarding Offline Token In-Reply-To: References: Message-ID: <56444CA9.8090109@redhat.com> You can use that in a browser application with authorization_code too. That's not a problem. For refresh_token you can't at this point. The offline token itself is a special kind of refresh token (it's a refresh token which never expires). So if you send a refresh request with an offline token, you will automatically receive a new offline token. Otherwise, if you send a refresh request with a "classic" refresh token, you will receive another classic refresh token. I suggest looking at the documentation http://keycloak.github.io/docs/userguide/keycloak-server/html/timeouts.html#offline-access and trying the example (referenced from the documentation). The example is a browser application and it uses authorization_code. Marek On 11/11/15 19:19, robinfernandes .
wrote: > Hi All, > > Just wanted a clarification regarding generation of offline tokens. > > 1. Can we use the *grant_type = authorization_code* or*grant_type = > refresh_token* to get the offline tokens? Or is it only available for > grant_type = password & grant_type = client_credentials? > > 2. Is there a way to give offline token to a particular user without > using direct access grants? > > Thanks, > Robin > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151112/46a26e0c/attachment.html From mposolda at redhat.com Thu Nov 12 03:50:23 2015 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 12 Nov 2015 09:50:23 +0100 Subject: [keycloak-user] can not delete user using REST API -401 unauthorized. In-Reply-To: References: Message-ID: <564452CF.5080708@redhat.com> What's the output of the "System.out.println(httpHeaders);" command? Basically you need to include Authorization header with the content like: Authorization: Bearer your-access-token-here TBH I am not familiar with spring http client library you're using, so not sure if you're sending headers correctly. Marek On 12/11/15 01:08, harsh mahey wrote: > > I am getting 401 unAuthorized when im trying to delete a user.I was > able to create the user with this id.And i am able to delete the user > using Advanced REST Chrome client using same DELETE URL. > > Can you guide what am i doing wrong here. 
> > > Thanks > > > *****************ERROR***********************************************************
> > org.springframework.web.client.HttpClientErrorException: 401 Unauthorized
> >     at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:91)
> >     at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:641)
> >     at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:597)
> >     at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:557)
> >     at org.springframework.web.client.RestTemplate.delete(RestTemplate.java:429)
> >     at com.snrapps.mwp.domain.security.KeyCloakAdminAdapter.deleteUser(KeyCloakAdminAdapter.java:256)
> >     at com.snrapps.mwp.domain.security.KeyCloakAdminAdapter.main(KeyCloakAdminAdapter.java:55)
> > *****************CODE**************************************************************
> > public boolean deleteUser(String userId) {
> >     AccessTokenResponse accessTokenResponse = getToken();
> >     // The admin API needs "Authorization: Bearer <access token>" on every request
> >     org.springframework.http.HttpEntity<Void> entity =
> >             new org.springframework.http.HttpEntity<>(getHeaders(accessTokenResponse.getToken()));
> >     HttpHeaders httpHeaders = entity.getHeaders();
> >     System.out.println(httpHeaders);
> >     RestTemplate restTemplate = new RestTemplate();
> >     // Note the slash between "realms" and the realm name
> >     String urlForDeleteUser = "http://XXXXX.com:XXXX/auth/admin/realms/MyAppsRealm/users/" + userId;
> >     System.out.println(urlForDeleteUser);
> >     // RestTemplate.delete(String, Object...) treats extra arguments as URI variables and sends
> >     // no request headers, so the token never leaves this client; exchange() sends the entity's headers.
> >     restTemplate.exchange(urlForDeleteUser, org.springframework.http.HttpMethod.DELETE, entity, Void.class);
> >     System.out.println("done");
> >     return true;
> > }
> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed...
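The header Marek describes, as an added example that is not code from this thread or from Keycloak: a Python client that sends the DELETE with an Authorization: Bearer header, run against a small in-process stand-in for the admin endpoint so that it works offline. The stand-in server, its port, the token value, the realm and the user id are all constructed for the demo; the path shape it checks is the one from the question, /auth/admin/realms/{realm}/users/{id}. It answers 401 without a valid Bearer header and 404 when the slash between "realms" and the realm name is missing, so both mistakes in the posted code are visible from the returned status codes.

```python
"""DELETE against a Keycloak-style Admin REST endpoint with a Bearer token.

Added example; not code from this thread or from Keycloak. A small in-process
HTTP server stands in for the admin endpoint so the example runs offline: it
answers 204 only when the request carries "Authorization: Bearer <token>",
401 when the header is missing or wrong, and 404 when the path is malformed.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed token for the offline stand-in; a real call uses the access_token
# returned by the token endpoint.
DEMO_TOKEN = "demo-access-token"


class FakeAdminEndpoint(BaseHTTPRequestHandler):
    """Stand-in for DELETE /auth/admin/realms/{realm}/users/{id}."""

    def do_DELETE(self):
        parts = self.path.strip("/").split("/")
        # Expected shape: auth/admin/realms/<realm>/users/<id>
        if len(parts) != 6 or parts[:3] != ["auth", "admin", "realms"] or parts[4] != "users":
            self.send_response(404)
            self.end_headers()
            return
        auth = self.headers.get("Authorization", "")
        if not auth.startswith("Bearer ") or auth[len("Bearer "):] != DEMO_TOKEN:
            self.send_response(401)
            self.end_headers()
            return
        self.send_response(204)
        self.end_headers()

    def log_message(self, format, *args):
        pass  # keep the demo quiet


def admin_user_url(base_url: str, realm: str, user_id: str) -> str:
    """Build the admin URL; the slash between 'realms' and the realm name matters."""
    return f"{base_url.rstrip('/')}/auth/admin/realms/{realm}/users/{user_id}"


def delete_at(url: str, token=None) -> int:
    """Send DELETE to url, attaching a Bearer header if a token is given; return the status."""
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    req = urllib.request.Request(url, method="DELETE", headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def delete_user(base_url: str, realm: str, user_id: str, token=None) -> int:
    """Delete a user through the admin API; returns the HTTP status code."""
    return delete_at(admin_user_url(base_url, realm, user_id), token)


def start_stand_in():
    """Start the stand-in server on a free port; return (base_url, server)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), FakeAdminEndpoint)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}", server


def demo():
    """Return the status codes for: no header, correct header, malformed path."""
    base_url, server = start_stand_in()
    try:
        user_id = "0f4a6c2e-demo-user"  # constructed id
        without = delete_user(base_url, "MyAppsRealm", user_id)
        with_token = delete_user(base_url, "MyAppsRealm", user_id, DEMO_TOKEN)
        # The missing slash from the posted code: "realmsMyAppsRealm"
        bad_path = delete_at(f"{base_url}/auth/admin/realmsMyAppsRealm/users/{user_id}", DEMO_TOKEN)
    finally:
        server.shutdown()
        server.server_close()
    return without, with_token, bad_path


if __name__ == "__main__":
    print(demo())
```

Against a real server, replace DEMO_TOKEN with the access_token obtained from the realm's token endpoint and base_url with the Keycloak host; the request shape stays the same.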
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151112/4647bc8b/attachment.html From ado.boj.83 at gmail.com Thu Nov 12 04:03:47 2015 From: ado.boj.83 at gmail.com (Andrej Prievalsky) Date: Thu, 12 Nov 2015 10:03:47 +0100 Subject: [keycloak-user] Generic keycloak function support Message-ID: Hi, I would like to ask you if actually or in future will provide/support this function: 1.) 2nd factor Authorization ? 2.) User Notifications via Email ? Thanks for answer. Andrej. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151112/921bf748/attachment.html From sthorger at redhat.com Thu Nov 12 04:10:40 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 12 Nov 2015 10:10:40 +0100 Subject: [keycloak-user] Generic keycloak function support In-Reply-To: References: Message-ID: On 12 November 2015 at 10:03, Andrej Prievalsky wrote: > Hi, > > I would like to ask you if actually or in future will provide/support this > function: > > 1.) 2nd factor Authorization ? > Yes, assuming you mean 2nd factor authentication. We have support for FreeOTP or Google Authenticator. Custom 2nd factor authentication can be added through the Authenticator SPI ( http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html ). We are planning to add support for more types in the future, but I can't give you any specific details on when that will be. > > 2.) User Notifications via Email ? > What type of notifications? > > Thanks for answer. > Andrej. > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151112/0fe45151/attachment.html From ado.boj.83 at gmail.com Thu Nov 12 04:17:58 2015 From: ado.boj.83 at gmail.com (Andrej Prievalsky) Date: Thu, 12 Nov 2015 10:17:58 +0100 Subject: [keycloak-user] Generic keycloak function support In-Reply-To: References: Message-ID: To point 2.: For example: Send email to end user for changes made to account On Thu, Nov 12, 2015 at 10:10 AM, Stian Thorgersen wrote: > > > On 12 November 2015 at 10:03, Andrej Prievalsky > wrote: > >> Hi, >> >> I would like to ask you if actually or in future will provide/support >> this function: >> >> 1.) 2nd factor Authorization ? >> > > Yes, assuming you mean 2nd factor authentication. We have support for > FreeOTP or Google Authenticator. Custom 2nd factor authentication can be > added through the Authenticator SPI ( > http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html > ). > > We are planning to add support for more types in the future, but I can't > give you any specific details on when that will be. > > >> >> 2.) User Notifications via Email ? >> > > What type of notifications? > > >> >> Thanks for answer. >> Andrej. >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151112/f880d858/attachment-0001.html From sthorger at redhat.com Thu Nov 12 04:31:42 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 12 Nov 2015 10:31:42 +0100 Subject: [keycloak-user] Generic keycloak function support In-Reply-To: References: Message-ID: We have that - http://keycloak.github.io/docs/userguide/keycloak-server/html/events.html#d4e2401 On 12 November 2015 at 10:17, Andrej Prievalsky wrote: > To point 2.: > For example: > Send email to end user for changes made to account > > On Thu, Nov 12, 2015 at 10:10 AM, Stian Thorgersen > wrote: > >> >> >> On 12 November 2015 at 10:03, Andrej Prievalsky >> wrote: >> >>> Hi, >>> >>> I would like to ask you if actually or in future will provide/support >>> this function: >>> >>> 1.) 2nd factor Authorization ? >>> >> >> Yes, assuming you mean 2nd factor authentication. We have support for >> FreeOTP or Google Authenticator. Custom 2nd factor authentication can be >> added through the Authenticator SPI ( >> http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html >> ). >> >> We are planning to add support for more types in the future, but I can't >> give you any specific details on when that will be. >> >> >>> >>> 2.) User Notifications via Email ? >>> >> >> What type of notifications? >> >> >>> >>> Thanks for answer. >>> Andrej. >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151112/000b19ee/attachment.html From juraj.janosik77 at gmail.com Thu Nov 12 04:32:58 2015 From: juraj.janosik77 at gmail.com (Juraj Janosik) Date: Thu, 12 Nov 2015 10:32:58 +0100 Subject: [keycloak-user] Clarify "Create a new client" via Admin REST API Message-ID: Hi, I want to clarify the "Create a new client" via REST API, especially for the body parameter "id" from "ClientRepresentation". If I set the parameter "id" in the request body (see example below), the value is set on the client. No new id value is generated for the client, which is the typical behavior of "Create a new role for the realm or client" and "Create a new user". Is this the correct behavior? Tested data example: "Create Client":
"method":"POST","url":":/auth/admin/realms//clients"
"body": "{
  "id":"3",
  "clientId":"testclient-3",
  "name": "testclient-3",
  "description": "TESTCLIENT-3",
  "enabled": true,
  "redirectUris":[ "\\" ],
  "publicClient": true
}"
"headers": [["Content-Type","application/json"], ["Authorization","Bearer ]]
Output for GET clients looks like:
{
  "id": "3",
  "clientId": "testclient-3",
  "name": "testclient-3",
  "description": "TESTCLIENT-3",
  "surrogateAuthRequired": false,
  "enabled": true,
  "clientAuthenticatorType": "client-secret",
  "redirectUris": [ "\" ],
  "webOrigins": [ ],
  "notBefore": 0,
  "bearerOnly": false,
  "consentRequired": false,
  "serviceAccountsEnabled": false,
  "directGrantsOnly": false,
  "publicClient": true,
  "frontchannelLogout": false,
  "attributes": { },
  ...
Thanks a lot. Best Regards, Juraj -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151112/bd6c1251/attachment.html From bystrik.horvath at gmail.com Thu Nov 12 04:34:22 2015 From: bystrik.horvath at gmail.com (Bystrik Horvath) Date: Thu, 12 Nov 2015 10:34:22 +0100 Subject: [keycloak-user] Custom User Attributes - incorrect paths Message-ID: Hello, I tried to create my own theme following the description in Keycloak Reference Guide 1.6.1. There are incorrect paths (in several places) in chapter 31. - Custom User Attributes, e.g.: 1. Create a new theme within the themes/admin/mytheme directory in your distribution. Where mytheme is whatever you want to name your theme. should be: 1. Create a new theme within the themes/mytheme/admin/ directory in your distribution. Where mytheme is whatever you want to name your theme. or 1. Copy the file themes/admin/base/resources/partials/user-attribute-entry.html into a mirror directory ... should be: 1. Copy the file themes/base/admin/resources/partials/user-attribute-entry.html into a mirror directory Anyway, the file 1. themes/base/admin/resources/partials/user-attribute-entry.html is not present in the distribution; I found only 1. themes/base/admin/resources/partials/user-attributes.html 2. There are several places in chapter 31 where incorrect paths are given as an example. Best regards, Bystrik -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151112/42ebfabd/attachment.html From juraj.janosik77 at gmail.com Thu Nov 12 04:58:06 2015 From: juraj.janosik77 at gmail.com (Juraj Janosik) Date: Thu, 12 Nov 2015 10:58:06 +0100 Subject: [keycloak-user] Issue (500 Internal Server Error) with "Update the client" via Admin REST API Message-ID: Hi, I want to report an issue with "Update the client" via Admin REST API. Description: I want to change the description for existing client #3.
Note: From the documentation ("Update the client"), body parameter attributes are required in schema "ClientRepresentation". Description of schema "ClientRepresentation" notes for any mandatory attribute.

Are some parameters mandatory for successfully running this scenario?

Tested scenario:
Tested data:
"Update Client":
"method":"PUT","url":":/auth/admin/realms//clients/3"
"headers":
[["Content-Type","application/json"],
["Authorization","Bearer ]]
"body":
"{
"id":"3",
"clientId":"testclient-3",
"name": "testclient-3",
"description": "TESTCLIENT-3 v.2"
}"

Test Result: Status Code: 500 Internal Server Error

Some parts from console logs:
10:35:31,591 ERROR [io.undertow.request] (default task-18) UT005023: Exception handling request to /auth/admin/realms/universities/clients/3: java.lang.RuntimeException: request path: /auth/admin/realms/universities/clients/3
...
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)
... 29 more
Caused by: java.lang.NullPointerException
at org.keycloak.services.resources.admin.ClientResource.update(ClientResource.java:106)

Thanks a lot.

Best Regards,
Juraj

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151112/9c0a9d7d/attachment.html

From sthorger at redhat.com Thu Nov 12 05:40:17 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 12 Nov 2015 11:40:17 +0100
Subject: [keycloak-user] Custom User Attributes - incorrect paths
In-Reply-To:
References:
Message-ID:

Can you create a JIRA please? If you could prepare a PR as well that'd be even better :)

On 12 November 2015 at 10:34, Bystrik Horvath wrote:
> Hello,
>
> I tried to create my own theme by the description in Keycloak Reference
> Guide 1.6.1. There are incorrect paths (at several places) in chapter 31. -
> Custom User Attributes, e.g.:
>
>
> 1.
Create a new theme within the themes/admin/mytheme directory in > your distribution. Where mytheme is whatever you want to name your > theme. > > should be: > > 1. Create a new theme within the themes/mytheme/admin/ directory in > your distribution. Where mytheme is whatever you want to name your > theme. > > or > > > 1. Copy the file > themes/admin/base/resources/partials/user-attribute-entry.html into > the a mirror directory ... > > should be: > > 1. Copy the file > themes/base/admin/resources/partials/user-attribute-entry.html into > the a mirror directory > > Anyway, the file > > 1. themes/base/admin/resources/partials/user-attribute-entry.html > > is not presented in the distribution, I found only > > 1. themes/base/admin/resources/partials/user-attributes.html > 2. > > > There are several places in chapter 31 where incorrect paths are given as > an example. > > Best regards, > Bystrik > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151112/847bd12e/attachment-0001.html From sthorger at redhat.com Thu Nov 12 05:42:59 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 12 Nov 2015 11:42:59 +0100 Subject: [keycloak-user] Issue (500 Internal Server Error) with "Update the client" via Admin REST API In-Reply-To: References: Message-ID: That's a bug. It's failing on "if (rep.isServiceAccountsEnabled() ..)", but serviceAccountsEnabled in the representation can be null, which would result in this NPE. Can you create a JIRA please? If you did a PR as well that'd be even better :) On 12 November 2015 at 10:58, Juraj Janosik wrote: > Hi, > > I want to announce an issue with "Update the client > " > via Admin REST API. > > *Description:* I want to change the description for existing client #3. 
> > *Note:* From the documentation ("Update the client > "), > body parameter attributes > are required in schema "ClientRepresentation". > Description of schema "ClientRepresentation" notes for any mandatory > attribute. > > Are some parameters mandatory for successfuly running of this scenario ? > > *Tested scenario:* > *Tested data:* > "Update Client": > "method":"PUT","url":":/auth/admin/realms//clients/3" > "headers": > [["Content-Type","application/json"], > ["Authorization","Bearer ]] > "body": > "{ > "id":"3", > "clientId":"testclient-3", > "name": "testclient-3", > "description": "TESTCLIENT-3 v.2" > }" > > *Test Result:* Status Code: 500 Internal Server Error > > *Some parts from console logs:* > 10:35:31,591 ERROR [io.undertow.request] (default task-18) UT005023: > Exception handling request to /auth/admin/realms/universities/clients/3: > java.lang.RuntimeException: request path: > /auth/admin/realms/universities/clients/3 > ... > at > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61) > ... 29 more > *Caused by: java.lang.NullPointerException* > at > org.keycloak.services.resources.admin.ClientResource.update(ClientResource.java:106) > > > Thanks a lot. > > Best Regards, > Juraj > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151112/ac493f5c/attachment.html From ssilvert at redhat.com Thu Nov 12 07:12:54 2015 From: ssilvert at redhat.com (Stan Silvert) Date: Thu, 12 Nov 2015 07:12:54 -0500 Subject: [keycloak-user] Issue (500 Internal Server Error) with "Update the client" via Admin REST API In-Reply-To: References: Message-ID: <56448246.90706@redhat.com> Funny. 
I just ran into that exact NPE yesterday but I thought it was a state that was caused by my new code. So I only fixed it in that one representation class. But I'm not ready to merge that yet. We really need to go through all the representations and set defaults for all instance variables of type Boolean. It's probably rare that we would want that default to be null. Even if it should be null we should say so explicitly. Stan On 11/12/2015 5:42 AM, Stian Thorgersen wrote: > That's a bug. It's failing on "if (rep.isServiceAccountsEnabled() > ..)", but serviceAccountsEnabled in the representation can be null, > which would result in this NPE. > > Can you create a JIRA please? If you did a PR as well that'd be even > better :) > > On 12 November 2015 at 10:58, Juraj Janosik > wrote: > > Hi, > > I want to announce an issue with "Update the client > " > via Admin REST API. > > _Description:_ I want to change the description for existing > client #3. > > _Note:_ From the documentation ("Update the client > "), > body parameter attributes > are required in schema "ClientRepresentation". > Description of schema "ClientRepresentation" notes for any > mandatory attribute. > > Are some parameters mandatory for successfuly running of this > scenario ? > > _Tested scenario:_ > _Tested data:_ > "Update Client": > "method":"PUT","url":":/auth/admin/realms//clients/3" > "headers": > [["Content-Type","application/json"], > ["Authorization","Bearer ]] > "body": > "{ > "id":"3", > "clientId":"testclient-3", > "name": "testclient-3", > "description": "TESTCLIENT-3 v.2" > }" > > _Test Result:_ Status Code: 500 Internal Server Error > > _Some parts from console logs:_ > 10:35:31,591 ERROR [io.undertow.request] (default task-18) > UT005023: Exception handling request to > /auth/admin/realms/universities/clients/3: > java.lang.RuntimeException: request path: > /auth/admin/realms/universities/clients/3 > ... 
> at > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61) > ... 29 more > *Caused by: java.lang.NullPointerException* > at > org.keycloak.services.resources.admin.ClientResource.update(ClientResource.java:106) > > > Thanks a lot. > > Best Regards, > Juraj > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151112/ca1ef9d9/attachment.html From sthorger at redhat.com Thu Nov 12 07:39:09 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 12 Nov 2015 13:39:09 +0100 Subject: [keycloak-user] Issue (500 Internal Server Error) with "Update the client" via Admin REST API In-Reply-To: <56448246.90706@redhat.com> References: <56448246.90706@redhat.com> Message-ID: On 12 November 2015 at 13:12, Stan Silvert wrote: > Funny. I just ran into that exact NPE yesterday but I thought it was a > state that was caused by my new code. So I only fixed it in that one > representation class. But I'm not ready to merge that yet. > > We really need to go through all the representations and set defaults for > all instance variables of type Boolean. It's probably rare that we would > want that default to be null. Even if it should be null we should say so > explicitly. > -1 We want them to be null. We set defaults elsewhere > > > Stan > > > On 11/12/2015 5:42 AM, Stian Thorgersen wrote: > > That's a bug. It's failing on "if (rep.isServiceAccountsEnabled() ..)", > but serviceAccountsEnabled in the representation can be null, which would > result in this NPE. > > Can you create a JIRA please? 
If you did a PR as well that'd be even > better :) > > On 12 November 2015 at 10:58, Juraj Janosik > wrote: > >> Hi, >> >> I want to announce an issue with "Update the client >> " >> via Admin REST API. >> >> *Description:* I want to change the description for existing client #3. >> >> *Note:* From the documentation ("Update the client >> "), >> body parameter attributes >> are required in schema "ClientRepresentation". >> Description of schema "ClientRepresentation" notes for any mandatory >> attribute. >> >> Are some parameters mandatory for successfuly running of this scenario ? >> >> *Tested scenario:* >> *Tested data:* >> "Update Client": >> "method":"PUT","url":":/auth/admin/realms//clients/3" >> "headers": >> [["Content-Type","application/json"], >> ["Authorization","Bearer ]] >> "body": >> "{ >> "id":"3", >> "clientId":"testclient-3", >> "name": "testclient-3", >> "description": "TESTCLIENT-3 v.2" >> }" >> >> *Test Result:* Status Code: 500 Internal Server Error >> >> *Some parts from console logs:* >> 10:35:31,591 ERROR [io.undertow.request] (default task-18) UT005023: >> Exception handling request to /auth/admin/realms/universities/clients/3: >> java.lang.RuntimeException: request path: >> /auth/admin/realms/universities/clients/3 >> ... >> at >> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61) >> ... 29 more >> *Caused by: java.lang.NullPointerException* >> at >> org.keycloak.services.resources.admin.ClientResource.update(ClientResource.java:106) >> >> >> Thanks a lot. 
>> >> Best Regards, >> Juraj >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > > _______________________________________________ > keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151112/f2aff790/attachment-0001.html From velias at redhat.com Thu Nov 12 08:15:57 2015 From: velias at redhat.com (Vlastimil Elias) Date: Thu, 12 Nov 2015 14:15:57 +0100 Subject: [keycloak-user] How to implement long user sso sessions with reauthentication for important actions? Message-ID: <5644910D.9020100@redhat.com> Hi, I'd like to use long session authentication mechanism known from many sites like google. facebook, linked in etc. It is about really long user SSO sessions (eg. weeks or even months) with reauthentication for important actions when last authentication timestamp is older than some limit. Is this somehow possible with current Keycloak server and Keycloak adapters? I see few subquestions in this problem for our use: ***** open-id connect protocol defines few auth request parameters to support this use case, mainly max_age or prompt=login. Are they correctly implemented in Keycloak server? ***** Wildfly/EAP adapter - is it possible and is there some example how to use "reauth if auth is older than 30min" action in Java app secured by this adapter? Or is info about last auth timestamp somehow available in the app? 
***** Keycloak user account application itself - it is part of the Keycloak server, but it contains sensitive actions which typically require reauthentication in this long session scheme (password change, email change, ...). Is it somehow possible to configure Keycloak to force timeout reauth for this app?

Thanks in advance

Vl.

--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team

From ssilvert at redhat.com Thu Nov 12 08:20:01 2015
From: ssilvert at redhat.com (Stan Silvert)
Date: Thu, 12 Nov 2015 08:20:01 -0500
Subject: [keycloak-user] Issue (500 Internal Server Error) with "Update the client" via Admin REST API
In-Reply-To:
References: <56448246.90706@redhat.com>
Message-ID: <56449201.3080807@redhat.com>

On 11/12/2015 7:39 AM, Stian Thorgersen wrote:
>
>
> On 12 November 2015 at 13:12, Stan Silvert
> wrote:
>
> Funny. I just ran into that exact NPE yesterday but I thought it
> was a state that was caused by my new code. So I only fixed it in
> that one representation class. But I'm not ready to merge that yet.
>
> We really need to go through all the representations and set
> defaults for all instance variables of type Boolean. It's
> probably rare that we would want that default to be null. Even if
> it should be null we should say so explicitly.
>
>
> -1 We want them to be null. We set defaults elsewhere
Where?
>
>
>
> Stan
>
>
> On 11/12/2015 5:42 AM, Stian Thorgersen wrote:
>> That's a bug. It's failing on "if (rep.isServiceAccountsEnabled()
>> ..)", but serviceAccountsEnabled in the representation can be
>> null, which would result in this NPE.
>>
>> Can you create a JIRA please? If you did a PR as well that'd be
>> even better :)
>>
>> On 12 November 2015 at 10:58, Juraj Janosik
>> > wrote:
>>
>> Hi,
>>
>> I want to announce an issue with "Update the client
>> "
>> via Admin REST API.
>>
>> _Description:_ I want to change the description for existing
>> client #3.
>> >> _Note:_ From the documentation ("Update the client >> "), >> body parameter attributes >> are required in schema "ClientRepresentation". >> Description of schema "ClientRepresentation" notes for any >> mandatory attribute. >> >> Are some parameters mandatory for successfuly running of this >> scenario ? >> >> _Tested scenario:_ >> _Tested data:_ >> "Update Client": >> "method":"PUT","url":":/auth/admin/realms//clients/3" >> "headers": >> [["Content-Type","application/json"], >> ["Authorization","Bearer ]] >> "body": >> "{ >> "id":"3", >> "clientId":"testclient-3", >> "name": "testclient-3", >> "description": "TESTCLIENT-3 v.2" >> }" >> >> _Test Result:_ Status Code: 500 Internal Server Error >> >> _Some parts from console logs:_ >> 10:35:31,591 ERROR [io.undertow.request] (default task-18) >> UT005023: Exception handling request to >> /auth/admin/realms/universities/clients/3: >> java.lang.RuntimeException: request path: >> /auth/admin/realms/universities/clients/3 >> ... >> at >> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61) >> ... 29 more >> *Caused by: java.lang.NullPointerException* >> at >> org.keycloak.services.resources.admin.ClientResource.update(ClientResource.java:106) >> >> >> Thanks a lot. >> >> Best Regards, >> Juraj >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151112/46138190/attachment.html From sthorger at redhat.com Thu Nov 12 08:33:05 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 12 Nov 2015 14:33:05 +0100 Subject: [keycloak-user] Issue (500 Internal Server Error) with "Update the client" via Admin REST API In-Reply-To: <56449201.3080807@redhat.com> References: <56448246.90706@redhat.com> <56449201.3080807@redhat.com> Message-ID: RepresentationToModel On 12 November 2015 at 14:20, Stan Silvert wrote: > On 11/12/2015 7:39 AM, Stian Thorgersen wrote: > > > > On 12 November 2015 at 13:12, Stan Silvert wrote: > >> Funny. I just ran into that exact NPE yesterday but I thought it was a >> state that was caused by my new code. So I only fixed it in that one >> representation class. But I'm not ready to merge that yet. >> >> We really need to go through all the representations and set defaults for >> all instance variables of type Boolean. It's probably rare that we would >> want that default to be null. Even if it should be null we should say so >> explicitly. >> > > -1 We want them to be null. We set defaults elsewhere > > Where? > > > >> >> >> Stan >> >> >> On 11/12/2015 5:42 AM, Stian Thorgersen wrote: >> >> That's a bug. It's failing on "if (rep.isServiceAccountsEnabled() ..)", >> but serviceAccountsEnabled in the representation can be null, which would >> result in this NPE. >> >> Can you create a JIRA please? If you did a PR as well that'd be even >> better :) >> >> On 12 November 2015 at 10:58, Juraj Janosik >> wrote: >> >>> Hi, >>> >>> I want to announce an issue with "Update the client >>> " >>> via Admin REST API. >>> >>> *Description:* I want to change the description for existing client #3. >>> >>> *Note:* From the documentation ("Update the client >>> "), >>> body parameter attributes >>> are required in schema "ClientRepresentation". >>> Description of schema "ClientRepresentation" notes for any mandatory >>> attribute. 
>>> >>> Are some parameters mandatory for successfuly running of this scenario ? >>> >>> *Tested scenario:* >>> *Tested data:* >>> "Update Client": >>> "method":"PUT","url":":/auth/admin/realms//clients/3" >>> "headers": >>> [["Content-Type","application/json"], >>> ["Authorization","Bearer ]] >>> "body": >>> "{ >>> "id":"3", >>> "clientId":"testclient-3", >>> "name": "testclient-3", >>> "description": "TESTCLIENT-3 v.2" >>> }" >>> >>> *Test Result:* Status Code: 500 Internal Server Error >>> >>> *Some parts from console logs:* >>> 10:35:31,591 ERROR [io.undertow.request] (default task-18) UT005023: >>> Exception handling request to /auth/admin/realms/universities/clients/3: >>> java.lang.RuntimeException: request path: >>> /auth/admin/realms/universities/clients/3 >>> ... >>> at >>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61) >>> ... 29 more >>> *Caused by: java.lang.NullPointerException* >>> at >>> org.keycloak.services.resources.admin.ClientResource.update(ClientResource.java:106) >>> >>> >>> Thanks a lot. >>> >>> Best Regards, >>> Juraj >>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> >> >> _______________________________________________ >> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > -------------- next part -------------- An HTML attachment was scrubbed... 
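The two requests Juraj posted in this digest (client creation with a caller-supplied "id", and the partial PUT that ends in the NullPointerException at ClientResource.update) can be exercised together with a small Admin REST API wrapper. This is an added example, not Keycloak code and not anything posted in the thread: the host, realm and bearer token are assumed values, FakeAdminApi is a constructed in-memory stand-in that mimics only the two behaviours reported above (POST honours a supplied "id"; PUT returns 500 when serviceAccountsEnabled is absent), and the practitioner's check is the read-modify-write in update_description together with null_booleans, which refuses to send a representation with unset Boolean fields.

```python
import json
import uuid
from typing import Callable, Dict, Optional, Tuple

# transport(method, url, headers, body) -> (status, response_body); injected so the
# module runs offline and the bearer token never passes through a logger.
Transport = Callable[[str, str, Dict[str, str], Optional[str]], Tuple[int, str]]

# Boolean fields of ClientRepresentation as they appear in the GET output on the page.
BOOLEAN_FIELDS = ("surrogateAuthRequired", "enabled", "bearerOnly", "consentRequired",
                  "serviceAccountsEnabled", "directGrantsOnly", "publicClient",
                  "frontchannelLogout")


def null_booleans(rep: dict) -> list:
    """Fields a server-side `if (rep.isX())` would dereference as null."""
    return [f for f in BOOLEAN_FIELDS if rep.get(f) is None]


class AdminClient:
    def __init__(self, base_url: str, realm: str, token: str, transport: Transport):
        self.clients_url = f"{base_url}/admin/realms/{realm}/clients"  # base_url ends in /auth
        self.token = token
        self.transport = transport

    def call(self, method: str, url: str, body: Optional[dict] = None):
        headers = {"Authorization": f"Bearer {self.token}", "Content-Type": "application/json"}
        status, text = self.transport(method, url, headers,
                                      None if body is None else json.dumps(body))
        if status >= 400:
            raise RuntimeError(f"{method} {url} -> HTTP {status}")
        return json.loads(text) if text else None

    def create_client(self, rep: dict) -> dict:
        # "id" is the server's internal UUID and clientId is what relying parties use,
        # so strip any caller-supplied "id", let the server mint one, then look it up.
        self.call("POST", self.clients_url, {k: v for k, v in rep.items() if k != "id"})
        return next(c for c in self.call("GET", self.clients_url)
                    if c.get("clientId") == rep["clientId"])

    def update_description(self, client_uuid: str, description: str) -> dict:
        # Read-modify-write: fetch the full representation, change one field and PUT
        # the whole thing back, so no Boolean reaches the server as null.
        url = f"{self.clients_url}/{client_uuid}"
        rep = self.call("GET", url)
        rep["description"] = description
        if null_booleans(rep):
            raise ValueError(f"refusing PUT with null Booleans: {null_booleans(rep)}")
        self.call("PUT", url, rep)
        return self.call("GET", url)


def partial_update_accepted(api: AdminClient, client_uuid: str, body: dict) -> bool:
    """PUT a partial representation, as in the thread; True if the server accepted it."""
    try:
        api.call("PUT", f"{api.clients_url}/{client_uuid}", body)
        return True
    except RuntimeError:
        return False


class FakeAdminApi:
    # Constructed stand-in: only the two behaviours reported in the thread are modelled.
    DEFAULTS = {"surrogateAuthRequired": False, "enabled": True, "bearerOnly": False,
                "clientAuthenticatorType": "client-secret", "redirectUris": [], "webOrigins": [],
                "notBefore": 0, "consentRequired": False, "serviceAccountsEnabled": False,
                "directGrantsOnly": False, "publicClient": False, "frontchannelLogout": False,
                "attributes": {}}

    def __init__(self):
        self.store: Dict[str, dict] = {}

    def __call__(self, method, url, headers, body):
        path = url.split("/clients", 1)[1]
        rep = json.loads(body) if body else {}
        if path == "" and method == "POST":
            new = {**self.DEFAULTS, **rep}
            new["id"] = rep.get("id") or str(uuid.uuid4())  # a supplied "id" is honoured
            self.store[new["id"]] = new
            return 201, ""
        if path == "" and method == "GET":
            return 200, json.dumps(list(self.store.values()))
        cid = path.lstrip("/")
        if cid not in self.store:
            return 404, ""
        if method == "GET":
            return 200, json.dumps(self.store[cid])
        if method == "PUT":
            if rep.get("serviceAccountsEnabled") is None:
                return 500, ""  # the NullPointerException on rep.isServiceAccountsEnabled()
            self.store[cid].update(rep)
            return 204, ""
        return 405, ""


def demo(transport: Optional[Transport] = None) -> dict:
    """Create testclient-3 without an "id", then change its description safely."""
    api = AdminClient("http://localhost:8080/auth", "universities", "TOKEN",
                      transport or FakeAdminApi())
    created = api.create_client({"clientId": "testclient-3", "name": "testclient-3",
                                 "description": "TESTCLIENT-3", "enabled": True,
                                 "publicClient": True})
    return api.update_description(created["id"], "TESTCLIENT-3 v.2")
```

Against a real server, pass a transport built on urllib or requests that returns (status, body) and keep the bearer token out of any request logging. Whether the server should accept a caller-chosen "id" at all is the question Juraj raises; from the caller's side the safe habit is to treat "id" as the server's primary key, identify clients by clientId, and never PUT a representation you did not first GET.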
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151112/97e567e3/attachment-0001.html From sthorger at redhat.com Thu Nov 12 08:39:49 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 12 Nov 2015 14:39:49 +0100 Subject: [keycloak-user] How to implement long user sso sessions with reauthentication for important actions? In-Reply-To: <5644910D.9020100@redhat.com> References: <5644910D.9020100@redhat.com> Message-ID: On 12 November 2015 at 14:15, Vlastimil Elias wrote: > Hi, > > I'd like to use long session authentication mechanism known from many > sites like google. facebook, linked in etc. > It is about really long user SSO sessions (eg. weeks or even months) > with reauthentication for important actions when last authentication > timestamp is older than some limit. > > Is this somehow possible with current Keycloak server and Keycloak > adapters? > > I see few subquestions in this problem for our use: > > ***** > open-id connect protocol defines few auth request parameters to support > this use case, mainly max_age or prompt=login. Are they correctly > implemented in Keycloak server? > We don't have support for max_age and we only support prompt=none so these would have to be added > > > ***** > Wildfly/EAP adapter - is it possible and is there some example how to > use "reauth if auth is older than 30min" action in Java app secured by > this adapter? Or is info about last auth timestamp somehow available in > the app? > We don't set auth_time claim ATM so answer is no > > > ***** > Keycloak user account application itself - it is part of the Keycloak > server, but it contains sensitive actions which typically require > reathentication in this long session scheme (password change, email > change, ...). Is it somehow possible to configure Keycloak to force > timeout reauth for this app? > Not at the moment - but if we add what you want it would also make sense to add that. Would need to be configurable through the admin console. 
Would also be nice to have the same for the admin console itself. > > Thanks in advance > > Vl. > > -- > Vlastimil Elias > Principal Software Engineer > Developer Portal Engineering Team > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151112/23f5d042/attachment.html From ssilvert at redhat.com Thu Nov 12 08:40:37 2015 From: ssilvert at redhat.com (Stan Silvert) Date: Thu, 12 Nov 2015 08:40:37 -0500 Subject: [keycloak-user] Issue (500 Internal Server Error) with "Update the client" via Admin REST API In-Reply-To: References: <56448246.90706@redhat.com> <56449201.3080807@redhat.com> Message-ID: <564496D5.8030200@redhat.com> On 11/12/2015 8:33 AM, Stian Thorgersen wrote: > RepresentationToModel The bug happened before RepresentationToModel could be called. That's why we need to initialize variables properly. > > On 12 November 2015 at 14:20, Stan Silvert > wrote: > > On 11/12/2015 7:39 AM, Stian Thorgersen wrote: >> >> >> On 12 November 2015 at 13:12, Stan Silvert > > wrote: >> >> Funny. I just ran into that exact NPE yesterday but I >> thought it was a state that was caused by my new code. So I >> only fixed it in that one representation class. But I'm not >> ready to merge that yet. >> >> We really need to go through all the representations and set >> defaults for all instance variables of type Boolean. It's >> probably rare that we would want that default to be null. >> Even if it should be null we should say so explicitly. >> >> >> -1 We want them to be null. We set defaults elsewhere > Where? > >> >> >> Stan >> >> >> On 11/12/2015 5:42 AM, Stian Thorgersen wrote: >>> That's a bug. 
It's failing on "if >>> (rep.isServiceAccountsEnabled() ..)", >>> but serviceAccountsEnabled in the representation can be >>> null, which would result in this NPE. >>> >>> Can you create a JIRA please? If you did a PR as well that'd >>> be even better :) >>> >>> On 12 November 2015 at 10:58, Juraj Janosik >>> >> > wrote: >>> >>> Hi, >>> >>> I want to announce an issue with "Update the client >>> " >>> via Admin REST API. >>> >>> _Description:_ I want to change the description for >>> existing client #3. >>> >>> _Note:_ From the documentation ("Update the client >>> "), >>> body parameter attributes >>> are required in schema "ClientRepresentation". >>> Description of schema "ClientRepresentation" notes for >>> any mandatory attribute. >>> >>> Are some parameters mandatory for successfuly running of >>> this scenario ? >>> >>> _Tested scenario:_ >>> _Tested data:_ >>> "Update Client": >>> "method":"PUT","url":":/auth/admin/realms//clients/3" >>> "headers": >>> [["Content-Type","application/json"], >>> ["Authorization","Bearer ]] >>> "body": >>> "{ >>> "id":"3", >>> "clientId":"testclient-3", >>> "name": "testclient-3", >>> "description": "TESTCLIENT-3 v.2" >>> }" >>> >>> _Test Result:_ Status Code: 500 Internal Server Error >>> >>> _Some parts from console logs:_ >>> 10:35:31,591 ERROR [io.undertow.request] (default >>> task-18) UT005023: Exception handling request to >>> /auth/admin/realms/universities/clients/3: >>> java.lang.RuntimeException: request path: >>> /auth/admin/realms/universities/clients/3 >>> ... >>> at >>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61) >>> ... 29 more >>> *Caused by: java.lang.NullPointerException* >>> at >>> org.keycloak.services.resources.admin.ClientResource.update(ClientResource.java:106) >>> >>> >>> Thanks a lot. 
>>> >>> Best Regards, >>> Juraj >>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151112/b8aaad9d/attachment-0001.html From sthorger at redhat.com Thu Nov 12 08:41:12 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 12 Nov 2015 14:41:12 +0100 Subject: [keycloak-user] Issue (500 Internal Server Error) with "Update the client" via Admin REST API In-Reply-To: <564496D5.8030200@redhat.com> References: <56448246.90706@redhat.com> <56449201.3080807@redhat.com> <564496D5.8030200@redhat.com> Message-ID: The bug is simply caused by not checking for null On 12 November 2015 at 14:40, Stan Silvert wrote: > On 11/12/2015 8:33 AM, Stian Thorgersen wrote: > > RepresentationToModel > > The bug happened before RepresentationToModel could be called. That's why > we need to initialize variables properly. > > > On 12 November 2015 at 14:20, Stan Silvert wrote: > >> On 11/12/2015 7:39 AM, Stian Thorgersen wrote: >> >> >> >> On 12 November 2015 at 13:12, Stan Silvert wrote: >> >>> Funny. I just ran into that exact NPE yesterday but I thought it was a >>> state that was caused by my new code. So I only fixed it in that one >>> representation class. But I'm not ready to merge that yet. >>> >>> We really need to go through all the representations and set defaults >>> for all instance variables of type Boolean. 
It's probably rare that we >>> would want that default to be null. Even if it should be null we should >>> say so explicitly. >>> >> >> -1 We want them to be null. We set defaults elsewhere >> >> Where? >> >> >> >>> >>> >>> Stan >>> >>> >>> On 11/12/2015 5:42 AM, Stian Thorgersen wrote: >>> >>> That's a bug. It's failing on "if (rep.isServiceAccountsEnabled() ..)", >>> but serviceAccountsEnabled in the representation can be null, which would >>> result in this NPE. >>> >>> Can you create a JIRA please? If you did a PR as well that'd be even >>> better :) >>> >>> On 12 November 2015 at 10:58, Juraj Janosik >>> wrote: >>> >>>> Hi, >>>> >>>> I want to announce an issue with "Update the client >>>> " >>>> via Admin REST API. >>>> >>>> *Description:* I want to change the description for existing client #3. >>>> >>>> *Note:* From the documentation ("Update the client >>>> "), >>>> body parameter attributes >>>> are required in schema "ClientRepresentation". >>>> Description of schema "ClientRepresentation" notes for any mandatory >>>> attribute. >>>> >>>> Are some parameters mandatory for successfuly running of this scenario ? >>>> >>>> *Tested scenario:* >>>> *Tested data:* >>>> "Update Client": >>>> "method":"PUT","url":":/auth/admin/realms//clients/3" >>>> "headers": >>>> [["Content-Type","application/json"], >>>> ["Authorization","Bearer ]] >>>> "body": >>>> "{ >>>> "id":"3", >>>> "clientId":"testclient-3", >>>> "name": "testclient-3", >>>> "description": "TESTCLIENT-3 v.2" >>>> }" >>>> >>>> *Test Result:* Status Code: 500 Internal Server Error >>>> >>>> *Some parts from console logs:* >>>> 10:35:31,591 ERROR [io.undertow.request] (default task-18) UT005023: >>>> Exception handling request to /auth/admin/realms/universities/clients/3: >>>> java.lang.RuntimeException: request path: >>>> /auth/admin/realms/universities/clients/3 >>>> ... >>>> at >>>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61) >>>> ... 
29 more >>>> *Caused by: java.lang.NullPointerException* >>>> at >>>> org.keycloak.services.resources.admin.ClientResource.update(ClientResource.java:106) >>>> >>>> >>>> Thanks a lot. >>>> >>>> Best Regards, >>>> Juraj >>>> >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151112/b15e9757/attachment.html From ssilvert at redhat.com Thu Nov 12 08:45:25 2015 From: ssilvert at redhat.com (Stan Silvert) Date: Thu, 12 Nov 2015 08:45:25 -0500 Subject: [keycloak-user] Issue (500 Internal Server Error) with "Update the client" via Admin REST API In-Reply-To: References: <56448246.90706@redhat.com> <56449201.3080807@redhat.com> <564496D5.8030200@redhat.com> Message-ID: <564497F5.9050907@redhat.com> On 11/12/2015 8:41 AM, Stian Thorgersen wrote: > The bug is simply caused by not checking for null Seriously? So every time you call a getter on a Representation you have to check for null? If a Boolean should not be null then initialize it properly or use boolean. > > On 12 November 2015 at 14:40, Stan Silvert > wrote: > > On 11/12/2015 8:33 AM, Stian Thorgersen wrote: >> RepresentationToModel > The bug happened before RepresentationToModel could be called. > That's why we need to initialize variables properly. 
> >> >> On 12 November 2015 at 14:20, Stan Silvert > > wrote: >> >> On 11/12/2015 7:39 AM, Stian Thorgersen wrote: >>> >>> >>> On 12 November 2015 at 13:12, Stan Silvert >>> > wrote: >>> >>> Funny. I just ran into that exact NPE yesterday but I >>> thought it was a state that was caused by my new code. >>> So I only fixed it in that one representation class. >>> But I'm not ready to merge that yet. >>> >>> We really need to go through all the representations and >>> set defaults for all instance variables of type >>> Boolean. It's probably rare that we would want that >>> default to be null. Even if it should be null we should >>> say so explicitly. >>> >>> >>> -1 We want them to be null. We set defaults elsewhere >> Where? >> >>> >>> >>> Stan >>> >>> >>> On 11/12/2015 5:42 AM, Stian Thorgersen wrote: >>>> That's a bug. It's failing on "if >>>> (rep.isServiceAccountsEnabled() ..)", >>>> but serviceAccountsEnabled in the representation can be >>>> null, which would result in this NPE. >>>> >>>> Can you create a JIRA please? If you did a PR as well >>>> that'd be even better :) >>>> >>>> On 12 November 2015 at 10:58, Juraj Janosik >>>> >>> > wrote: >>>> >>>> Hi, >>>> >>>> I want to announce an issue with "Update the client >>>> " >>>> via Admin REST API. >>>> >>>> _Description:_ I want to change the description for >>>> existing client #3. >>>> >>>> _Note:_ From the documentation ("Update the client >>>> "), >>>> body parameter attributes >>>> are required in schema "ClientRepresentation". >>>> Description of schema "ClientRepresentation" notes >>>> for any mandatory attribute. >>>> >>>> Are some parameters mandatory for successfuly >>>> running of this scenario ? 
>>>> >>>> _Tested scenario:_ >>>> _Tested data:_ >>>> "Update Client": >>>> "method":"PUT","url":":/auth/admin/realms//clients/3" >>>> "headers": >>>> [["Content-Type","application/json"], >>>> ["Authorization","Bearer ]] >>>> "body": >>>> "{ >>>> "id":"3", >>>> "clientId":"testclient-3", >>>> "name": "testclient-3", >>>> "description": "TESTCLIENT-3 v.2" >>>> }" >>>> >>>> _Test Result:_ Status Code: 500 Internal Server Error >>>> >>>> _Some parts from console logs:_ >>>> 10:35:31,591 ERROR [io.undertow.request] (default >>>> task-18) UT005023: Exception handling request to >>>> /auth/admin/realms/universities/clients/3: >>>> java.lang.RuntimeException: request path: >>>> /auth/admin/realms/universities/clients/3 >>>> ... >>>> at >>>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61) >>>> ... 29 more >>>> *Caused by: java.lang.NullPointerException* >>>> at >>>> org.keycloak.services.resources.admin.ClientResource.update(ClientResource.java:106) >>>> >>>> >>>> Thanks a lot. >>>> >>>> Best Regards, >>>> Juraj >>>> >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>>> >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >> >> > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151112/49201c0e/attachment-0001.html

From velias at redhat.com Thu Nov 12 08:49:18 2015 From: velias at redhat.com (Vlastimil Elias) Date: Thu, 12 Nov 2015 14:49:18 +0100 Subject: [keycloak-user] How to implement long user sso sessions with reauthentication for important actions? In-Reply-To: References: <5644910D.9020100@redhat.com> Message-ID: <564498DE.6010805@redhat.com>

Thanks for quick reply Stian.

I'm going to create JIRAs for all these things. I can volunteer to implement some parts of this.

For the last one, it should be probably cool to have "reauthenticate timeout" setting available in client section for every client (not only internal admin console and account management). It should allow simple implementation of "long user sso session" scheme even in environments where some clients can't be updated to set max_age on protocol level.

Vl.

On 12.11.2015 14:39, Stian Thorgersen wrote: > > > On 12 November 2015 at 14:15, Vlastimil Elias > wrote: > > Hi, > > I'd like to use long session authentication mechanism known from many > sites like Google, Facebook, LinkedIn etc. > It is about really long user SSO sessions (eg. weeks or even months) > with reauthentication for important actions when last authentication > timestamp is older than some limit. > > Is this somehow possible with current Keycloak server and Keycloak > adapters? > > I see few subquestions in this problem for our use: > > ***** > open-id connect protocol defines few auth request parameters to > support > this use case, mainly max_age or prompt=login. Are they correctly > implemented in Keycloak server? > > > We don't have support for max_age and we only support prompt=none so > these would have to be added > > > > > ***** > Wildfly/EAP adapter - is it possible and is there some example how to > use "reauth if auth is older than 30min" action in Java app secured by > this adapter?
Or is info about last auth timestamp somehow > available in > the app? > > > We don't set auth_time claim ATM so answer is no > > > > > ***** > Keycloak user account application itself - it is part of the Keycloak > server, but it contains sensitive actions which typically require > reauthentication in this long session scheme (password change, email > change, ...). Is it somehow possible to configure Keycloak to force > timeout reauth for this app? > > > Not at the moment - but if we add what you want it would also make > sense to add that. Would need to be configurable through the admin > console. Would also be nice to have the same for the admin console itself. > > > > Thanks in advance > > Vl. > > -- > Vlastimil Elias > Principal Software Engineer > Developer Portal Engineering Team > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- Vlastimil Elias Principal Software Engineer Developer Portal Engineering Team -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151112/ec68851c/attachment.html

From sthorger at redhat.com Thu Nov 12 08:50:45 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 12 Nov 2015 14:50:45 +0100 Subject: [keycloak-user] How to implement long user sso sessions with reauthentication for important actions? In-Reply-To: <564498DE.6010805@redhat.com> References: <5644910D.9020100@redhat.com> <564498DE.6010805@redhat.com> Message-ID:

On 12 November 2015 at 14:49, Vlastimil Elias wrote: > Thanks for quick reply Stian. > > I'm going to create JIRAs for all these things. I can volunteer to > implement some parts of this. > > For the last one, it should be probably cool to have "reauthenticate > timeout" setting available in client section for every client (not only > internal admin console and account management).
It should allow simple > implementation of "long user sso session" scheme even in environments where > some clients can't be updated to set max_age on protocol level. > Yep, that makes sense > > Vl. > > > On 12.11.2015 14:39, Stian Thorgersen wrote: > > > > On 12 November 2015 at 14:15, Vlastimil Elias < > velias at redhat.com> wrote: > >> Hi, >> >> I'd like to use long session authentication mechanism known from many >> sites like google. facebook, linked in etc. >> It is about really long user SSO sessions (eg. weeks or even months) >> with reauthentication for important actions when last authentication >> timestamp is older than some limit. >> >> Is this somehow possible with current Keycloak server and Keycloak >> adapters? >> >> I see few subquestions in this problem for our use: >> >> ***** >> open-id connect protocol defines few auth request parameters to support >> this use case, mainly max_age or prompt=login. Are they correctly >> implemented in Keycloak server? >> > > We don't have support for max_age and we only support prompt=none so these > would have to be added > > >> >> >> ***** >> Wildfly/EAP adapter - is it possible and is there some example how to >> use "reauth if auth is older than 30min" action in Java app secured by >> this adapter? Or is info about last auth timestamp somehow available in >> the app? >> > > We don't set auth_time claim ATM so answer is no > > >> >> >> ***** >> Keycloak user account application itself - it is part of the Keycloak >> server, but it contains sensitive actions which typically require >> reathentication in this long session scheme (password change, email >> change, ...). Is it somehow possible to configure Keycloak to force >> timeout reauth for this app? >> > > Not at the moment - but if we add what you want it would also make sense > to add that. Would need to be configurable through the admin console. Would > also be nice to have the same for the admin console itself. > > >> >> Thanks in advance >> >> Vl. 
>> >> -- >> Vlastimil Elias >> Principal Software Engineer >> Developer Portal Engineering Team >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > -- > Vlastimil Elias > Principal Software Engineer > Developer Portal Engineering Team > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151112/7acc0797/attachment.html From sthorger at redhat.com Thu Nov 12 08:59:41 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 12 Nov 2015 14:59:41 +0100 Subject: [keycloak-user] Issue (500 Internal Server Error) with "Update the client" via Admin REST API In-Reply-To: <564497F5.9050907@redhat.com> References: <56448246.90706@redhat.com> <56449201.3080807@redhat.com> <564496D5.8030200@redhat.com> <564497F5.9050907@redhat.com> Message-ID: Not sure why this is turning into a lengthy discussion, but null in the representation has a meaning. If you look at how it's implemented the lack of a value (it's set to null) results in setting the default value only if creating a new entity. If updating an existing entity a null value is simply ignored. If you initialize these in the representation you will end up overriding existing values. The idea is that someone can update a single value without having to include all existing values. On 12 November 2015 at 14:45, Stan Silvert wrote: > On 11/12/2015 8:41 AM, Stian Thorgersen wrote: > > The bug is simply caused by not checking for null > > Seriously? So every time you call a getter on a Representation you have > to check for null? > > If a Boolean should not be null then initialize it properly or use boolean. 
> > > On 12 November 2015 at 14:40, Stan Silvert wrote: > >> On 11/12/2015 8:33 AM, Stian Thorgersen wrote: >> >> RepresentationToModel >> >> The bug happened before RepresentationToModel could be called. That's >> why we need to initialize variables properly. >> >> >> On 12 November 2015 at 14:20, Stan Silvert wrote: >> >>> On 11/12/2015 7:39 AM, Stian Thorgersen wrote: >>> >>> >>> >>> On 12 November 2015 at 13:12, Stan Silvert wrote: >>> >>>> Funny. I just ran into that exact NPE yesterday but I thought it was a >>>> state that was caused by my new code. So I only fixed it in that one >>>> representation class. But I'm not ready to merge that yet. >>>> >>>> We really need to go through all the representations and set defaults >>>> for all instance variables of type Boolean. It's probably rare that we >>>> would want that default to be null. Even if it should be null we should >>>> say so explicitly. >>>> >>> >>> -1 We want them to be null. We set defaults elsewhere >>> >>> Where? >>> >>> >>> >>>> >>>> >>>> Stan >>>> >>>> >>>> On 11/12/2015 5:42 AM, Stian Thorgersen wrote: >>>> >>>> That's a bug. It's failing on "if (rep.isServiceAccountsEnabled() ..)", >>>> but serviceAccountsEnabled in the representation can be null, which would >>>> result in this NPE. >>>> >>>> Can you create a JIRA please? If you did a PR as well that'd be even >>>> better :) >>>> >>>> On 12 November 2015 at 10:58, Juraj Janosik >>>> wrote: >>>> >>>>> Hi, >>>>> >>>>> I want to announce an issue with "Update the client >>>>> " >>>>> via Admin REST API. >>>>> >>>>> *Description:* I want to change the description for existing client >>>>> #3. >>>>> >>>>> *Note:* From the documentation ("Update the client >>>>> "), >>>>> body parameter attributes >>>>> are required in schema "ClientRepresentation". >>>>> Description of schema "ClientRepresentation" notes for any mandatory >>>>> attribute. >>>>> >>>>> Are some parameters mandatory for successfuly running of this scenario >>>>> ? 
>>>>> >>>>> *Tested scenario:* >>>>> *Tested data:* >>>>> "Update Client": >>>>> "method":"PUT","url":":/auth/admin/realms//clients/3" >>>>> "headers": >>>>> [["Content-Type","application/json"], >>>>> ["Authorization","Bearer ]] >>>>> "body": >>>>> "{ >>>>> "id":"3", >>>>> "clientId":"testclient-3", >>>>> "name": "testclient-3", >>>>> "description": "TESTCLIENT-3 v.2" >>>>> }" >>>>> >>>>> *Test Result:* Status Code: 500 Internal Server Error >>>>> >>>>> *Some parts from console logs:* >>>>> 10:35:31,591 ERROR [io.undertow.request] (default task-18) UT005023: >>>>> Exception handling request to /auth/admin/realms/universities/clients/3: >>>>> java.lang.RuntimeException: request path: >>>>> /auth/admin/realms/universities/clients/3 >>>>> ... >>>>> at >>>>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61) >>>>> ... 29 more >>>>> *Caused by: java.lang.NullPointerException* >>>>> at >>>>> org.keycloak.services.resources.admin.ClientResource.update(ClientResource.java:106) >>>>> >>>>> >>>>> Thanks a lot. >>>>> >>>>> Best Regards, >>>>> Juraj >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >>> >> >> > > -------------- next part -------------- An HTML attachment was scrubbed... 
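
The relying-party side of the "long user SSO session with reauthentication for important actions" question above, as an added example that is not part of the original thread and is not Keycloak adapter code. It applies the policy Vlastimil describes (force a new login when the last credential entry is older than 30 minutes) on top of ID-token claims that the adapter has already verified, builds the OIDC authorization request with prompt=login and max_age, and, because the thread notes that the server at the time neither honoured max_age nor emitted auth_time, fails closed when auth_time is missing and re-checks the returned token instead of trusting the redirect. The endpoint, client id, redirect URI, nonce and timestamps are constructed placeholders; URLEncoder.encode(String, Charset) needs Java 10 or later.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example, not Keycloak adapter code: a relying-party "re-authenticate if the
// login is older than N minutes" policy built on the OIDC auth_time claim, prompt=login
// and max_age. Endpoint, client id, redirect URI and claim values are placeholders.
public final class ReauthPolicy {

    // claims: from an ID token whose signature, issuer, audience and expiry the adapter
    // has already verified (assumed); this method only applies the freshness policy.
    static boolean needsReauth(Map<String, Object> claims, long nowSeconds, long maxAgeSeconds) {
        Object authTime = claims.get("auth_time");
        if (!(authTime instanceof Number)) {
            // No auth_time (the thread notes Keycloak did not emit it at the time): we cannot
            // prove when credentials were last entered, so fail closed.
            return true;
        }
        long age = nowSeconds - ((Number) authTime).longValue();
        return age < 0 || age > maxAgeSeconds;   // a future auth_time is not trusted either
    }

    // Authorization request asking the IdP for a fresh login: prompt=login forces the
    // credential prompt, max_age states the freshness the RP will accept.
    static String reauthRequest(String authorizeEndpoint, String clientId, String redirectUri,
                                String state, String nonce, long maxAgeSeconds) {
        Map<String, String> params = new LinkedHashMap<>();
        params.put("response_type", "code");
        params.put("client_id", clientId);
        params.put("redirect_uri", redirectUri);
        params.put("scope", "openid");
        params.put("state", state);
        params.put("nonce", nonce);
        params.put("prompt", "login");
        params.put("max_age", Long.toString(maxAgeSeconds));

        StringBuilder url = new StringBuilder(authorizeEndpoint).append('?');
        boolean first = true;
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (!first) url.append('&');
            first = false;
            url.append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
               .append('=')
               .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        }
        return url.toString();
    }

    // After the redirect back: an IdP that ignores max_age/prompt (or a replayed old
    // response) just hands back the existing SSO session, so the RP must re-check the
    // nonce and auth_time on the new ID token instead of assuming the round trip proved
    // anything.
    static boolean freshLoginConfirmed(Map<String, Object> newClaims, String expectedNonce,
                                       long nowSeconds, long maxAgeSeconds) {
        return expectedNonce.equals(newClaims.get("nonce"))
                && !needsReauth(newClaims, nowSeconds, maxAgeSeconds);
    }

    public static void main(String[] args) {
        long now = 1_447_336_800L;        // constructed "current time", seconds since epoch
        long thirtyMinutes = 30 * 60;

        // Constructed claims: the SSO session is weeks old, credentials last entered 2 hours ago.
        Map<String, Object> claims = new HashMap<>();
        claims.put("sub", "f:1234:alice");
        claims.put("iat", now - 60);      // the token itself was refreshed a minute ago
        claims.put("auth_time", now - 2 * 60 * 60);
        System.out.println("password change needs reauth: " + needsReauth(claims, now, thirtyMinutes));

        System.out.println(reauthRequest(
                "https://idp.example/auth/realms/demo/protocol/openid-connect/auth",
                "account-app", "https://app.example/account/password", "st-42", "nc-42", thirtyMinutes));

        // Constructed claims after the round trip: nonce matches and auth_time is fresh.
        Map<String, Object> fresh = new HashMap<>();
        fresh.put("sub", "f:1234:alice");
        fresh.put("nonce", "nc-42");
        fresh.put("auth_time", now - 5);
        System.out.println("fresh login confirmed: " + freshLoginConfirmed(fresh, "nc-42", now, thirtyMinutes));

        // Same token without auth_time (server does not emit it): fail closed.
        fresh.remove("auth_time");
        System.out.println("without auth_time: " + freshLoginConfirmed(fresh, "nc-42", now, thirtyMinutes));
    }
}
```

Run it with `java ReauthPolicy.java`. The fail-closed branch is the one that matters: without auth_time a weeks-old SSO session and a login from five seconds ago look identical to the application, so the sensitive action has to be gated on a new login rather than waved through.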
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151112/5296edf7/attachment-0001.html From velias at redhat.com Thu Nov 12 09:00:57 2015 From: velias at redhat.com (Vlastimil Elias) Date: Thu, 12 Nov 2015 15:00:57 +0100 Subject: [keycloak-user] How to implement long user sso sessions with reauthentication for important actions? In-Reply-To: References: <5644910D.9020100@redhat.com> Message-ID: <56449B99.2070006@redhat.com> BTW even SAML2 protocol has ForceAuthn="true" attribute in the AuthnRequest. Is it supported in Keycloak? Vl. On 12.11.2015 14:39, Stian Thorgersen wrote: > > > On 12 November 2015 at 14:15, Vlastimil Elias > wrote: > > Hi, > > I'd like to use long session authentication mechanism known from many > sites like google. facebook, linked in etc. > It is about really long user SSO sessions (eg. weeks or even months) > with reauthentication for important actions when last authentication > timestamp is older than some limit. > > Is this somehow possible with current Keycloak server and Keycloak > adapters? > > I see few subquestions in this problem for our use: > > ***** > open-id connect protocol defines few auth request parameters to > support > this use case, mainly max_age or prompt=login. Are they correctly > implemented in Keycloak server? > > > We don't have support for max_age and we only support prompt=none so > these would have to be added > > > > > ***** > Wildfly/EAP adapter - is it possible and is there some example how to > use "reauth if auth is older than 30min" action in Java app secured by > this adapter? Or is info about last auth timestamp somehow > available in > the app? > > > We don't set auth_time claim ATM so answer is no > > > > > ***** > Keycloak user account application itself - it is part of the Keycloak > server, but it contains sensitive actions which typically require > reathentication in this long session scheme (password change, email > change, ...). 
Is it somehow possible to configure Keycloak to force > timeout reauth for this app? > > > Not at the moment - but if we add what you want it would also make > sense to add that. Would need to be configurable through the admin > console. Would also be nice to have the same for the admin console itself. > > > > Thanks in advance > > Vl. > > -- > Vlastimil Elias > Principal Software Engineer > Developer Portal Engineering Team > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- Vlastimil Elias Principal Software Engineer Developer Portal Engineering Team -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151112/28f65d9a/attachment.html From harshmahey at gmail.com Thu Nov 12 09:16:58 2015 From: harshmahey at gmail.com (harsh mahey) Date: Thu, 12 Nov 2015 07:16:58 -0700 Subject: [keycloak-user] can not delete user using REST API -401 unauthorized. 
In-Reply-To: <564452CF.5080708@redhat.com> References: <564452CF.5080708@redhat.com> Message-ID: So this is what i see in my header ******** entity:<{Content-Type=[application/json], Authorization=[Bearer eyJhbGciOiJSUzI1NiJ9.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.eyyqyobdaYesLH13zoPSwxd1yj3HE5GsshLXgQIaucJ9uVs7LpoiXedB0NfLf2rMYVHW6Yo0tX9DA2o_tGdlmNnbFnNqh3GDXIIcqQwIrYTGGzTFQo8k-8TzWlg5GXjuc3_b0GRGdbUd_BgbqahcxhHyciXNTzOM9iuzObXwfmKjCTy8FU-QxNntC-yThOidFoUOYxjmUxyfubq13GH0VVm_1obxQcI5_B6WnIubNFBpyjb70SgZZSVjM1-22WDm_TRlqtKomDALqsD6SAep-fV1yAxR9RLXTJzJpMb5a6Zt2PGOiE2G0cBq_KyfEO33v6IsxYTmIke3_2oV939jbA]}> ******* Here is my updated code ********* public boolean deleteUser(String userId) { AccessTokenResponse accessTokenResponse = getToken(); org.springframework.http.HttpEntity entity = new org.springframework.http.HttpEntity wrote: > What's the output of the "System.out.println(httpHeaders);" command? > > Basically you need to include Authorization header with the content like: > > Authorization: Bearer your-access-token-here > > TBH I am not familiar with spring http client library you're using, so not > sure if you're sending headers correctly. > > Marek > > On 12/11/15 01:08, harsh mahey wrote: > > I am getting 401 unAuthorized when im trying to delete a user.I was able > to create the user with this id.And i am able to delete the user using > Advanced REST Chrome client using same DELETE URL. > > Can you guide what am i doing wrong here. 
> > > Thanks > > > > *****************ERROR*********************************************************** > > org.springframework.web.client.HttpClientErrorException: 401 Unauthorized > > at org.springframework.web.client.DefaultResponseErrorHandler.handleError( > DefaultResponseErrorHandler.java:91) > > at org.springframework.web.client.RestTemplate.handleResponse( > RestTemplate.java:641) > > at org.springframework.web.client.RestTemplate.doExecute( > RestTemplate.java:597) > > at org.springframework.web.client.RestTemplate.execute( > RestTemplate.java:557) > > at org.springframework.web.client.RestTemplate.delete( > RestTemplate.java:429) > > at com.snrapps.mwp.domain.security.KeyCloakAdminAdapter.deleteUser( > KeyCloakAdminAdapter.java:256) > > at com.snrapps.mwp.domain.security.KeyCloakAdminAdapter.main( > KeyCloakAdminAdapter.java:55) > > > *****************CODE************************************************************** > > public boolean deleteUser(String userId) { > > AccessTokenResponse accessTokenResponse = getToken(); > > org.springframework.http.HttpEntity entity = new > org.springframework.http.HttpEntity(getHeaders(accessTokenResponse > .getToken())); > > HttpHeaders httpHeaders=entity.getHeaders(); > > System.out.println(httpHeaders); > > RestTemplate restTemplate = new RestTemplate(); > > String urlForDeleteUser = "http://XXXXX.com:XXXX > /auth/admin/realmsMyAppsRealm/users/" + userId; > > System.out.println(urlForDeleteUser); > > restTemplate.delete(urlForDeleteUser, entity); > > System.out.println("done"); > > > return true; > > } > > > _______________________________________________ > keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user > > > -------------- next part -------------- An HTML attachment was scrubbed... 
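
An added example for the 401 above, not the poster's code and not part of Keycloak: the same delete done with RestTemplate.exchange(), which is the overload that actually sends request headers. RestTemplate.delete(String, Object...) takes its trailing arguments as URI template variables, so the HttpEntity passed to it in the posted code is discarded and the request leaves without an Authorization header, which is exactly what a 401 from the admin API looks like. The realm and user id are supplied as template variables (the URL as written in the mail also lacks the slash between realms and the realm name). Base URL, realm and token value are placeholders; Spring Web 4.x or later is assumed.

```java
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.client.HttpClientErrorException;
import org.springframework.web.client.RestTemplate;

// Added example, not the poster's code or Keycloak's: delete a user through the admin
// REST API with RestTemplate while actually sending the bearer token. Base URL, realm
// and token are placeholders.
public final class KeycloakUserDeleter {

    private final RestTemplate restTemplate = new RestTemplate();
    private final String baseUrl;   // e.g. http://host:8080/auth (placeholder)
    private final String realm;

    KeycloakUserDeleter(String baseUrl, String realm) {
        this.baseUrl = baseUrl;
        this.realm = realm;
    }

    // RestTemplate.delete(String, Object...) treats its trailing arguments as URI template
    // variables, so an HttpEntity passed there is silently dropped and the request goes out
    // without an Authorization header (hence the 401). exchange() sends the headers.
    boolean deleteUser(String accessToken, String userId) {
        HttpHeaders headers = new HttpHeaders();
        headers.set("Authorization", "Bearer " + accessToken);
        HttpEntity<Void> request = new HttpEntity<>(headers);

        // Path shape the admin API uses elsewhere in this thread: /auth/admin/realms/{realm}/...
        // Template variables keep the realm and id out of string concatenation.
        String url = baseUrl + "/admin/realms/{realm}/users/{id}";
        try {
            ResponseEntity<Void> response =
                    restTemplate.exchange(url, HttpMethod.DELETE, request, Void.class, realm, userId);
            // A successful delete answers 204 No Content.
            return HttpStatus.NO_CONTENT.equals(response.getStatusCode());
        } catch (HttpClientErrorException e) {
            // 401: token missing, expired or issued for another realm; 403: token lacks the
            // manage-users role; 404: no such user.
            System.err.println("delete failed: " + e.getStatusCode());
            return false;
        }
    }

    public static void main(String[] args) {
        // Token obtained separately (the poster's getToken()); read from the environment here.
        String token = System.getenv("KEYCLOAK_TOKEN");
        KeycloakUserDeleter deleter = new KeycloakUserDeleter("http://localhost:8080/auth", "MyAppsRealm");
        boolean ok = deleter.deleteUser(token, args.length > 0 ? args[0] : "user-id-placeholder");
        System.out.println("deleted: " + ok);
    }
}
```

Print the headers before the call as Marek suggests, but also log the request the server actually received (its access log or the Keycloak events) when a 401 does not match what the client believes it sent: a header that is built correctly and then not attached is the case the printout cannot reveal.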
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151112/81ad7966/attachment.html From ssilvert at redhat.com Thu Nov 12 09:20:46 2015 From: ssilvert at redhat.com (Stan Silvert) Date: Thu, 12 Nov 2015 09:20:46 -0500 Subject: [keycloak-user] Issue (500 Internal Server Error) with "Update the client" via Admin REST API In-Reply-To: References: <56448246.90706@redhat.com> <56449201.3080807@redhat.com> <564496D5.8030200@redhat.com> <564497F5.9050907@redhat.com> Message-ID: <5644A03E.50209@redhat.com> On 11/12/2015 8:59 AM, Stian Thorgersen wrote: > Not sure why this is turning into a lengthy discussion, but null in > the representation has a meaning. If you look at how it's implemented > the lack of a value (it's set to null) results in setting the default > value only if creating a new entity. If updating an existing entity a > null value is simply ignored. If you initialize these in the > representation you will end up overriding existing values. The idea is > that someone can update a single value without having to include all > existing values. So at the beginning I said it would be rare for us to want the default to be null. That's where I was mistaken. It's good that we had the discussion because I needed to know that null has that meaning. Part of this is Java's fault. A Boolean with three values isn't really Boolean. George Boole is probably rolling over in his grave. > > On 12 November 2015 at 14:45, Stan Silvert > wrote: > > On 11/12/2015 8:41 AM, Stian Thorgersen wrote: >> The bug is simply caused by not checking for null > Seriously? So every time you call a getter on a Representation > you have to check for null? > > If a Boolean should not be null then initialize it properly or use > boolean. > >> >> On 12 November 2015 at 14:40, Stan Silvert > > wrote: >> >> On 11/12/2015 8:33 AM, Stian Thorgersen wrote: >>> RepresentationToModel >> The bug happened before RepresentationToModel could be >> called. 
That's why we need to initialize variables properly. >> >>> >>> On 12 November 2015 at 14:20, Stan Silvert >>> > wrote: >>> >>> On 11/12/2015 7:39 AM, Stian Thorgersen wrote: >>>> >>>> >>>> On 12 November 2015 at 13:12, Stan Silvert >>>> > wrote: >>>> >>>> Funny. I just ran into that exact NPE yesterday >>>> but I thought it was a state that was caused by my >>>> new code. So I only fixed it in that one >>>> representation class. But I'm not ready to merge >>>> that yet. >>>> >>>> We really need to go through all the >>>> representations and set defaults for all instance >>>> variables of type Boolean. It's probably rare that >>>> we would want that default to be null. Even if it >>>> should be null we should say so explicitly. >>>> >>>> >>>> -1 We want them to be null. We set defaults elsewhere >>> Where? >>> >>>> >>>> >>>> Stan >>>> >>>> >>>> On 11/12/2015 5:42 AM, Stian Thorgersen wrote: >>>>> That's a bug. It's failing on "if >>>>> (rep.isServiceAccountsEnabled() ..)", >>>>> but serviceAccountsEnabled in the representation >>>>> can be null, which would result in this NPE. >>>>> >>>>> Can you create a JIRA please? If you did a PR as >>>>> well that'd be even better :) >>>>> >>>>> On 12 November 2015 at 10:58, Juraj Janosik >>>>> >>>> > wrote: >>>>> >>>>> Hi, >>>>> >>>>> I want to announce an issue with "Update the >>>>> client >>>>> " >>>>> via Admin REST API. >>>>> >>>>> _Description:_ I want to change the >>>>> description for existing client #3. >>>>> >>>>> _Note:_ From the documentation ("Update the >>>>> client >>>>> "), >>>>> body parameter attributes >>>>> are required in schema "ClientRepresentation". >>>>> Description of schema "ClientRepresentation" >>>>> notes for any mandatory attribute. >>>>> >>>>> Are some parameters mandatory for successfuly >>>>> running of this scenario ? 
>>>>> >>>>> _Tested scenario:_ >>>>> _Tested data:_ >>>>> "Update Client": >>>>> "method":"PUT","url":":/auth/admin/realms//clients/3" >>>>> "headers": >>>>> [["Content-Type","application/json"], >>>>> ["Authorization","Bearer ]] >>>>> "body": >>>>> "{ >>>>> "id":"3", >>>>> "clientId":"testclient-3", >>>>> "name": "testclient-3", >>>>> "description": "TESTCLIENT-3 v.2" >>>>> }" >>>>> >>>>> _Test Result:_ Status Code: 500 Internal >>>>> Server Error >>>>> >>>>> _Some parts from console logs:_ >>>>> 10:35:31,591 ERROR [io.undertow.request] >>>>> (default task-18) UT005023: Exception handling >>>>> request to >>>>> /auth/admin/realms/universities/clients/3: >>>>> java.lang.RuntimeException: request path: >>>>> /auth/admin/realms/universities/clients/3 >>>>> ... >>>>> at >>>>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61) >>>>> ... 29 more >>>>> *Caused by: java.lang.NullPointerException* >>>>> at >>>>> org.keycloak.services.resources.admin.ClientResource.update(ClientResource.java:106) >>>>> >>>>> >>>>> Thanks a lot. >>>>> >>>>> Best Regards, >>>>> Juraj >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>>> >>> >>> >> >> > > -------------- next part -------------- An HTML attachment was scrubbed... 
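
An added illustration of the semantics Stian describes and of the unboxing NPE Stan hit; it is not Keycloak's ClientRepresentation or ClientResource, and the class and field names are made up. It feeds the same PUT body Juraj sent (id, clientId, name and description only) through an unsafe if() on a nullable Boolean, the null-safe form, and the two code paths in which a missing flag means different things: on create it means "use the default", on update it means "leave the stored value alone". Initialising the representation fields to false instead would turn a description change into a silent disabling of the client's service account, which is an authorisation change hidden inside a 204.

```java
// Added example, not Keycloak's code: a cut-down client representation and the create and
// update paths described in the thread. Class and field names are illustrative.
public final class NullMeansUnchanged {

    // What the JSON body deserialises into. Every optional flag is java.lang.Boolean, so
    // "absent from the PUT body" (null) is distinguishable from "explicitly false".
    static final class ClientRep {
        String id, clientId, name, description;
        Boolean enabled;                 // null = caller did not mention it
        Boolean serviceAccountsEnabled;  // null = caller did not mention it
    }

    // Stand-in for the persisted entity, where the flags are plain booleans.
    static final class ClientModel {
        String id, clientId, name, description;
        boolean enabled;
        boolean serviceAccountsEnabled;
    }

    // The shape of the failing line in the thread: an if() on a Boolean getter.
    // Auto-unboxing a null Boolean throws NullPointerException.
    static boolean unsafeCheck(ClientRep rep) {
        if (rep.serviceAccountsEnabled) {   // NPE when the field was omitted from the body
            return true;
        }
        return false;
    }

    // Null-safe form: absent counts as "not requested".
    static boolean safeCheck(ClientRep rep) {
        return Boolean.TRUE.equals(rep.serviceAccountsEnabled);
    }

    // Create: an omitted flag gets the default.
    static ClientModel create(ClientRep rep) {
        ClientModel m = new ClientModel();
        m.id = rep.id; m.clientId = rep.clientId; m.name = rep.name; m.description = rep.description;
        m.enabled = rep.enabled == null ? true : rep.enabled;                        // default: enabled
        m.serviceAccountsEnabled = Boolean.TRUE.equals(rep.serviceAccountsEnabled);  // default: off
        return m;
    }

    // Update: an omitted flag leaves the stored value untouched. Defaulting the
    // representation fields to false here would make a description-only PUT disable
    // the client and its service account.
    static void update(ClientModel m, ClientRep rep) {
        if (rep.clientId != null) m.clientId = rep.clientId;
        if (rep.name != null) m.name = rep.name;
        if (rep.description != null) m.description = rep.description;
        if (rep.enabled != null) m.enabled = rep.enabled;
        if (rep.serviceAccountsEnabled != null) m.serviceAccountsEnabled = rep.serviceAccountsEnabled;
    }

    public static void main(String[] args) {
        // Existing client with a service account, created earlier with a full body.
        ClientRep full = new ClientRep();
        full.id = "3"; full.clientId = "testclient-3"; full.name = "testclient-3";
        full.description = "TESTCLIENT-3"; full.serviceAccountsEnabled = true;
        ClientModel stored = create(full);

        // The PUT body from the thread: id, clientId, name, description and nothing else.
        ClientRep partial = new ClientRep();
        partial.id = "3"; partial.clientId = "testclient-3"; partial.name = "testclient-3";
        partial.description = "TESTCLIENT-3 v.2";

        try {
            unsafeCheck(partial);
        } catch (NullPointerException e) {
            System.out.println("unsafe check threw NPE, which the server surfaced as a 500");
        }
        System.out.println("safe check: " + safeCheck(partial));

        update(stored, partial);
        System.out.println("description now: " + stored.description);
        System.out.println("service account still enabled: " + stored.serviceAccountsEnabled);
    }
}
```

Run it with `java NullMeansUnchanged.java`. The practical rule that falls out of the thread: every getter on a representation that returns a boxed Boolean must be read with a null check (Boolean.TRUE.equals or an explicit != null), and the update path must never write a default over a field the caller did not send.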
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151112/9adade31/attachment-0001.html

From sthorger at redhat.com Thu Nov 12 09:59:37 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 12 Nov 2015 15:59:37 +0100 Subject: [keycloak-user] Issue (500 Internal Server Error) with "Update the client" via Admin REST API In-Reply-To: <5644A03E.50209@redhat.com> References: <56448246.90706@redhat.com> <56449201.3080807@redhat.com> <564496D5.8030200@redhat.com> <564497F5.9050907@redhat.com> <5644A03E.50209@redhat.com> Message-ID:

On 12 November 2015 at 15:20, Stan Silvert wrote: > On 11/12/2015 8:59 AM, Stian Thorgersen wrote: > > Not sure why this is turning into a lengthy discussion, but null in the > representation has a meaning. If you look at how it's implemented the lack > of a value (it's set to null) results in setting the default value only if > creating a new entity. If updating an existing entity a null value is > simply ignored. If you initialize these in the representation you will end > up overriding existing values. The idea is that someone can update a single > value without having to include all existing values. > > So at the beginning I said it would be rare for us to want the default to > be null. That's where I was mistaken. It's good that we had the > discussion because I needed to know that null has that meaning. > > Part of this is Java's fault. A Boolean with three values isn't really > Boolean. George Boole is probably rolling over in his grave. >

Not really. It's an object reference so it can be set to null. It's incredibly useful and without it Java would be horrible. You'd have to have a separate boolean (isMyBooleanSet?)

> > > On 12 November 2015 at 14:45, Stan Silvert wrote: > >> On 11/12/2015 8:41 AM, Stian Thorgersen wrote: >> >> The bug is simply caused by not checking for null >> >> Seriously? So every time you call a getter on a Representation you have >> to check for null?
>> >> If a Boolean should not be null then initialize it properly or use boolean.
>>
>> On 12 November 2015 at 14:40, Stan Silvert wrote:
>>
>>> On 11/12/2015 8:33 AM, Stian Thorgersen wrote:
>>>
>>> RepresentationToModel
>>>
>>> The bug happened before RepresentationToModel could be called. That's why we need to initialize variables properly.
>>>
>>> On 12 November 2015 at 14:20, Stan Silvert wrote:
>>>
>>>> On 11/12/2015 7:39 AM, Stian Thorgersen wrote:
>>>>
>>>> On 12 November 2015 at 13:12, Stan Silvert wrote:
>>>>
>>>>> Funny. I just ran into that exact NPE yesterday but I thought it was a state that was caused by my new code. So I only fixed it in that one representation class. But I'm not ready to merge that yet.
>>>>>
>>>>> We really need to go through all the representations and set defaults for all instance variables of type Boolean. It's probably rare that we would want that default to be null. Even if it should be null we should say so explicitly.
>>>>
>>>> -1 We want them to be null. We set defaults elsewhere
>>>>
>>>> Where?
>>>>
>>>>> Stan
>>>>>
>>>>> On 11/12/2015 5:42 AM, Stian Thorgersen wrote:
>>>>>
>>>>> That's a bug. It's failing on "if (rep.isServiceAccountsEnabled() ..)", but serviceAccountsEnabled in the representation can be null, which would result in this NPE.
>>>>>
>>>>> Can you create a JIRA please? If you did a PR as well that'd be even better :)
>>>>>
>>>>> On 12 November 2015 at 10:58, Juraj Janosik wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I want to announce an issue with "Update the client" via Admin REST API.
>>>>>>
>>>>>> *Description:* I want to change the description for existing client #3.
>>>>>>
>>>>>> *Note:* From the documentation ("Update the client"), body parameter attributes are required in schema "ClientRepresentation". Description of schema "ClientRepresentation" notes for any mandatory attribute.
>>>>>>
>>>>>> Are some parameters mandatory for successfully running of this scenario?
>>>>>>
>>>>>> *Tested scenario:*
>>>>>> *Tested data:*
>>>>>> "Update Client":
>>>>>>
>>>>>> "method":"PUT","url":":/auth/admin/realms//clients/3"
>>>>>> "headers":
>>>>>> [["Content-Type","application/json"],
>>>>>> ["Authorization","Bearer ]]
>>>>>> "body":
>>>>>> "{
>>>>>> "id":"3",
>>>>>> "clientId":"testclient-3",
>>>>>> "name": "testclient-3",
>>>>>> "description": "TESTCLIENT-3 v.2"
>>>>>> }"
>>>>>>
>>>>>> *Test Result:* Status Code: 500 Internal Server Error
>>>>>>
>>>>>> *Some parts from console logs:*
>>>>>> 10:35:31,591 ERROR [io.undertow.request] (default task-18) UT005023: Exception handling request to /auth/admin/realms/universities/clients/3: java.lang.RuntimeException: request path: /auth/admin/realms/universities/clients/3
>>>>>> ...
>>>>>> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)
>>>>>> ... 29 more
>>>>>> *Caused by: java.lang.NullPointerException*
>>>>>> at org.keycloak.services.resources.admin.ClientResource.update(ClientResource.java:106)
>>>>>>
>>>>>> Thanks a lot.
>>>>>>
>>>>>> Best Regards,
>>>>>> Juraj
>>>>>>
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From ssilvert at redhat.com Thu Nov 12 10:06:58 2015
From: ssilvert at redhat.com (Stan Silvert)
Date: Thu, 12 Nov 2015 10:06:58 -0500
Subject: [keycloak-user] Issue (500 Internal Server Error) with "Update the client" via Admin REST API
In-Reply-To:
References: <56448246.90706@redhat.com> <56449201.3080807@redhat.com> <564496D5.8030200@redhat.com> <564497F5.9050907@redhat.com> <5644A03E.50209@redhat.com>
Message-ID: <5644AB12.1060901@redhat.com>

On 11/12/2015 9:59 AM, Stian Thorgersen wrote:
>
> On 12 November 2015 at 15:20, Stan Silvert wrote:
>
> On 11/12/2015 8:59 AM, Stian Thorgersen wrote:
>> Not sure why this is turning into a lengthy discussion, but null in the representation has a meaning. If you look at how it's implemented the lack of a value (it's set to null) results in setting the default value only if creating a new entity. If updating an existing entity a null value is simply ignored. If you initialize these in the representation you will end up overriding existing values. The idea is that someone can update a single value without having to include all existing values.
> So at the beginning I said it would be rare for us to want the default to be null. That's where I was mistaken. It's good that we had the discussion because I needed to know that null has that meaning.
>
> Part of this is Java's fault. A Boolean with three values isn't really Boolean. George Boole is probably rolling over in his grave.
>
> Not really. It's an object reference so can be set to null. It's incredibly useful and without it Java would be horrible. You'd have to have a separate boolean (isMyBooleanSet?)

I was speaking tongue-in-cheek. However, combined with autoboxing, it's error-prone. That's the bug we saw here.

>> On 12 November 2015 at 14:45, Stan Silvert wrote:
>>
>> On 11/12/2015 8:41 AM, Stian Thorgersen wrote:
>>> The bug is simply caused by not checking for null
>> Seriously? So every time you call a getter on a Representation you have to check for null?
>>
>> If a Boolean should not be null then initialize it properly or use boolean.
>>
>>> On 12 November 2015 at 14:40, Stan Silvert wrote:
>>>
>>> On 11/12/2015 8:33 AM, Stian Thorgersen wrote:
>>>> RepresentationToModel
>>> The bug happened before RepresentationToModel could be called. That's why we need to initialize variables properly.

From sthorger at redhat.com Thu Nov 12 10:09:07 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 12 Nov 2015 16:09:07 +0100
Subject: [keycloak-user] How to implement long user sso sessions with reauthentication for important actions?
In-Reply-To: <56449B99.2070006@redhat.com>
References: <5644910D.9020100@redhat.com> <56449B99.2070006@redhat.com>
Message-ID:

Dunno ;)

On 12 November 2015 at 15:00, Vlastimil Elias wrote:
> BTW even SAML2 protocol has ForceAuthn="true" attribute in the AuthnRequest. Is it supported in Keycloak?
>
> Vl.
> On 12.11.2015 14:39, Stian Thorgersen wrote:
>
> On 12 November 2015 at 14:15, Vlastimil Elias <velias at redhat.com> wrote:
>
>> Hi,
>>
>> I'd like to use long session authentication mechanism known from many sites like google, facebook, linked in etc.
>> It is about really long user SSO sessions (eg. weeks or even months) with reauthentication for important actions when last authentication timestamp is older than some limit.
>>
>> Is this somehow possible with current Keycloak server and Keycloak adapters?
>>
>> I see few subquestions in this problem for our use:
>>
>> *****
>> open-id connect protocol defines few auth request parameters to support this use case, mainly max_age or prompt=login. Are they correctly implemented in Keycloak server?
>
> We don't have support for max_age and we only support prompt=none so these would have to be added
>
>> *****
>> Wildfly/EAP adapter - is it possible and is there some example how to use "reauth if auth is older than 30min" action in Java app secured by this adapter? Or is info about last auth timestamp somehow available in the app?
>
> We don't set auth_time claim ATM so answer is no
>
>> *****
>> Keycloak user account application itself - it is part of the Keycloak server, but it contains sensitive actions which typically require reauthentication in this long session scheme (password change, email change, ...). Is it somehow possible to configure Keycloak to force timeout reauth for this app?
>
> Not at the moment - but if we add what you want it would also make sense to add that. Would need to be configurable through the admin console. Would also be nice to have the same for the admin console itself.
>
>> Thanks in advance
>>
>> Vl.
>
> --
> Vlastimil Elias
> Principal Software Engineer
> Developer Portal Engineering Team

From srossillo at smartling.com Thu Nov 12 10:33:55 2015
From: srossillo at smartling.com (Scott Rossillo)
Date: Thu, 12 Nov 2015 10:33:55 -0500
Subject: [keycloak-user] can not delete user using REST API -401 unauthorized.
In-Reply-To:
References: <564452CF.5080708@redhat.com>
Message-ID: <780EE25E-31BE-4F89-B686-8DCC80F16A02@smartling.com>

urlForDeleteUser must match the same port the access token was issued for. I'll just say the token has port 9912 in it. Not sure if your real urlForDeleteUser URL does.

FYI - you tried to obscure your host info but access tokens are not encrypted.
Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Nov 12, 2015, at 9:16 AM, harsh mahey wrote:
>
> So this is what i see in my header
>
> ********
> entity:<{Content-Type=[application/json], Authorization=[Bearer eyJhbGciOiJSUzI1NiJ9.[payload elided].[signature elided]]}>
> *******
>
> Here is my updated code
>
> *********
> public boolean deleteUser(String userId) {
>     AccessTokenResponse accessTokenResponse = getToken();
>     org.springframework.http.HttpEntity entity = new org.springframework.http.HttpEntity
>     System.out.println("entity:"+entity);
>     RestTemplate restTemplate = new RestTemplate();
>     String urlForDeleteUser = "http://XXXX.com:XXX/auth/admin/realms/MyAppsRealm/users/" + userId;
>     System.out.println(urlForDeleteUser);
>     restTemplate.delete(urlForDeleteUser, entity,String.class);
>     System.out.println("done");
>     return true;
> }
> ********
>
> On Thu, Nov 12, 2015 at 1:50 AM, Marek Posolda wrote:
> What's the output of the "System.out.println(httpHeaders);" command?
>
> Basically you need to include Authorization header with the content like:
>
> Authorization: Bearer your-access-token-here
>
> TBH I am not familiar with spring http client library you're using, so not sure if you're sending headers correctly.
>
> Marek
>
> On 12/11/15 01:08, harsh mahey wrote:
>> I am getting 401 Unauthorized when I'm trying to delete a user. I was able to create the user with this id. And i am able to delete the user using Advanced REST Chrome client using same DELETE URL.
>>
>> Can you guide what am i doing wrong here.
>>
>> Thanks
>>
>> *****************ERROR***********************************************************
>> org.springframework.web.client.HttpClientErrorException: 401 Unauthorized
>>     at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:91)
>>     at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:641)
>>     at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:597)
>>     at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:557)
>>     at org.springframework.web.client.RestTemplate.delete(RestTemplate.java:429)
>>     at com.snrapps.mwp.domain.security.KeyCloakAdminAdapter.deleteUser(KeyCloakAdminAdapter.java:256)
>>     at com.snrapps.mwp.domain.security.KeyCloakAdminAdapter.main(KeyCloakAdminAdapter.java:55)
>>
>> *****************CODE**************************************************************
>> public boolean deleteUser(String userId) {
>>     AccessTokenResponse accessTokenResponse = getToken();
>>     org.springframework.http.HttpEntity entity = new org.springframework.http.HttpEntity(getHeaders(accessTokenResponse.getToken()));
>>     HttpHeaders httpHeaders=entity.getHeaders();
>>     System.out.println(httpHeaders);
>>     RestTemplate restTemplate = new RestTemplate();
>>     String urlForDeleteUser = "http://XXXXX.com:XXXX/auth/admin/realmsMyAppsRealm/users/" + userId;
>>     System.out.println(urlForDeleteUser);
>>     restTemplate.delete(urlForDeleteUser, entity);
>>     System.out.println("done");
>>     return true;
>> }
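Scott's two points above, that an access token is signed but readable by anyone holding it, and that the admin URL you call must match the scheme, host and port the token was issued for, as an added example that is not part of the thread (Python rather than the poster's Spring code; the token, host sso.example.com, ports 9912/9322 and realm name are constructed placeholders):

```python
import base64
import json
from urllib.parse import urlsplit

# Constructed sample claims (not a real Keycloak token). The issuer carries the
# port the token was issued for, which is exactly what Scott could read off the
# token pasted on the list.
SAMPLE_CLAIMS = {
    "iss": "http://sso.example.com:9912/auth/realms/MyAppsRealm",
    "sub": "a1b2c3d4-constructed",
    "azp": "admin-cli",
    "exp": 1447340000,
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_sample_token(claims: dict) -> str:
    """Assemble a compact JWS with a dummy signature, for inspection only."""
    header = {"alg": "RS256"}  # same header as the token pasted on the list
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    return ".".join([
        _b64url_encode(compact(header)),
        _b64url_encode(compact(claims)),
        _b64url_encode(b"constructed-dummy-signature"),
    ])


SAMPLE_TOKEN = build_sample_token(SAMPLE_CLAIMS)


def peek_jwt(token: str) -> tuple:
    """Decode header and claims WITHOUT checking the signature.

    A JWS is signed, not encrypted, so every claim is readable by whoever holds
    the token; use the result for diagnostics only, never for authorization.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with 3 dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def _effective_port(url) -> int:
    if url.port is not None:
        return url.port
    return 443 if url.scheme == "https" else 80


def _realm_from_path(path: str):
    # ".../realms/<realm>[/...]" -> "<realm>", for issuer and admin URLs alike
    segments = [s for s in path.split("/") if s]
    if "realms" in segments:
        idx = segments.index("realms")
        if idx + 1 < len(segments):
            return segments[idx + 1]
    return None


def check_admin_call(token: str, admin_url: str) -> tuple:
    """Return (ok, reason): does the token's issuer fit the admin URL about to
    be called? Per Scott's note the URL must match the port (and host) the
    token was issued for, so comparing them up front explains a 401 before
    the request is sent."""
    _, claims = peek_jwt(token)
    iss = urlsplit(claims.get("iss", ""))
    req = urlsplit(admin_url)
    if (iss.scheme, iss.hostname) != (req.scheme, req.hostname):
        return False, f"issuer {iss.scheme}://{iss.hostname} != request {req.scheme}://{req.hostname}"
    if _effective_port(iss) != _effective_port(req):
        return False, f"issuer port {_effective_port(iss)} != request port {_effective_port(req)}"
    if _realm_from_path(iss.path) != _realm_from_path(req.path):
        return False, f"token realm {_realm_from_path(iss.path)!r} != request realm {_realm_from_path(req.path)!r}"
    return True, "issuer and request agree on scheme, host, port and realm"


if __name__ == "__main__":
    header, claims = peek_jwt(SAMPLE_TOKEN)
    print("alg:", header["alg"], "| iss:", claims["iss"])  # readable with no key at all
    for url in ("http://sso.example.com:9912/auth/admin/realms/MyAppsRealm/users/42",
                "http://sso.example.com:9322/auth/admin/realms/MyAppsRealm/users/42"):
        print(url, "->", check_admin_call(SAMPLE_TOKEN, url))
```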
From tdudgeon.ml at gmail.com Thu Nov 12 10:41:15 2015
From: tdudgeon.ml at gmail.com (Tim Dudgeon)
Date: Thu, 12 Nov 2015 15:41:15 +0000
Subject: [keycloak-user] tomcat libs dir
Message-ID: <5644B31B.2000807@gmail.com>

When deploying the Tomcat adapter (presumably the same applies to other containers) I find that the 3rd party libs needed by the Keycloak adapter can clash with different versions of the same libs deployed with a web app. For instance I just needed to spend quite a bit of time finding out why a webapp would not deploy, and it resulted from bcprov-jdk15on-1.50.jar provided by Keycloak, and hence in the Tomcat lib dir, and bcprov-jdk15on-1.53.jar in my application and hence in the webapp's WEB-INF/lib dir.
Some of these 3rd-party libs are quite common and might be expected in many web apps.

The docs state that the Keycloak libs must be deployed to the lib dir. Presumably there's no way round that and hence no way around potential conflicts?

Tim

From bburke at redhat.com Thu Nov 12 15:06:42 2015
From: bburke at redhat.com (Bill Burke)
Date: Thu, 12 Nov 2015 15:06:42 -0500
Subject: [keycloak-user] tomcat libs dir
In-Reply-To: <5644B31B.2000807@gmail.com>
References: <5644B31B.2000807@gmail.com>
Message-ID: <5644F152.6020700@redhat.com>

Honestly, I don't remember if the keycloak jars can be contained in your WAR as the different versions of Jetty and Tomcat are a blur to me at this time. I do think I had to do it that way for Tomcat. Keycloak runs as a valve and has to have visibility to other Tomcat system classes.

On 11/12/2015 10:41 AM, Tim Dudgeon wrote:
> When deploying the Tomcat adapter (presumably the same applies to other containers) I find that the 3rd party libs needed by the Keycloak adapter can clash with different versions of the same libs deployed with a web app.
> For instance I just needed to spend quite a bit of time finding out why a webapp would not deploy, and it resulted from bcprov-jdk15on-1.50.jar provided by Keycloak, and hence in the Tomcat lib dir, and bcprov-jdk15on-1.53.jar in my application and hence in the webapp's WEB-INF/lib dir.
> Some of these 3rd-party libs are quite common and might be expected in many web apps.
>
> The docs state that the Keycloak libs must be deployed to the lib dir. Presumably there's no way round that and hence no way around potential conflicts?

IIRC, there's not much classloader isolation you can do in Tomcat. Jars in WEB-INF/lib are supposed to take precedence over those in system classpath.

I don't remember exactly, but I believe that keycloak jars and dependencies needed to be in tomcat lib dir because Keycloak runs as a valve and has to have visibility to other Tomcat system classes. I'm just not sure how else we can solve this issue. If you have any suggestions that would be great.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From tdudgeon.ml at gmail.com Thu Nov 12 15:25:01 2015
From: tdudgeon.ml at gmail.com (Tim Dudgeon)
Date: Thu, 12 Nov 2015 20:25:01 +0000
Subject: [keycloak-user] tomcat libs dir
In-Reply-To: <5644F152.6020700@redhat.com>
References: <5644B31B.2000807@gmail.com> <5644F152.6020700@redhat.com>
Message-ID: <5644F59D.7020102@gmail.com>

Even if it can be moved inside the WAR that doesn't really solve the problem. You still have the potential clash of xyzlib-0_1_2.jar (specified by Keycloak) with xyzlib-0_1_3.jar (specified by webapp).

On 12/11/2015 20:06, Bill Burke wrote:
> Honestly, I don't remember if the keycloak jars can be contained in your WAR as the different versions of Jetty and Tomcat are a blur to me at this time. I do think I had to do it that way for Tomcat. Keycloak runs as a valve and has to have visibility to other Tomcat system classes.
>
> IIRC, there's not much classloader isolation you can do in Tomcat. Jars in WEB-INF/lib are supposed to take precedence over those in system classpath.
>
> I don't remember exactly, but I believe that keycloak jars and dependencies needed to be in tomcat lib dir because Keycloak runs as a valve and has to have visibility to other Tomcat system classes. I'm just not sure how else we can solve this issue. If you have any suggestions that would be great.

From bburke at redhat.com Thu Nov 12 16:42:20 2015
From: bburke at redhat.com (Bill Burke)
Date: Thu, 12 Nov 2015 16:42:20 -0500
Subject: [keycloak-user] tomcat libs dir
In-Reply-To: <5644F59D.7020102@gmail.com>
References: <5644B31B.2000807@gmail.com> <5644F152.6020700@redhat.com> <5644F59D.7020102@gmail.com>
Message-ID: <564507BC.8050909@redhat.com>

Like I said, there's not much you can do about that because Tomcat's classloader isolation is limited. We don't have that problem with JBoss/Wildfly. I'm not sure what you want us to do as we need these third-party libs for the adapter to function.
What you could do is attempt to replace our dependency with whatever version you are using. I do know that Jackson 1.x can coexist with Jackson 2.x. Not sure about bouncycastle and Apache HTTP Client.

On 11/12/2015 3:25 PM, Tim Dudgeon wrote:
> Even if it can be moved inside the WAR that doesn't really solve the problem.
> You still have the potential clash of xyzlib-0_1_2.jar (specified by Keycloak) with xyzlib-0_1_3.jar (specified by webapp).
>
> On 12/11/2015 20:06, Bill Burke wrote:
>> Honestly, I don't remember if the keycloak jars can be contained in your WAR as the different versions of Jetty and Tomcat are a blur to me at this time. I do think I had to do it that way for Tomcat. Keycloak runs as a valve and has to have visibility to other Tomcat system classes.
>>
>> IIRC, there's not much classloader isolation you can do in Tomcat. Jars in WEB-INF/lib are supposed to take precedence over those in system classpath.
>>
>> I don't remember exactly, but I believe that keycloak jars and dependencies needed to be in tomcat lib dir because Keycloak runs as a valve and has to have visibility to other Tomcat system classes. I'm just not sure how else we can solve this issue. If you have any suggestions that would be great.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From chenkeong.yap at izeno.com Thu Nov 12 16:47:48 2015
From: chenkeong.yap at izeno.com (chenkeong.yap at izeno.com)
Date: Fri, 13 Nov 2015 05:47:48 +0800
Subject: [keycloak-user] Spring Security SAML Extension
In-Reply-To:
References:
Message-ID: <2CE7F27E-3D9D-43CD-A6A6-7297E4AED8EF@izeno.com>

hi bill,

can you advise?

Regards,
CK Yap

> On 12 Nov 2015, at 3:21 PM, Chen Keong Yap wrote:
>
> Hi Guys,
>
> Did you manage to integrate Spring Security SAML Extension (http://projects.spring.io/spring-security-saml/) with Keycloak instead of using spring security adapter provided by Keycloak?
>
> We have a requirement to use SAML auth with spring security but spring security adapter provided by Keycloak only supports open id connect

From bburke at redhat.com Thu Nov 12 16:49:48 2015
From: bburke at redhat.com (Bill Burke)
Date: Thu, 12 Nov 2015 16:49:48 -0500
Subject: [keycloak-user] Spring Security SAML Extension
In-Reply-To: <2CE7F27E-3D9D-43CD-A6A6-7297E4AED8EF@izeno.com>
References: <2CE7F27E-3D9D-43CD-A6A6-7297E4AED8EF@izeno.com>
Message-ID: <5645097C.5010601@redhat.com>

You should be able to use their saml adapter with keycloak.

On 11/12/2015 4:47 PM, chenkeong.yap at izeno.com wrote:
> hi bill,
>
> can you advise?
>
> Regards,
> CK Yap
>
> On 12 Nov 2015, at 3:21 PM, Chen Keong Yap wrote:
>
>> Hi Guys,
>>
>> Did you manage to integrate Spring Security SAML Extension (http://projects.spring.io/spring-security-saml/) with Keycloak instead of using spring security adapter provided by Keycloak?
>>
>> We have a requirement to use SAML auth with spring security but spring security adapter provided by Keycloak only supports open id connect

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From chenkeong.yap at izeno.com Thu Nov 12 17:47:39 2015
From: chenkeong.yap at izeno.com (chenkeong.yap at izeno.com)
Date: Fri, 13 Nov 2015 06:47:39 +0800
Subject: [keycloak-user] Spring Security SAML Extension
In-Reply-To: <5645097C.5010601@redhat.com>
References: <2CE7F27E-3D9D-43CD-A6A6-7297E4AED8EF@izeno.com> <5645097C.5010601@redhat.com>
Message-ID:

hi bill,

but we need to extract username and roles from saml message and inject into userdetails inside spring security. do we need to create a custom auth provider when using saml adapter?

Regards,
CK Yap

> On 13 Nov 2015, at 5:49 AM, Bill Burke wrote:
>
> You should be able to use their saml adapter with keycloak.
>
>> On 11/12/2015 4:47 PM, chenkeong.yap at izeno.com wrote:
>> hi bill,
>>
>> can you advise?
>>
>> Regards,
>> CK Yap
>>
>> On 12 Nov 2015, at 3:21 PM, Chen Keong Yap wrote:
>>
>>> Hi Guys,
>>>
>>> Did you manage to integrate Spring Security SAML Extension (http://projects.spring.io/spring-security-saml/) with Keycloak instead of using spring security adapter provided by Keycloak?
>>>
>>> We have a requirement to use SAML auth with spring security but spring security adapter provided by Keycloak only supports open id connect
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From bburke at redhat.com Thu Nov 12 17:56:18 2015
From: bburke at redhat.com (Bill Burke)
Date: Thu, 12 Nov 2015 17:56:18 -0500
Subject: [keycloak-user] Spring Security SAML Extension
In-Reply-To:
References: <2CE7F27E-3D9D-43CD-A6A6-7297E4AED8EF@izeno.com> <5645097C.5010601@redhat.com>
Message-ID: <56451912.9020708@redhat.com>

I have never used the Spring SAML adapter, so I don't know what they support. If they have a SAML adapter, I'm sure you can get it to work.

On 11/12/2015 5:47 PM, chenkeong.yap at izeno.com wrote:
> hi bill,
>
> but we need to extract username and roles from saml message and inject into userdetails inside spring security. do we need to create a custom auth provider when using saml adapter?
>
> Regards,
> CK Yap
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From jahenao at itroisolutions.com Thu Nov 12 18:04:12 2015
From: jahenao at itroisolutions.com (Jairo Alonso Henao Rojas)
Date: Thu, 12 Nov 2015 23:04:12 +0000
Subject: [keycloak-user] How to validate required for custom fields
Message-ID:

Hello,

I added several custom fields in the registration form; how can I make them required? See attached fields in register form.

Thanks

Jairo Henao Rojas

A non-text attachment was scrubbed... Name: register.ftl Type: application/octet-stream Size: 12022 bytes Desc: register.ftl Url: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151112/daf0b121/attachment.obj

From velias at redhat.com Fri Nov 13 02:04:47 2015
From: velias at redhat.com (Vlastimil Elias)
Date: Fri, 13 Nov 2015 08:04:47 +0100
Subject: [keycloak-user] How to implement long user sso sessions with reauthentication for important actions?
In-Reply-To:
References: <5644910D.9020100@redhat.com> <56449B99.2070006@redhat.com>
Message-ID: <56458B8F.9020602@redhat.com>

I looked into source code and it looks like ForceAuthn is not supported. Even isPassive (equivalent of prompt=none) looks like unsupported in Keycloak SAML protocol endpoint.

Will do JIRAs for all these things, and maybe implement something ;-)

Vl.

On 12.11.2015 16:09, Stian Thorgersen wrote:
> Dunno ;)
>
> On 12 November 2015 at 15:00, Vlastimil Elias wrote:
>
> BTW even SAML2 protocol has ForceAuthn="true" attribute in the AuthnRequest.
> Is it supported in Keycloak?
>
> Vl.
>
> --
> Vlastimil Elias
> Principal Software Engineer
> Developer Portal Engineering Team

--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team

From lkrzyzan at redhat.com Fri Nov 13 05:47:19 2015
From: lkrzyzan at redhat.com (Libor Krzyzanek)
Date: Fri, 13 Nov 2015 11:47:19 +0100
Subject: [keycloak-user] Login redirects in KC 1.6
Message-ID: <7EE4B962-9B1A-402B-8A86-C91E6D4AF44A@redhat.com>

Hi,

I just realized how many redirects happen when I hit the login button. On KC 1.2 there was just one http post and that's it. Now on KC 1.6 I see the following redirects:

- POST /auth/realms/rhd/login-actions/authenticate?code=DArGN8ahUbUNezHDrGU0eBdzME3yJLzNi9C7Rh3fmv0.bf31e3e7-291e-4af8-ba60-23c562813bd1&execution=7eedb65f-1f55-4ca9-863a-8f4951a3d805
-> /auth/realms/rhd/login-actions/authenticate?code=DArGN8ahUbUNezHDrGU0eBdzME3yJLzNi9C7Rh3fmv0.bf31e3e7-291e-4af8-ba60-23c562813bd1
-> /auth/realms/rhd/login-actions/required-action?code=x3p6FRPUGzSOEcwdfOdH_y87tFp6kdv3eMnBdAeNURk.bf31e3e7-291e-4af8-ba60-23c562813bd1
-> /auth/realms/rhd/account/login-redirect?code=x04AO-tQJB69EfKe6unU1UkHupW6bGkLxJ1Cov-Abf8.bf31e3e7-291e-4af8-ba60-23c562813bd1&state=0%2Ffdb40d87-d522-43a5-820a-66cdba051607
GET /auth/realms/rhd/account/

So I see 3 additional redirects. Is it expected? Can it be somehow minimized to give better performance? Every redirect can generate in reality approx. 300 ms, which is almost 1 second just because of redirects.
Thanks,

Libor Krzyžanek
jboss.org Development Team

From tdudgeon.ml at gmail.com Fri Nov 13 05:50:53 2015
From: tdudgeon.ml at gmail.com (Tim Dudgeon)
Date: Fri, 13 Nov 2015 10:50:53 +0000
Subject: [keycloak-user] tomcat libs dir
In-Reply-To: <564507BC.8050909@redhat.com>
References: <5644B31B.2000807@gmail.com> <5644F152.6020700@redhat.com> <5644F59D.7020102@gmail.com> <564507BC.8050909@redhat.com>
Message-ID: <5645C08D.1020503@gmail.com>

Agreed. I don't think anything can be "done" about this. If using a valve the classes need to be in Tomcat's lib dir, and will potentially clash with anything in the webapp's WEB-INF/lib. Just something people need to be aware of.

On 12/11/2015 21:42, Bill Burke wrote:
> Like I said, there's not much you can do about that because Tomcat's
> classloader isolation is limited. We don't have that problem with
> JBoss/Wildfly. I'm not sure what you want us to do as we need these
> third-party libs for the adapter to function. What you could do is
> attempt to replace our dependency with whatever version you are using.
> I do know that Jackson 1.x can coexist with Jackson 2.x. Not sure about
> bouncycastle and Apache HTTP Client.
>
> On 11/12/2015 3:25 PM, Tim Dudgeon wrote:
>> Even if it can be moved inside the WAR that doesn't really solve the
>> problem.
>> You still have the potential clash of xyzlib-0_1_2.jar (specified by
>> Keycloak) with xyzlib-0_1_3.jar (specified by webapp).
>>
>> On 12/11/2015 20:06, Bill Burke wrote:
>>> Honestly, I don't remember if the keycloak jars can be contained in your
>>> WAR as the different versions of Jetty and Tomcat are a blur to me at
>>> this time. I do think I had to do it that way for Tomcat. Keycloak
>>> runs as a valve and has to have visibility to other Tomcat system classes.
>>>
>>> On 11/12/2015 10:41 AM, Tim Dudgeon wrote:
>>>> When deploying the Tomcat adapter (presumably the same applies to other
>>>> containers) I find that the 3rd party libs needed by the Keycloak
>>>> adapter can clash with different versions of the same libs deployed with
>>>> a web app. For instance I just needed to spend quite a bit of time
>>>> finding out why a webapp would not deploy, and it resulted from
>>>> bcprov-jdk15on-1.50.jar provided by Keycloak, and hence in the Tomcat
>>>> lib dir, and bcprov-jdk15on-1.53.jar in my application, and hence in the
>>>> webapp's WEB-INF/lib dir.
>>>> Some of these 3rd party libs are quite common and might be expected in
>>>> many web apps.
>>>>
>>>> The docs state that the Keycloak libs must be deployed to the lib dir.
>>>> Presumably there's no way round that and hence no way around potential
>>>> conflicts?
>>>>
>>> IIRC, there's not much classloader isolation you can do in Tomcat. jars
>>> in WEB-INF/lib are supposed to take precedence over those in system
>>> classpath.
>>>
>>> I don't remember exactly, but I believe that keycloak jars and
>>> dependencies needed to be in tomcat lib dir because Keycloak runs as a
>>> valve and has to have visibility to other Tomcat system classes. I'm
>>> just not sure how else we can solve this issue. If you have any
>>> suggestions that would be great.
>>>

From bburke at redhat.com Fri Nov 13 08:59:10 2015
From: bburke at redhat.com (Bill Burke)
Date: Fri, 13 Nov 2015 08:59:10 -0500
Subject: [keycloak-user] Login redirects in KC 1.6
In-Reply-To: <7EE4B962-9B1A-402B-8A86-C91E6D4AF44A@redhat.com>
References: <7EE4B962-9B1A-402B-8A86-C91E6D4AF44A@redhat.com>
Message-ID: <5645ECAE.4080905@redhat.com>

Not sure if I can optimize it, I can try.
This change was instituted to fix the browser refresh button issues. I'll forward you the email.

On 11/13/2015 5:47 AM, Libor Krzyzanek wrote:
> [...]

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From ado.boj.83 at gmail.com Fri Nov 13 09:17:19 2015
From: ado.boj.83 at gmail.com (Andrej Prievalsky)
Date: Fri, 13 Nov 2015 15:17:19 +0100
Subject: [keycloak-user] Issue (500 Internal Server Error) with "Update the events provider" via Admin REST API

I report an issue with "Update the events provider" via Admin REST API. I want to add Event Listeners: email.
via PUT http://:/auth/admin/realms/universities/events/config with body

{"eventsListeners":[ "email" ]}

But I got

Status Code: 500 Internal Server Error

2015-11-13 15:06:53,182 ERROR [io.undertow.request] (default task-11) UT005023: Exception handling request to /auth/admin/realms/universities/events/config: java.lang.RuntimeException: request path: /auth/admin/realms/universities/events/config
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:75)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)
    ... 29 more
Caused by: java.lang.NullPointerException
    at org.keycloak.services.managers.RealmManager.updateRealmEventsConfig(RealmManager.java:225)
    at org.keycloak.services.resources.admin.RealmAdminResource.updateRealmEventsConfig(RealmAdminResource.java:397)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
    ... 37 more

From bstoke69 at gmail.com Fri Nov 13 22:29:27 2015
From: bstoke69 at gmail.com (David Hay)
Date: Fri, 13 Nov 2015 22:29:27 -0500
Subject: [keycloak-user] Hybrid flow

Hi,

Newbie here...

We're needing to secure an AngularJS application hitting our REST API (and supporting customers hitting it directly).

I believe in this situation we need to utilize the Hybrid flow as there is no way to secure the secret in AngularJS.

Does Keycloak support this?

Thanks!

From bburke at redhat.com Sat Nov 14 08:45:14 2015
From: bburke at redhat.com (Bill Burke)
Date: Sat, 14 Nov 2015 08:45:14 -0500
Subject: [keycloak-user] Hybrid flow
Message-ID: <56473AEA.3030201@redhat.com>

We call these public clients and it's the way our admin console works. Use our javascript adapter to obtain a token and make XHR requests to the server with the token.

On 11/13/2015 10:29 PM, David Hay wrote:
> [...]
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From sebastian.olscher at traveltainment.de Mon Nov 16 03:50:26 2015
From: sebastian.olscher at traveltainment.de (Sebastian Olscher)
Date: Mon, 16 Nov 2015 08:50:26 +0000
Subject: [keycloak-user] No email send out while creation of ne user
Message-ID: <5C3DDBFAC4DBF04084678703EC0AC294252B0EE4@EX-TT-AC-02.traveltainment.int>

Hello,

when I create a new user in the admin console of keycloak no email is sent out. Neither when I add "required user actions" such as "verify email" in the user creation dialog. The only possibility to send emails is to change to the credentials dialog within the user profile and click the "send email" button.

Is this a wanted behaviour that no email is sent when the user is created or is this a bug? From my understanding it would be helpful to send the email directly while creating a user.

Thanks,
Sebastian

From sthorger at redhat.com Mon Nov 16 03:56:39 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 16 Nov 2015 09:56:39 +0100
Subject: [keycloak-user] No email send out while creation of ne user
In-Reply-To: <5C3DDBFAC4DBF04084678703EC0AC294252B0EE4@EX-TT-AC-02.traveltainment.int>
References: <5C3DDBFAC4DBF04084678703EC0AC294252B0EE4@EX-TT-AC-02.traveltainment.int>

On 16 November 2015 at 09:50, Sebastian Olscher <sebastian.olscher at traveltainment.de> wrote:
> Hello,
>
> when I create a new user in the admin console of keycloak no email is sent
> out. Neither when I add "required user actions" such as "verify email" in
> the user creation dialog.
> The only possibility to send emails is to change
> to the credentials dialog within the user profile and click the "send
> email" button.

Try to login with the newly created user. After the user has entered username+password the verify email is sent and the user can't complete the login until the email address is verified.

> Is this a wanted behaviour that no email is sent when the user is
> created or is this a bug? From my understanding it would be helpful to send
> the email directly while creating a user.

No, it's the expected behavior. Verify email and other actions have limited life span so it makes little sense to send these out when the user is created. It's much better to send these when the user is actually trying to use the account.

BTW verify email is not a welcome or account created email, it's explicitly about the user verifying the email alone. For a welcome email it would make sense to send it when the user is created. We have an outstanding jira to add that.

Rerq

> Thanks,
> Sebastian

From sebastian.olscher at traveltainment.de Mon Nov 16 05:32:42 2015
From: sebastian.olscher at traveltainment.de (Sebastian Olscher)
Date: Mon, 16 Nov 2015 10:32:42 +0000
Subject: [keycloak-user] No email send out while creation of ne user
References: <5C3DDBFAC4DBF04084678703EC0AC294252B0EE4@EX-TT-AC-02.traveltainment.int>
Message-ID: <5C3DDBFAC4DBF04084678703EC0AC294252B1199@EX-TT-AC-02.traveltainment.int>

Hello,

if this is an expected behavior, I'm asking myself how do I get knowledge about some essential points:

"Try to login with the newly created user"
How does the user know at which time the account is created and ready for login?
How does the user know the username for the login?
How does the user know the password for the first login?
How does the user know where to login if there might be more than one instance of "keycloak"?

Thanks,
Sebastian

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Monday, November 16, 2015 9:57 AM
To: Sebastian Olscher
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] No email send out while creation of ne user

[...]
From sthorger at redhat.com Mon Nov 16 05:44:13 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 16 Nov 2015 11:44:13 +0100
Subject: [keycloak-user] No email send out while creation of ne user
In-Reply-To: <5C3DDBFAC4DBF04084678703EC0AC294252B1199@EX-TT-AC-02.traveltainment.int>
References: <5C3DDBFAC4DBF04084678703EC0AC294252B0EE4@EX-TT-AC-02.traveltainment.int> <5C3DDBFAC4DBF04084678703EC0AC294252B1199@EX-TT-AC-02.traveltainment.int>

On 16 November 2015 at 11:32, Sebastian Olscher <sebastian.olscher at traveltainment.de> wrote:
> Hello,
>
> if this is an expected behavior, I'm asking myself how do I get knowledge
> about some essential points:
>
> "Try to login with the newly created user"
>
> How does the user know at which time the account is created and ready for
> login?
>
> How does the user know the username for the login?
>
> How does the user know the password for the first login?
>
> How does the user know where to login if there might be more than one
> instance of "keycloak"?

As I said we don't have support for a "welcome mail" built in ATM. For users manually created through admin console/endpoints you would have to send out your own welcome mail ATM.
>
> Thanks,
> Sebastian
>
> [...]
From johan.heylen.public at gmail.com Mon Nov 16 05:50:59 2015
From: johan.heylen.public at gmail.com (Johan Heylen)
Date: Mon, 16 Nov 2015 11:50:59 +0100
Subject: [keycloak-user] Forgot password flow + TOTP

Hello,

we currently have a keycloak server setup with both TOTP and the forget password (reset-credential) flow active.

When we organize an update password action for a user through the admin panel, he gets an email with a link, and after choosing a new password, the user has to enter the TOTP in the login screens before actually being logged in.

When the user himself organizes a forget password on the login screen, he gets an email with a link, and after choosing a new password, the user DOES NOT have to enter the TOTP in the login screens before actually being logged in.

We want both actions to be the same, or at least always want the TOTP to be entered when logging in.

Can this last part be changed, either through a configuration setting or creating a whole new reset credential flow within the current Keycloak version (1.6.0) or do I need a JIRA ticket for a feature request?

Tnx,

Johan Heylen

From Jukka.Sirvio at mipro.fi Mon Nov 16 06:49:01 2015
From: Jukka.Sirvio at mipro.fi (Jukka Sirviö)
Date: Mon, 16 Nov 2015 11:49:01 +0000
Subject: [keycloak-user] Keycloak saml authentication and authorization

Hello all,

Are there any examples on how to get Keycloak SAML authorization up and running?

Keycloak SAML authentication is already up and running across two distinct web applications.
My SAML authentication already includes a couple of user properties and attributes, but I'm not able to find any info about what is the right and correct way to establish authorization with keycloak saml, saml metadata perhaps?

Could you please point me in the right direction? SAML authorization examples would be great, or is the "picketlink-federation-saml-sp-with-metadata" example all that I need to know?

The reason for the above question is that I want to get rid of our own web-application specific authorization mechanism!

Yes, and the answer to your follow-up question is that our environment is wf 9.0.1 :) ==> wf saml adapter is in use..

Yours:
Jukka

________________________________
This message (including any attachments) may contain confidential information intended for the person or entity to which it is addressed. If you are not the intended recipient, notify the sender and delete this message immediately. Notice that disclosing, copying, distributing or any other use of the message and its information, or taking any action based on it, is strictly prohibited.
________________________________
From lkrzyzan at redhat.com Mon Nov 16 08:13:29 2015
From: lkrzyzan at redhat.com (Libor Krzyzanek)
Date: Mon, 16 Nov 2015 14:13:29 +0100
Subject: [keycloak-user] Login redirects in KC 1.6
In-Reply-To: <5645ECAE.4080905@redhat.com>
References: <7EE4B962-9B1A-402B-8A86-C91E6D4AF44A@redhat.com> <5645ECAE.4080905@redhat.com>
Message-ID: <12CE2EC3-67C5-47CF-BADB-2F01F0A4821F@redhat.com>

Thanks for looking at it.

Libor Krzyžanek
jboss.org Development Team

> On Nov 13, 2015, at 2:59 PM, Bill Burke wrote:
>
> Not sure if I can optimize it, I can try. This change was instituted to
> fix the browser refresh button issues. I'll forward you the email.
>
> On 11/13/2015 5:47 AM, Libor Krzyzanek wrote:
>> [...]
From Frank.vanVeen at planonsoftware.com Mon Nov 16 08:25:12 2015
From: Frank.vanVeen at planonsoftware.com (Frank van Veen)
Date: Mon, 16 Nov 2015 14:25:12 +0100
Subject: [keycloak-user] (no subject)
Message-ID: <16DCFFB91025EF4DB80D3ECCA6E097E4924F830550@NL-MAIL02.planon-fm.com>

Hello,

I am trying to set up a user federation. My project involves an external database.
Currently no user data has to be imported from the external database. Changes in keycloak need to be exported to the external database. We don't want to validate logins against the external database.
Could someone explain to me how to validate a user login against the keycloak database? This would be while using the "validCredentials(RealmModel realm, UserModel user, List input)" method.

Thanks in advance.

Sincerely,
Frank van Veen

From bburke at redhat.com Mon Nov 16 09:10:16 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 16 Nov 2015 09:10:16 -0500
Subject: [keycloak-user] Forgot password flow + TOTP
Message-ID: <5649E3C8.1070800@redhat.com>

You have total control of the forgot password flow. Go to Authentication->Flows. See the reset-credentials flow. You can build your own flow to get the behavior you want.
On 11/16/2015 5:50 AM, Johan Heylen wrote:
> [...]

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From jeff.macomber at modernizingmedicine.com Mon Nov 16 09:10:45 2015
From: jeff.macomber at modernizingmedicine.com (Jeff Macomber)
Date: Mon, 16 Nov 2015 09:10:45 -0500
Subject: [keycloak-user] Accessing RelayState in login.ftl?

Hi,

Is it possible to access the SAML RelayState information in the login.ftl? I would like to pass forward information to allow pre-filling fields in login.ftl (I have customized the login to add more than just user/pass). Since SAML is redirect based, query parameters will not work, and it seems RelayState might be the correct approach here, but I can't figure out how I would get at it in the login.ftl.
IF RelayState is not the correct mechanism, is there another approach for passing info from the client to the login form?

Thanks
Jeff

From bburke at redhat.com Mon Nov 16 09:14:36 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 16 Nov 2015 09:14:36 -0500
Subject: [keycloak-user] Keycloak saml authentication and authorization
Message-ID: <5649E4CC.30403@redhat.com>

The only authorization that we can do right now is at the application through servlet security constraints and Java EE roles. Keycloak now has a SAML client adapter derived from PL SAML SP. There are ways to obtain the attributes propagated with the SAML assertion if you need something more:

http://keycloak.github.io/docs/userguide/saml-client-adapter/html/index.html

Here are the examples that come with the distro:

https://github.com/keycloak/keycloak/tree/master/examples/saml

Ping the list if you need further assistance.

On 11/16/2015 6:49 AM, Jukka Sirviö wrote:
> [...]
>
> Yours:
> Jukka
>
> ------------------------------------------------------------------------
>
> This message (including any attachments) may contain confidential information intended for the person or entity to which it is addressed. If you are not the intended recipient, notify the sender and delete this message immediately. Notice that disclosing, copying, distributing or any other use of the message and its information, or taking any action based on it, is strictly prohibited.
>
> ------------------------------------------------------------------------

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com  Mon Nov 16 09:19:41 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 16 Nov 2015 09:19:41 -0500
Subject: [keycloak-user] Accessing RelayState in login.ftl?
Message-ID: <5649E5FD.60903@redhat.com>

Relay state is stored in the ClientSessionModel:

clientSession.getNote("RelayState");

I don't think ClientSessionModel is visible from login.ftl. You'll have to modify your Authenticator to store a form attribute.

On 11/16/2015 9:10 AM, Jeff Macomber wrote:
> Hi,
>
> Is it possible to access the SAML RelayState information in the login.ftl? I would like to pass forward information to allow pre-filling fields in login.ftl (I have customized the login to add more than just user/pass).
> Since SAML is redirect based, query parameters will not work and it seems RelayState might be the correct approach here, but I can't figure out how I would get at it in the login.ftl. IF RelayState is not the correct mechanism, is there another approach for passing info from the client to the login form?
>
> Thanks
> Jeff

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com  Mon Nov 16 09:23:57 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 16 Nov 2015 09:23:57 -0500
Subject: [keycloak-user] (no subject)
In-Reply-To: <16DCFFB91025EF4DB80D3ECCA6E097E4924F830550@NL-MAIL02.planon-fm.com>
References: <16DCFFB91025EF4DB80D3ECCA6E097E4924F830550@NL-MAIL02.planon-fm.com>
Message-ID: <5649E6FD.8090707@redhat.com>

UserFederationProvider.getSupportedCredentialTypes() specifies which credential types your provider is responsible for validating. Does that answer the question?

On 11/16/2015 8:25 AM, Frank van Veen wrote:
> Hello,
>
> I am trying to set up a user federation. My project involves an external database.
> Currently no user data has to be imported from the external database. Changes in keycloak need to be exported to the external database. We don't want to validate logins against the external database.
> Could someone explain to me how to validate a user login against the keycloak database? This would be while using the "validCredentials(RealmModel realm, UserModel user, List input)" method.
>
> Thanks in advance.
>
> Sincerely,
>
> Frank van Veen

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From Frank.vanVeen at planonsoftware.com  Mon Nov 16 10:21:22 2015
From: Frank.vanVeen at planonsoftware.com (Frank van Veen)
Date: Mon, 16 Nov 2015 16:21:22 +0100
Subject: [keycloak-user] (no subject)
In-Reply-To: <5649E6FD.8090707@redhat.com>
References: <16DCFFB91025EF4DB80D3ECCA6E097E4924F830550@NL-MAIL02.planon-fm.com> <5649E6FD.8090707@redhat.com>
Message-ID: <16DCFFB91025EF4DB80D3ECCA6E097E4924F872047@NL-MAIL02.planon-fm.com>

Hello Bill,

Sorry if my previous mail was not very helpful in describing my problem.

I want to go through the following steps to login:

1. User "Frank" with password "welcome" wants to login using keycloak
2. Keycloak requests whether the user exists on the external database. If this returns true =>
3. Validate the password "welcome" against the password saved in keycloak which belongs to user "Frank".

The problem is that I don't understand how to validate the password "welcome" with the password located in the keycloak database.

Is there a way to request a "UserCredentialModel" and use the value stored in this object to check if passwords match?
Is there a method that I can call that is similar to "ChallengeCredentials(String aPasswordToValidate)" which returns a Boolean?

Sincerely,

Frank van Veen

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke
Sent: Monday 16 November 2015 15:24
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] (no subject)

UserFederationProvider.getSupportedCredentialTypes() specifies which credential types your provider is responsible for validating. Does that answer the question?
On 11/16/2015 8:25 AM, Frank van Veen wrote:
> Hello,
>
> I am trying to set up a user federation. My project involves an external database.
> Currently no user data has to be imported from the external database. Changes in keycloak need to be exported to the external database. We don't want to validate logins against the external database.
> Could someone explain to me how to validate a user login against the keycloak database? This would be while using the "validCredentials(RealmModel realm, UserModel user, List input)" method.
>
> Thanks in advance.
>
> Sincerely,
>
> Frank van Veen

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com  Mon Nov 16 11:03:04 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 16 Nov 2015 11:03:04 -0500
Subject: [keycloak-user] (no subject)
In-Reply-To: <16DCFFB91025EF4DB80D3ECCA6E097E4924F872047@NL-MAIL02.planon-fm.com>
References: <16DCFFB91025EF4DB80D3ECCA6E097E4924F830550@NL-MAIL02.planon-fm.com> <5649E6FD.8090707@redhat.com> <16DCFFB91025EF4DB80D3ECCA6E097E4924F872047@NL-MAIL02.planon-fm.com>
Message-ID: <5649FE38.2020808@redhat.com>

I'm saying you don't need to do anything. Just don't include password in the supported credential types of your UserFederationProvider.

On 11/16/2015 10:21 AM, Frank van Veen wrote:
> Hello Bill,
>
> Sorry if my previous mail was not very helpful in describing my problem.
>
> I want to go through the following steps to login:
>
> 1. User "Frank" with password "welcome" wants to login using keycloak
> 2. Keycloak requests whether the user exists on the external database. If this returns true =>
> 3. Validate the password "welcome" against the password saved in keycloak which belongs to user "Frank".
>
> The problem is that I don't understand how to validate the password "welcome" with the password located in the keycloak database.
>
> Is there a way to request a "UserCredentialModel" and use the value stored in this object to check if passwords match?
> Is there a method that I can call that is similar to "ChallengeCredentials(String aPasswordToValidate)" which returns a Boolean?
>
> Sincerely,
>
> Frank van Veen
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke
> Sent: Monday 16 November 2015 15:24
> To: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] (no subject)
>
> UserFederationProvider.getSupportedCredentialTypes() specifies which credential types your provider is responsible for validating. Does that answer the question?
>
> On 11/16/2015 8:25 AM, Frank van Veen wrote:
>> Hello,
>>
>> I am trying to set up a user federation. My project involves an external database.
>> Currently no user data has to be imported from the external database. Changes in keycloak need to be exported to the external database. We don't want to validate logins against the external database.
>> Could someone explain to me how to validate a user login against the keycloak database? This would be while using the "validCredentials(RealmModel realm, UserModel user, List input)" method.
>>
>> Thanks in advance.
>>
>> Sincerely,
>>
>> Frank van Veen
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From felipe.braun at intelbras.com.br  Mon Nov 16 12:13:10 2015
From: felipe.braun at intelbras.com.br (Felipe Braun Azambuja)
Date: Mon, 16 Nov 2015 15:13:10 -0200
Subject: [keycloak-user] Error upgrading database, 1.2.0.Final to 1.6.1.Final
Message-ID: <564A0EA6.1090208@intelbras.com.br>

Hey all,

I'm trying to upgrade Keycloak in our test instance, but I'm getting a really generic error while trying to start the service:

15:09:35,559 INFO [org.hibernate.hql.internal.ast.ASTQueryTranslatorFactory] (ServerService Thread Pool -- 60) HHH000397: Using ASTQueryTranslatorFactory
15:09:35,594 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 60) HV000001: Hibernate Validator 5.1.3.Final
15:09:38,643 ERROR [org.keycloak.services.resources.KeycloakApplication] (ServerService Thread Pool -- 60) Failed to migrate datamodel: java.lang.NullPointerException
    at org.keycloak.migration.migrators.MigrateTo1_6_0.migrate(MigrateTo1_6_0.java:81)
    at org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:55)
    at org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:101)
    at org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:86)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    (...)
Is there any way to increase the logging level on the migration part, so that I can try and understand where the problem with our database is?

Thanks!
--
Felipe Braun Azambuja
DBA
Tecnologia da Informação e Comunicação
(48) 3281 9577
felipe.braun at intelbras.com.br

The information contained in this e-mail and its attachments are protected by law, subjected to privilege and/or confidentiality and cannot be retransmitted, filed, disclosed or copied without authorization from the sender. The sender uses the electronic mail in the exercise of his/her work or by virtue thereof, and the institution accepts no liability from its undue use. If you have received this message by mistake, please notify us immediately by returning the e-mail and deleting this message from your system.

From sthorger at redhat.com  Mon Nov 16 13:13:52 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 16 Nov 2015 19:13:52 +0100
Subject: [keycloak-user] Error upgrading database, 1.2.0.Final to 1.6.1.Final
In-Reply-To: <564A0EA6.1090208@intelbras.com.br>
References: <564A0EA6.1090208@intelbras.com.br>

Hi,

There's an issue with upgrading to 1.6 from 1.2.
It will be fixed in 1.7, but you can bypass the issue by first upgrading to 1.5, then to 1.6.

On 16 November 2015 at 18:13, Felipe Braun Azambuja <felipe.braun at intelbras.com.br> wrote:
> Hey all,
>
> I'm trying to upgrade Keycloak in our test instance, but I'm getting a really generic error while trying to start the service:
>
> 15:09:35,559 INFO [org.hibernate.hql.internal.ast.ASTQueryTranslatorFactory] (ServerService Thread Pool -- 60) HHH000397: Using ASTQueryTranslatorFactory
> 15:09:35,594 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 60) HV000001: Hibernate Validator 5.1.3.Final
> 15:09:38,643 ERROR [org.keycloak.services.resources.KeycloakApplication] (ServerService Thread Pool -- 60) Failed to migrate datamodel: java.lang.NullPointerException
>     at org.keycloak.migration.migrators.MigrateTo1_6_0.migrate(MigrateTo1_6_0.java:81)
>     at org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:55)
>     at org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:101)
>     at org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:86)
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>     (...)
>
> Is there any way to increase the logging level on the migration part, so that I can try and understand where the problem with our database is?
>
> Thanks!
> --
> Felipe Braun Azambuja
> DBA
> Tecnologia da Informação e Comunicação
> (48) 3281 9577
> felipe.braun at intelbras.com.br

From Jukka.Sirvio at mipro.fi  Mon Nov 16 13:26:47 2015
From: Jukka.Sirvio at mipro.fi (Jukka Sirviö)
Date: Mon, 16 Nov 2015 18:26:47 +0000
Subject: [keycloak-user] Keycloak saml authentication and authorization
In-Reply-To: <5649E4CC.30403@redhat.com>
References: <5649E4CC.30403@redhat.com>
Message-ID: <6175bf96e430423a9f5a457aca3e55e0@MIPROEXCH01.mipro.local>

Thank you Bill for a quick response. I will continue using our current SP level authorization functionality; it is easily integrated with Keycloak SAML with the help of additional attributes, as you pointed out (please see screenshot). EE roles and constraints will be used where appropriate. Those mentioned examples I'm quite familiar with, and also the client adapter documentation is reasonably well studied.
Thanks,

Yours:
Jukka

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke
Sent: 16 November 2015 16:15
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak saml authentication and authorization

The only authorization that we can do right now is at the application, through servlet security constraints and Java EE roles. Keycloak now has a SAML client adapter derived from PL SAML SP. There are ways to obtain the attributes propagated with the SAML assertion if you need something more:

http://keycloak.github.io/docs/userguide/saml-client-adapter/html/index.html

Here are the examples that come with the distro:

https://github.com/keycloak/keycloak/tree/master/examples/saml

Ping the list if you need further assistance.

On 11/16/2015 6:49 AM, Jukka Sirviö wrote:
> Hello all,
>
> Are there any examples on how to get Keycloak SAML authorization up and running?
>
> Keycloak SAML authentication is already up and running across two distinct web applications. My SAML authentication already includes a couple of user properties and attributes, but I'm not able to find any info about what is the right and correct way to establish authorization with keycloak saml, saml metadata perhaps?
>
> Could you please point me to the right direction? SAML authorization examples would be great, or is the "picketlink-federation-saml-sp-with-metadata" example all that I need to know?
>
> Reason for the above question is that I want to get rid of our own web-application specific authorization mechanism!
>
> Yes, and the answer to your follow-up question is that our environment is wf 9.0.1 J wf saml adapter is in use..
>
> Yours:
> Jukka

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 2015-11-16 20_12_25-Keycloak Admin Console.png
Type: image/png
Size: 54955 bytes
Desc: 2015-11-16 20_12_25-Keycloak Admin Console.png
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20151116/e9691c74/attachment-0001.png

From felipe.braun at intelbras.com.br  Mon Nov 16 14:18:16 2015
From: felipe.braun at intelbras.com.br (Felipe Braun Azambuja)
Date: Mon, 16 Nov 2015 17:18:16 -0200
Subject: [keycloak-user] Error upgrading database, 1.2.0.Final to 1.6.1.Final
References: <564A0EA6.1090208@intelbras.com.br>
Message-ID: <564A2BF8.8040301@intelbras.com.br>

Great! Thanks for the quick reply. Upgraded now :)

On 16/11/2015 16:13, Stian Thorgersen wrote:
> Hi,
>
> There's an issue with upgrading to 1.6 from 1.2.
> It will be fixed in 1.7, but you can bypass the issue by first upgrading to 1.5, then to 1.6.
>
> On 16 November 2015 at 18:13, Felipe Braun Azambuja <felipe.braun at intelbras.com.br> wrote:
>> Hey all,
>>
>> I'm trying to upgrade Keycloak in our test instance, but I'm getting a really generic error while trying to start the service:
>>
>> 15:09:35,559 INFO [org.hibernate.hql.internal.ast.ASTQueryTranslatorFactory] (ServerService Thread Pool -- 60) HHH000397: Using ASTQueryTranslatorFactory
>> 15:09:35,594 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 60) HV000001: Hibernate Validator 5.1.3.Final
>> 15:09:38,643 ERROR [org.keycloak.services.resources.KeycloakApplication] (ServerService Thread Pool -- 60) Failed to migrate datamodel: java.lang.NullPointerException
>>     at org.keycloak.migration.migrators.MigrateTo1_6_0.migrate(MigrateTo1_6_0.java:81)
>>     at org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:55)
>>     at org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:101)
>>     at org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:86)
>>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>     (...)
>>
>> Is there any way to increase the logging level on the migration part, so that I can try and understand where the problem with our database is?
>>
>> Thanks!
>> --
>> Felipe Braun Azambuja
>> DBA
>> Tecnologia da Informação e Comunicação
>> (48) 3281 9577
>> felipe.braun at intelbras.com.br

--
Felipe Braun Azambuja
DBA
Tecnologia da Informação e Comunicação
(48) 3281 9577
felipe.braun at intelbras.com.br

From kalc04 at gmail.com  Tue Nov 17 02:39:21 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Tue, 17 Nov 2015 13:09:21 +0530
Subject: [keycloak-user] Error upgrading database, 1.2.0.Final to 1.6.1.Final
In-Reply-To: <564A2BF8.8040301@intelbras.com.br>
References: <564A0EA6.1090208@intelbras.com.br> <564A2BF8.8040301@intelbras.com.br>

Had the exact problem a few moments ago, thanks for clarifying.

Regards,
Lohitha.

On Tue, Nov 17, 2015 at 12:48 AM, Felipe Braun Azambuja <felipe.braun at intelbras.com.br> wrote:
> Great! Thanks for the quick reply. Upgraded now :)
>
> On 16/11/2015 16:13, Stian Thorgersen wrote:
>> Hi,
>>
>> There's an issue with upgrading to 1.6 from 1.2. It will be fixed in 1.7, but you can bypass the issue by first upgrading to 1.5, then to 1.6.
>>
>> On 16 November 2015 at 18:13, Felipe Braun Azambuja <felipe.braun at intelbras.com.br> wrote:
>>> Hey all,
>>>
>>> I'm trying to upgrade Keycloak in our test instance, but I'm getting a really generic error while trying to start the service:
>>>
>>> 15:09:35,559 INFO [org.hibernate.hql.internal.ast.ASTQueryTranslatorFactory] (ServerService Thread Pool -- 60) HHH000397: Using ASTQueryTranslatorFactory
>>> 15:09:35,594 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 60) HV000001: Hibernate Validator 5.1.3.Final
>>> 15:09:38,643 ERROR [org.keycloak.services.resources.KeycloakApplication] (ServerService Thread Pool -- 60) Failed to migrate datamodel: java.lang.NullPointerException
>>>     at org.keycloak.migration.migrators.MigrateTo1_6_0.migrate(MigrateTo1_6_0.java:81)
>>>     at org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:55)
>>>     at org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:101)
>>>     at org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:86)
>>>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>>     (...)
>>>
>>> Is there any way to increase the logging level on the migration part, so that I can try and understand where the problem with our database is?
>>>
>>> Thanks!
>>> --
>>> Felipe Braun Azambuja
>>> DBA
>>> Tecnologia da Informação e Comunicação
>>> (48) 3281 9577
>>> felipe.braun at intelbras.com.br
>
> --
> Felipe Braun Azambuja
> DBA
> Tecnologia da Informação e Comunicação
> (48) 3281 9577
> felipe.braun at intelbras.com.br
From kalc04 at gmail.com  Tue Nov 17 06:02:40 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Tue, 17 Nov 2015 16:32:40 +0530
Subject: [keycloak-user] Replacement for deprecated '/realms/{realm}/tokens/grants/access' endpoint

Hi,

I could not find the replacement endpoint for the direct access granting API (/realms/{realm}/tokens/grants/access). I'm currently using 1.6.1.Final. Could someone point me in the right direction?

Regards,
Lohitha

From bruno at abstractj.org  Tue Nov 17 06:23:41 2015
From: bruno at abstractj.org (Bruno Oliveira)
Date: Tue, 17 Nov 2015 11:23:41 +0000
Subject: [keycloak-user] Issue (500 Internal Server Error) with "Update the events provider" via Admin REST API

Ahoy, I've created the following Jira to fix it: https://issues.jboss.org/browse/KEYCLOAK-2100

On Fri, Nov 13, 2015 at 12:17 PM Andrej Prievalsky wrote:
> I report an issue with "Update the events provider" via Admin REST API.
>
> I want to add Event Listeners: email, via
> PUT http://:/auth/admin/realms/universities/events/config
>
> with body {"eventsListeners":[ "email" ]}
>
> But I got Status Code: 500 Internal Server Error
>
> 2015-11-13 15:06:53,182 ERROR [io.undertow.request] (default task-11) UT005023: Exception handling request to /auth/admin/realms/universities/events/config: java.lang.RuntimeException: request path: /auth/admin/realms/universities/events/config
>     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:75)
>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
>     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
>     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
>     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
>     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>     at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
>     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
>     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
>     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
>     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
>     at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
>     at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
>     at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
>     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)
>     ...
29 more* > *Caused by: java.lang.NullPointerException* > * at > org.keycloak.services.managers.RealmManager.updateRealmEventsConfig(RealmManager.java:225)* > * at > org.keycloak.services.resources.admin.RealmAdminResource.updateRealmEventsConfig(RealmAdminResource.java:397)* > * at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)* > * at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)* > * at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)* > * at java.lang.reflect.Method.invoke(Method.java:606)* > * at > org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)* > * at > org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)* > * at > org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)* > * at > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)* > * at > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)* > * at > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)* > * at > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)* > * at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)* > * ... 37 more* > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
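As an added example (not code from the thread or from Keycloak): a client-side read-modify-write for the realm events config that fetches the current representation, merges the listener change into it, and only then PUTs the complete document, instead of the partial body shown above; it also refuses to switch auditing off as a side effect. Whatever the server-side cause tracked in KEYCLOAK-2100, sending the full representation is the conservative client behaviour. The key names follow Keycloak's RealmEventsConfigRepresentation and the sample current config is constructed; both are assumptions.

```python
"""Read-modify-write of a realm's events config over the Keycloak admin REST API.

Added example, not code from the thread. Instead of PUTting only
{"eventsListeners": ["email"]}, fetch the current representation, merge the
change into it, check the result, and PUT the complete document back.
Key names follow RealmEventsConfigRepresentation (assumed here).
"""
import json
from copy import deepcopy

# Constructed stand-in for what GET .../admin/realms/universities/events/config
# returns; the values are invented for the example.
CURRENT_CONFIG = {
    "eventsEnabled": True,
    "eventsExpiration": 86400,
    "eventsListeners": ["jboss-logging"],
    "enabledEventTypes": ["LOGIN", "LOGIN_ERROR", "LOGOUT"],
    "adminEventsEnabled": True,
    "adminEventsDetailsEnabled": False,
}

# Fields a complete representation must carry; a body lacking them is partial.
REQUIRED_KEYS = ("eventsEnabled", "eventsListeners",
                 "adminEventsEnabled", "adminEventsDetailsEnabled")


def merge_listeners(current, add=(), remove=()):
    """Copy the current config and adjust eventsListeners (order kept, no duplicates)."""
    merged = deepcopy(current)
    listeners = [name for name in merged.get("eventsListeners", []) if name not in remove]
    for name in add:
        if name not in listeners:
            listeners.append(name)
    merged["eventsListeners"] = listeners
    return merged


def validate_events_config(body, current, allow_audit_downgrade=False):
    """Reject partial bodies and bodies that would turn auditing off as a side effect."""
    missing = [key for key in REQUIRED_KEYS if key not in body]
    if missing:
        raise ValueError("partial representation, missing: " + ", ".join(missing))
    if body["eventsEnabled"] and not body["eventsListeners"]:
        raise ValueError("events enabled but no listener configured: events would be dropped")
    for flag in ("eventsEnabled", "adminEventsEnabled"):
        if current.get(flag) and not body[flag] and not allow_audit_downgrade:
            raise ValueError("body turns off %s; pass allow_audit_downgrade=True if intended" % flag)
    return True


def build_events_config_put(base_url, realm, bearer_token, body, current):
    """Assemble the PUT from the thread as (method, url, headers, json_text)."""
    validate_events_config(body, current)
    url = "%s/admin/realms/%s/events/config" % (base_url.rstrip("/"), realm)
    headers = {"Authorization": "Bearer " + bearer_token,
               "Content-Type": "application/json"}
    return "PUT", url, headers, json.dumps(body, sort_keys=True)


if __name__ == "__main__":
    new_body = merge_listeners(CURRENT_CONFIG, add=["email"])
    method, url, headers, text = build_events_config_put(
        "http://localhost:8080/auth", "universities", "ADMIN_TOKEN_PLACEHOLDER",
        new_body, CURRENT_CONFIG)
    print(method, url)
    print(text)
```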
From sthorger at redhat.com Tue Nov 17 06:23:52 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 17 Nov 2015 12:23:52 +0100
Subject: [keycloak-user] Replacement for deprecated '/realms/{realm}/tokens/grants/access' endpoint

Look at:
http://localhost:8080/auth/realms/{realm}/.well-known/openid-configuration

You want token_endpoint

On 17 November 2015 at 12:02, Lohitha Chiranjeewa wrote:
> Hi,
>
> I could not find the replacement endpoint for the direct access granting API (/realms/{realm}/tokens/grants/access). I'm currently using 1.6.1.Final. Could someone point me in the right direction?
>
> Regards,
> Lohitha

From atx at binaryninja.de Tue Nov 17 06:30:58 2015
From: atx at binaryninja.de (Ataraxus)
Date: Tue, 17 Nov 2015 12:30:58 +0100
Subject: [keycloak-user] Custom Login
Message-ID: <564B0FF2.4060003@binaryninja.de>

Hello,

I need to build a custom login where the user inputs more than username and pw. Also I need the pw checked against a custom service. Is this possible with keycloak?

My first attempt was to modify the "org.keycloak.examples.authenticator.SecretQuestionAuthenticator", but then I realised I need an already logged-in user, which I then authenticate with an additional step.
From alex_orl1079 at yahoo.it Tue Nov 17 07:35:49 2015
From: alex_orl1079 at yahoo.it (alex orl)
Date: Tue, 17 Nov 2015 12:35:49 +0000 (UTC)
Subject: [keycloak-user] Keycloak WildFly9 Adapter ClassNotFoundException for org.keycloak.adapters.spi.HttpFacade
References: <818724157.9732125.1447763749898.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <818724157.9732125.1447763749898.JavaMail.yahoo@mail.yahoo.com>

Hi to all,

I'm facing a class loading issue after I migrated from keycloak 1.5.0 final to keycloak 1.6.1 final. My application server is jboss WF9. Specifically, I developed my multitenant module following your example. On the Keycloak 1.5.0 adapter I saw that the interface org.keycloak.adapters.spi.HttpFacade was in the keycloak-adapter-core dependency, while in 1.6.1 it was moved into keycloak-adapter-spi.

I've referenced these dependencies as provided scoped in my project pom (as shown in the example too):

<dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-adapter-core</artifactId>
    <version>1.6.1.Final</version>
    <scope>provided</scope>
</dependency>
<dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-adapter-spi</artifactId>
    <version>1.6.1.Final</version>
    <scope>provided</scope>
</dependency>

I have installed the wf9 adapter adding: ... and ... and eventually by copying the modules folder into the wf9 modules directory. When I deploy my org.keycloak.adapters.KeycloakConfigResolver implementation I get this error:

...]13:02:55,997 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-6) MSC000001: Failed to start service jboss.deployment.unit."myapp.war".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.unit."myapp.war".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of deployment "myapp.war"
        at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:163)
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.RuntimeException: WFLYSRV0177: Error getting reflective information for class multitenancy.keycloak.PathBasedKeycloakConfigResolver with ClassLoader ModuleClassLoader for Module "deployment.myapp.war:main" from Service Module Loader
        at org.jboss.as.server.deployment.reflect.DeploymentReflectionIndex.getClassIndex(DeploymentReflectionIndex.java:70)
        at org.jboss.as.ee.metadata.MethodAnnotationAggregator.runtimeAnnotationInformation(MethodAnnotationAggregator.java:57)
        at org.jboss.as.ee.component.deployers.InterceptorAnnotationProcessor.handleAnnotations(InterceptorAnnotationProcessor.java:107)
        at org.jboss.as.ee.component.deployers.InterceptorAnnotationProcessor.processComponentConfig(InterceptorAnnotationProcessor.java:92)
        at org.jboss.as.ee.component.deployers.InterceptorAnnotationProcessor.deploy(InterceptorAnnotationProcessor.java:77)
        at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:156)
        ... 5 more
Caused by: java.lang.NoClassDefFoundError: org/keycloak/adapters/spi/HttpFacade$Request
        at java.lang.Class.getDeclaredMethods0(Native Method)
        at java.lang.Class.privateGetDeclaredMethods(Class.java:2701)
        at java.lang.Class.getDeclaredMethods(Class.java:1975)
        at org.jboss.as.server.deployment.reflect.ClassReflectionIndex.<init>(ClassReflectionIndex.java:65)
        at org.jboss.as.server.deployment.reflect.DeploymentReflectionIndex.getClassIndex(DeploymentReflectionIndex.java:66)
        ... 10 more
Caused by: java.lang.ClassNotFoundException: org.keycloak.adapters.spi.HttpFacade$Request from [Module "deployment.myapp.war:main" from Service Module Loader]
        at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:205)
        at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:455)
        at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:404)
        at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:385)
        at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:130)
        ... 15 more

Why is the keycloak-adapter-spi-1.6.1.Final.jar not loaded by the keycloak-adapter-spi module? If I decide to include the jar inside the myapp.war archive, after deployment I get a Linkage exception error. What am I doing wrong?

thanks

From alex_orl1079 at yahoo.it Tue Nov 17 08:38:25 2015
From: alex_orl1079 at yahoo.it (alex orl)
Date: Tue, 17 Nov 2015 13:38:25 +0000 (UTC)
Subject: [keycloak-user] Keycloak WildFly9 Adapter ClassNotFoundException for org.keycloak.adapters.spi.HttpFacade
In-Reply-To: <818724157.9732125.1447763749898.JavaMail.yahoo@mail.yahoo.com>
References: <818724157.9732125.1447763749898.JavaMail.yahoo.ref@mail.yahoo.com> <818724157.9732125.1447763749898.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <1219398056.9877238.1447767505813.JavaMail.yahoo@mail.yahoo.com>

I got it: the jboss deployment descriptor ... should be the answer.

From kalc04 at gmail.com Tue Nov 17 08:41:47 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Tue, 17 Nov 2015 19:11:47 +0530
Subject: [keycloak-user] Replacement for deprecated '/realms/{realm}/tokens/grants/access' endpoint

Thanks Stian, working fine.

On Tue, Nov 17, 2015 at 4:53 PM, Stian Thorgersen wrote:
> Look at:
> http://localhost:8080/auth/realms/{realm}/.well-known/openid-configuration
>
> You want token_endpoint
>
> On 17 November 2015 at 12:02, Lohitha Chiranjeewa wrote:
>> Hi,
>>
>> I could not find the replacement endpoint for the direct access granting API (/realms/{realm}/tokens/grants/access). I'm currently using 1.6.1.Final. Could someone point me in the right direction?
>>
>> Regards,
>> Lohitha
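Stian's pointer, worked through as an added example (not code from the thread or from Keycloak): read the discovery document, accept its token_endpoint only when it belongs to the expected issuer over TLS, and build the resource owner password grant that replaces the deprecated /realms/{realm}/tokens/grants/access call. The discovery document, realm, client name and credentials are constructed; grant_types_supported may be missing on older servers, so it is treated as optional.

```python
"""Locate the OIDC token endpoint through discovery and build the direct access
grant that replaces /realms/{realm}/tokens/grants/access.

Added example, not code from the thread or from Keycloak. The discovery
document below is a constructed, trimmed sample of what
/realms/{realm}/.well-known/openid-configuration returns.
"""
import json
from urllib.parse import urlencode, urlparse

DISCOVERY_JSON = json.dumps({
    "issuer": "https://sso.example.test/auth/realms/demo",
    "authorization_endpoint": "https://sso.example.test/auth/realms/demo/protocol/openid-connect/auth",
    "token_endpoint": "https://sso.example.test/auth/realms/demo/protocol/openid-connect/token",
    "grant_types_supported": ["authorization_code", "password", "refresh_token"],
})

DEPRECATED_SUFFIX = "/tokens/grants/access"


def token_endpoint_from_discovery(doc_text, expected_issuer):
    """Return token_endpoint only if the document is for expected_issuer and the
    endpoint lives under that issuer over TLS, so a swapped or tampered document
    cannot point the credentials at another host."""
    doc = json.loads(doc_text)
    if doc.get("issuer") != expected_issuer:
        raise ValueError("issuer mismatch: %r" % doc.get("issuer"))
    endpoint = doc.get("token_endpoint")
    if not endpoint:
        raise ValueError("discovery document carries no token_endpoint")
    ep, iss = urlparse(endpoint), urlparse(expected_issuer)
    if ep.scheme != "https" or ep.netloc != iss.netloc or not ep.path.startswith(iss.path + "/"):
        raise ValueError("token_endpoint %s is not under issuer %s" % (endpoint, expected_issuer))
    # Older servers may omit grant_types_supported; fail only when it is present without "password".
    if "password" not in doc.get("grant_types_supported", ["password"]):
        raise ValueError("server does not advertise the password grant (direct access grants)")
    return endpoint


def build_password_grant(token_endpoint, client_id, username, password, client_secret=None):
    """Form-encoded resource owner password grant; returns (url, headers, body).
    client_secret is sent only for confidential clients."""
    if token_endpoint.endswith(DEPRECATED_SUFFIX):
        raise ValueError("refusing the deprecated endpoint; use token_endpoint from discovery")
    fields = {"grant_type": "password", "client_id": client_id,
              "username": username, "password": password}
    if client_secret is not None:
        fields["client_secret"] = client_secret
    headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
    return token_endpoint, headers, urlencode(fields)


def parse_token_response(text):
    """Pick out the fields a caller needs; surface OAuth2 error responses as exceptions."""
    data = json.loads(text)
    if "error" in data:
        raise ValueError("%s: %s" % (data["error"], data.get("error_description", "")))
    if data.get("token_type", "").lower() != "bearer" or "access_token" not in data:
        raise ValueError("unexpected token response, keys: %s" % sorted(data))
    return {"access_token": data["access_token"],
            "expires_in": data.get("expires_in"),
            "refresh_token": data.get("refresh_token")}


if __name__ == "__main__":
    endpoint = token_endpoint_from_discovery(DISCOVERY_JSON, "https://sso.example.test/auth/realms/demo")
    url, headers, body = build_password_grant(endpoint, "demo-client", "alice", "correct horse")
    print("POST", url)
    print(body)
```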
From atx at binaryninja.de Tue Nov 17 09:04:58 2015
From: atx at binaryninja.de (Ataraxus)
Date: Tue, 17 Nov 2015 15:04:58 +0100
Subject: [keycloak-user] Custom Login
In-Reply-To: <564B0FF2.4060003@binaryninja.de>
References: <564B0FF2.4060003@binaryninja.de>
Message-ID: <564B340A.2040003@binaryninja.de>

Got it, thanks! I missed one line:

public boolean requiresUser() {
    return true;
}

changed it to:

public boolean requiresUser() {
    return false;
}

This did the job.

On 17.11.15 at 12:30, Ataraxus wrote:
> Hello,
>
> I need to build a custom login where the user inputs more than username and pw. Also I need the pw checked against a custom service. Is this possible with keycloak?
>
> My first attempt was to modify the "org.keycloak.examples.authenticator.SecretQuestionAuthenticator", but then I realised I need an already logged-in user, which I then authenticate with an additional step.

From johan.heylen.public at gmail.com Tue Nov 17 09:40:06 2015
From: johan.heylen.public at gmail.com (Johan Heylen)
Date: Tue, 17 Nov 2015 15:40:06 +0100
Subject: [keycloak-user] Users losing realm roles without a valid reason

Hallo,

we have noticed a strange behaviour in our Keycloak setup: after a while, some users lose one of their assigned realm roles, without anyone actually requesting this from the keycloak server (we see no admin events that can explain this behaviour). Could it be that something is wrong in some cache implementation, or an issue in concurrency?
When I make a dump of the database, the role can also no longer be found there in the user export, so it actually gets removed from there as well.

One specific thing we do is managing the realm settings using the admin REST API, which PUTs the realm config JSON every X minutes (X is currently 5 to 2 minutes), so the PUT call happens a lot (I can see it in the admin events). To exclude this as a possible culprit, I've disabled this constant updating of the realm. I'll send an update whether this has had any impact, but either way, the issue should not occur.

Has anyone already encountered this issue? I can provide you with more config of the keycloak server and realm if required... We are on 1.6.0.

Could you help me with enabling the correct logging, so I might be able to trace where the problem occurs or see what causes the drop of a realm role on a user (his other realm roles remain untouched...)?

Currently I am not able to reproduce this with a testcase, it just occurs from time to time on a test platform, so I did not create a JIRA ticket yet.

Tnx,
Johan Heylen
DNS Belgium

From johan.heylen.public at gmail.com Tue Nov 17 09:52:45 2015
From: johan.heylen.public at gmail.com (Johan Heylen)
Date: Tue, 17 Nov 2015 15:52:45 +0100
Subject: [keycloak-user] Forgot password flow + TOTP

Tnx Bill,

I've attached two screenshots of my current settings.

We haven't done any custom flows (yet), only some changes from optional to disabled or required in existing out-of-the-box flows, which worked as expected.

To be able to do the customization I need, should I add the 'OTP Form' used in the browser flow to the last part of the reset credential flow? Do I need to add the Forms element as well?

You think that's possible in keycloak 1.6, or do I need to create a ticket?
Johan

From bstoke69 at gmail.com Tue Nov 17 10:17:34 2015
From: bstoke69 at gmail.com (David Hay)
Date: Tue, 17 Nov 2015 10:17:34 -0500
Subject: [keycloak-user] Hybrid flow
In-Reply-To: <56473AEA.3030201@redhat.com>
References: <56473AEA.3030201@redhat.com>

Ok, thanks... are there any outstanding security concerns around that, as long as I use TLS?

On Sat, Nov 14, 2015 at 8:45 AM, Bill Burke wrote:
> We call these public clients and it's the way our admin console works. Use our javascript adapter to obtain a token and make XHR requests to the server with the token.
>
> On 11/13/2015 10:29 PM, David Hay wrote:
>> Hi,
>>
>> Newbie here...
>>
>> We're needing to secure an AngularJS application hitting our REST API (and supporting customers hitting it directly).
>>
>> I believe in this situation we need to utilize the Hybrid flow as there is no way to secure the secret in AngularJS.
>>
>> Does Keycloak support this?
>>
>> Thanks!
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From bburke at redhat.com Tue Nov 17 10:31:27 2015
From: bburke at redhat.com (Bill Burke)
Date: Tue, 17 Nov 2015 10:31:27 -0500
Subject: [keycloak-user] Forgot password flow + TOTP
Message-ID: <564B484F.2020900@redhat.com>

I'm not sure what exactly you want to do. You should be able to pull in the OTP form into the reset credential flow if you want to.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From johan.heylen.public at gmail.com Tue Nov 17 10:57:04 2015
From: johan.heylen.public at gmail.com (Johan Heylen)
Date: Tue, 17 Nov 2015 16:57:04 +0100
Subject: [keycloak-user] Forgot password flow + TOTP

Bill,

I've indeed managed to get it working: when using the forgot password functionality you now have to enter your OTP key first before being able to choose a new password. See screenshot.

Tnx,
Johan Heylen
DNS Belgium

From ismail117 at gmail.com Tue Nov 17 11:12:07 2015
From: ismail117 at gmail.com (Ismail Shaik)
Date: Tue, 17 Nov 2015 10:12:07 -0600
Subject: [keycloak-user] keycloak-overlay-eap6-1.6.1.Final has jobs start up issue

Hi,

This is Ismail, I am trying to set up SSO using Keycloak. I extracted keycloak-overlay-eap6-1.6.1.Final to my Jboss Home, which has the version 6.2.3 EAP, and when I try to start the server I am getting the below exception:

se configuration
        at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:141) [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT]
        at org.jboss.as.server.ServerService.boot(ServerService.java:324) [jboss-as-server-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT]
        at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:253) [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT]
        at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75]
Caused by: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[2,1]
Message: Unexpected element '{urn:jboss:domain:1.7}server'
        at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:108) [staxmapper-1.1.0.Final-redhat-2.jar:1.1.0.Final-redhat-2]
        at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69) [staxmapper-1.1.0.Final-redhat-2.jar:1.1.0.Final-redhat-2]
        at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:133) [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT]
        ... 3 more

09:27:24,775 FATAL [org.jboss.as.server] (Controller Boot Thread) JBAS015957: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
09:27:24,784 INFO  [org.jboss.as] (MSC service thread 1-7) JBAS015950: JBoss EAP 6.2.3.GA (AS 7.3.3.Final-redhat-SNAPSHOT) stopped in 4ms

I am running the server using the below command:

bash standalone.sh --server-config=standalone-keycloak.xml

I am using MAC OS.

-- 
Thanks,
Ismail Shaik - 908 922 9571
From mstrukel at redhat.com Tue Nov 17 11:24:41 2015
From: mstrukel at redhat.com (Marko Strukelj)
Date: Tue, 17 Nov 2015 17:24:41 +0100
Subject: [keycloak-user] keycloak-overlay-eap6-1.6.1.Final has jobs start up issue

You should use EAP 6.4.x. We only support that.

From ismail117 at gmail.com Tue Nov 17 11:46:03 2015
From: ismail117 at gmail.com (Ismail Shaik)
Date: Tue, 17 Nov 2015 10:46:03 -0600
Subject: [keycloak-user] keycloak-overlay-eap6-1.6.1.Final has jobs start up issue

Thank you Marko.

On Tue, Nov 17, 2015 at 10:24 AM, Marko Strukelj wrote:
> You should use EAP 6.4.x. We only support that.

-- 
Thanks,
Ismail Shaik - 908 922 9571

From ismail117 at gmail.com Tue Nov 17 12:15:30 2015
From: ismail117 at gmail.com (Ismail Shaik)
Date: Tue, 17 Nov 2015 11:15:30 -0600
Subject: [keycloak-user] keycloak-overlay-eap6-1.6.1.Final has jobs start up issue

Hi Marko,

Now I am working on the Jboss EAP 6.4. I am able to start the server successfully with Keycloak, but when I login I am getting the following issue, with a blank page under Admin Console:

[org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint] (http-/127.0.0.1:8080-2) Invoking deprecated endpoint http://localhost:8080/auth/realms/master/tokens/login?client_id=security-admin-console&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=3fd78c2f-34e2-47f6-b95f-24a66ded43ad&response_type=code

Can you please let me know the workaround if possible.

On Tue, Nov 17, 2015 at 10:46 AM, Ismail Shaik wrote:
> Thank you Marko.
>
> On Tue, Nov 17, 2015 at 10:24 AM, Marko Strukelj wrote:
>> You should use EAP 6.4.x. We only support that.
>>> >>> bash standalone.sh --server-config=standalone-keycloak.xml >>> >>> >>> I am using the MAC OS >>> >>> -- >>> Thanks, >>> Ismail Shaik - 908 922 9571 >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > > > -- > Thanks, > Ismail Shaik - 908 922 9571 > -- Thanks, Ismail Shaik - 908 922 9571 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151117/ae7e9a94/attachment-0001.html From ismail117 at gmail.com Tue Nov 17 14:07:23 2015 From: ismail117 at gmail.com (Ismail Shaik) Date: Tue, 17 Nov 2015 13:07:23 -0600 Subject: [keycloak-user] keycloak-overlay-eap6-1.6.1.Final has jobs start up issue In-Reply-To: References: Message-ID: Marko, Can you please let me know Which version of key cloak is good for Jboss EAP 6.2.3. ? I have to use the Jboss EAP 6.2.3 . Thanks in advance. On Tue, Nov 17, 2015 at 10:24 AM, Marko Strukelj wrote: > You should use EAP 6.4.x. We only support that. > > On Tue, Nov 17, 2015 at 5:12 PM, Ismail Shaik wrote: > >> Hi, >> This is Ismail , I am trying to set up SSO using the key cloak , I >> extracted the a *keycloak-overlay-eap6-1.6.1.Final *to my Jboss Home >> which has the version 6.2.3. 
EAP and when I try to start the server I am >> getting the below exception >> >> se configuration >> >> at >> org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:141) >> [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT] >> >> at org.jboss.as.server.ServerService.boot(ServerService.java:324) >> [jboss-as-server-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT] >> >> at >> org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:253) >> [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT] >> >> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75] >> >> Caused by: javax.xml.stream.XMLStreamException: ParseError at >> [row,col]:[2,1] >> >> Message: Unexpected element '{urn:jboss:domain:1.7}server' >> >> at >> org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:108) >> [staxmapper-1.1.0.Final-redhat-2.jar:1.1.0.Final-redhat-2] >> >> at >> org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69) >> [staxmapper-1.1.0.Final-redhat-2.jar:1.1.0.Final-redhat-2] >> >> at >> org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:133) >> [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT] >> >> ... 3 more >> >> >> 09:27:24,775 FATAL [org.jboss.as.server] (Controller Boot Thread) >> JBAS015957: Server boot has failed in an unrecoverable manner; exiting. See >> previous messages for details. >> >> 09:27:24,784 INFO [org.jboss.as] (MSC service thread 1-7) JBAS015950: >> JBoss EAP 6.2.3.GA (AS 7.3.3.Final-redhat-SNAPSHOT) >> stopped in 4ms >> >> I am running the server using below command. 
>> >> bash standalone.sh --server-config=standalone-keycloak.xml >> >> >> I am using the MAC OS >> >> -- >> Thanks, >> Ismail Shaik - 908 922 9571 >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -- Thanks, Ismail Shaik - 908 922 9571 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151117/2e62b9d1/attachment.html From bburke at redhat.com Tue Nov 17 14:24:15 2015 From: bburke at redhat.com (Bill Burke) Date: Tue, 17 Nov 2015 14:24:15 -0500 Subject: [keycloak-user] keycloak-overlay-eap6-1.6.1.Final has jobs start up issue In-Reply-To: References: Message-ID: <564B7EDF.5040909@redhat.com> Is there a reason we don't work on 6.2.3? On 11/17/2015 2:07 PM, Ismail Shaik wrote: > Marko, > > Can you please let me know Which version of key cloak is good for Jboss > EAP 6.2.3. ? I have to use the Jboss EAP 6.2.3 . Thanks in advance. > > On Tue, Nov 17, 2015 at 10:24 AM, Marko Strukelj > wrote: > > You should use EAP 6.4.x. We only support that. > > On Tue, Nov 17, 2015 at 5:12 PM, Ismail Shaik > wrote: > > Hi, > This is Ismail , I am trying to set up SSO using the key cloak , > I extracted the a *keycloak-overlay-eap6-1.6.1.Final *to my > Jboss Home which has the version 6.2.3. 
EAP and when I try to > start the server I am getting the below exception > > se configuration > > at > org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:141) > [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT] > > at > org.jboss.as.server.ServerService.boot(ServerService.java:324) > [jboss-as-server-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT] > > at > org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:253) > [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT] > > at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75] > > Caused by: javax.xml.stream.XMLStreamException: ParseError at > [row,col]:[2,1] > > Message: Unexpected element '{urn:jboss:domain:1.7}server' > > at > org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:108) > [staxmapper-1.1.0.Final-redhat-2.jar:1.1.0.Final-redhat-2] > > at > org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69) > [staxmapper-1.1.0.Final-redhat-2.jar:1.1.0.Final-redhat-2] > > at > org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:133) > [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT] > > ... 3 more > > > 09:27:24,775 FATAL [org.jboss.as.server] (Controller Boot > Thread) JBAS015957: Server boot has failed in an unrecoverable > manner; exiting. See previous messages for details. > > 09:27:24,784 INFO [org.jboss.as ] (MSC > service thread 1-7) JBAS015950: JBoss EAP 6.2.3.GA > (AS 7.3.3.Final-redhat-SNAPSHOT) stopped in 4ms > > > I am running the server using below command. 
> > bash standalone.sh --server-config=standalone-keycloak.xml > > > I am using the MAC OS > > > -- > Thanks, > Ismail Shaik - 908 922 9571 > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > -- > Thanks, > Ismail Shaik - 908 922 9571 > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From ismail117 at gmail.com Tue Nov 17 14:29:11 2015 From: ismail117 at gmail.com (Ismail Shaik) Date: Tue, 17 Nov 2015 13:29:11 -0600 Subject: [keycloak-user] keycloak-overlay-eap6-1.6.1.Final has jobs start up issue In-Reply-To: <564B7EDF.5040909@redhat.com> References: <564B7EDF.5040909@redhat.com> Message-ID: Bill, Yes if I change the server I need to migrate all my 7 applications to new jboss EAP. Which is why I would like to have the version compatible with jboss eap 6.2.x. Thank you for quick reply. On Nov 17, 2015 1:24 PM, "Bill Burke" wrote: > Is there a reason we don't work on 6.2.3? > > On 11/17/2015 2:07 PM, Ismail Shaik wrote: > > Marko, > > > > Can you please let me know Which version of key cloak is good for Jboss > > EAP 6.2.3. ? I have to use the Jboss EAP 6.2.3 . Thanks in advance. > > > > On Tue, Nov 17, 2015 at 10:24 AM, Marko Strukelj > > wrote: > > > > You should use EAP 6.4.x. We only support that. > > > > On Tue, Nov 17, 2015 at 5:12 PM, Ismail Shaik > > wrote: > > > > Hi, > > This is Ismail , I am trying to set up SSO using the key cloak , > > I extracted the a *keycloak-overlay-eap6-1.6.1.Final *to my > > Jboss Home which has the version 6.2.3. 
EAP and when I try to > > start the server I am getting the below exception > > > > se configuration > > > > at > > > org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:141) > > > [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT] > > > > at > > org.jboss.as.server.ServerService.boot(ServerService.java:324) > > > [jboss-as-server-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT] > > > > at > > > org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:253) > > > [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT] > > > > at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75] > > > > Caused by: javax.xml.stream.XMLStreamException: ParseError at > > [row,col]:[2,1] > > > > Message: Unexpected element '{urn:jboss:domain:1.7}server' > > > > at > > > org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:108) > > [staxmapper-1.1.0.Final-redhat-2.jar:1.1.0.Final-redhat-2] > > > > at > > > org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69) > > [staxmapper-1.1.0.Final-redhat-2.jar:1.1.0.Final-redhat-2] > > > > at > > > org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:133) > > > [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT] > > > > ... 3 more > > > > > > 09:27:24,775 FATAL [org.jboss.as.server] (Controller Boot > > Thread) JBAS015957: Server boot has failed in an unrecoverable > > manner; exiting. See previous messages for details. > > > > 09:27:24,784 INFO [org.jboss.as ] (MSC > > service thread 1-7) JBAS015950: JBoss EAP 6.2.3.GA > > (AS 7.3.3.Final-redhat-SNAPSHOT) stopped in > 4ms > > > > > > I am running the server using below command. 
> > > > bash standalone.sh --server-config=standalone-keycloak.xml > > > > > > I am using the MAC OS > > > > > > -- > > Thanks, > > Ismail Shaik - 908 922 9571 > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org keycloak-user at lists.jboss.org> > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > > -- > > Thanks, > > Ismail Shaik - 908 922 9571 > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151117/a298fe46/attachment-0001.html From atx at binaryninja.de Tue Nov 17 14:39:15 2015 From: atx at binaryninja.de (Ataraxus) Date: Tue, 17 Nov 2015 20:39:15 +0100 Subject: [keycloak-user] keycloak-overlay-eap6-1.6.1.Final has jobs start up issue In-Reply-To: References: Message-ID: <564B8263.6060800@binaryninja.de> I recently bisected that. Version 1.1 of keycloak is working with EAP 6.2.x Bill stated, that technicaly it could work. I think the main reason is that the server overlay is not working. I didn't try to install keycloak manually though... Am 17.11.15 um 20:07 schrieb Ismail Shaik: > Marko, > > Can you please let me know Which version of key cloak is good for > Jboss EAP 6.2.3. ? I have to use the Jboss EAP 6.2.3 . Thanks in advance. > > On Tue, Nov 17, 2015 at 10:24 AM, Marko Strukelj > wrote: > > You should use EAP 6.4.x. We only support that. 
> > On Tue, Nov 17, 2015 at 5:12 PM, Ismail Shaik > wrote: > > Hi, > This is Ismail , I am trying to set up SSO using the key cloak > , I extracted the a *keycloak-overlay-eap6-1.6.1.Final *to my > Jboss Home which has the version 6.2.3. EAP and when I try to > start the server I am getting the below exception > > se configuration > > at > org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:141) > [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT] > > at > org.jboss.as.server.ServerService.boot(ServerService.java:324) > [jboss-as-server-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT] > > at > org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:253) > [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT] > > at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75] > > Caused by: javax.xml.stream.XMLStreamException: ParseError at > [row,col]:[2,1] > > Message: Unexpected element '{urn:jboss:domain:1.7}server' > > at > org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:108) > [staxmapper-1.1.0.Final-redhat-2.jar:1.1.0.Final-redhat-2] > > at > org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69) > [staxmapper-1.1.0.Final-redhat-2.jar:1.1.0.Final-redhat-2] > > at > org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:133) > [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT] > > ... 3 more > > > 09:27:24,775 FATAL [org.jboss.as.server] (Controller Boot > Thread) JBAS015957: Server boot has failed in an unrecoverable > manner; exiting. See previous messages for details. > > 09:27:24,784 INFO [org.jboss.as ] (MSC > service thread 1-7) JBAS015950: JBoss EAP 6.2.3.GA > (AS 7.3.3.Final-redhat-SNAPSHOT) stopped in 4ms > > > I am running the server using below command. 
> > bash standalone.sh --server-config=standalone-keycloak.xml > > > I am using the MAC OS > > > -- > Thanks, > Ismail Shaik - 908 922 9571 > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > -- > Thanks, > Ismail Shaik - 908 922 9571 > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151117/2bac6556/attachment.html From bburke at redhat.com Tue Nov 17 14:43:35 2015 From: bburke at redhat.com (Bill Burke) Date: Tue, 17 Nov 2015 14:43:35 -0500 Subject: [keycloak-user] keycloak-overlay-eap6-1.6.1.Final has jobs start up issue In-Reply-To: References: <564B7EDF.5040909@redhat.com> Message-ID: <564B8367.7050103@redhat.com> You don't need to migrate your 7 applications. The client adapter should still work on EAP 6.2. If it doesn't thats something we would fix. Its the server that we won't support on anything earlier. On 11/17/2015 2:29 PM, Ismail Shaik wrote: > Bill, > > Yes if I change the server I need to migrate all my 7 applications to > new jboss EAP. Which is why I would like to have the version compatible > with jboss eap 6.2.x. > Thank you for quick reply. > > On Nov 17, 2015 1:24 PM, "Bill Burke" > wrote: > > Is there a reason we don't work on 6.2.3? > > On 11/17/2015 2:07 PM, Ismail Shaik wrote: > > Marko, > > > > Can you please let me know Which version of key cloak is good for > Jboss > > EAP 6.2.3. ? I have to use the Jboss EAP 6.2.3 . Thanks in advance. > > > > On Tue, Nov 17, 2015 at 10:24 AM, Marko Strukelj > > > >> wrote: > > > > You should use EAP 6.4.x. We only support that. 
> > > > On Tue, Nov 17, 2015 at 5:12 PM, Ismail Shaik > > > >> wrote: > > > > Hi, > > This is Ismail , I am trying to set up SSO using the key > cloak , > > I extracted the a *keycloak-overlay-eap6-1.6.1.Final *to my > > Jboss Home which has the version 6.2.3. EAP and when I > try to > > start the server I am getting the below exception > > > > se configuration > > > > at > > > org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:141) > > > [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT] > > > > at > > > org.jboss.as.server.ServerService.boot(ServerService.java:324) > > > [jboss-as-server-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT] > > > > at > > > org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:253) > > > [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT] > > > > at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75] > > > > Caused by: javax.xml.stream.XMLStreamException: ParseError at > > [row,col]:[2,1] > > > > Message: Unexpected element '{urn:jboss:domain:1.7}server' > > > > at > > > org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:108) > > [staxmapper-1.1.0.Final-redhat-2.jar:1.1.0.Final-redhat-2] > > > > at > > > org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69) > > [staxmapper-1.1.0.Final-redhat-2.jar:1.1.0.Final-redhat-2] > > > > at > > > org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:133) > > > [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT] > > > > ... 3 more > > > > > > 09:27:24,775 FATAL [org.jboss.as.server] (Controller Boot > > Thread) JBAS015957: Server boot has failed in an > unrecoverable > > manner; exiting. See previous messages for details. 
> > > > 09:27:24,784 INFO [org.jboss.as > ] (MSC > > service thread 1-7) JBAS015950: JBoss EAP 6.2.3.GA > > > (AS 7.3.3.Final-redhat-SNAPSHOT) > stopped in 4ms > > > > > > I am running the server using below command. > > > > bash standalone.sh --server-config=standalone-keycloak.xml > > > > > > I am using the MAC OS > > > > > > -- > > Thanks, > > Ismail Shaik - 908 922 9571 > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > > -- > > Thanks, > > Ismail Shaik - 908 922 9571 > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From atx at binaryninja.de Tue Nov 17 14:45:55 2015 From: atx at binaryninja.de (Ataraxus) Date: Tue, 17 Nov 2015 20:45:55 +0100 Subject: [keycloak-user] keycloak-overlay-eap6-1.6.1.Final has jobs start up issue In-Reply-To: <564B8367.7050103@redhat.com> References: <564B7EDF.5040909@redhat.com> <564B8367.7050103@redhat.com> Message-ID: <564B83F3.8070909@binaryninja.de> Is there any manual how to install keycloak manually? Am 17.11.15 um 20:43 schrieb Bill Burke: > You don't need to migrate your 7 applications. The client adapter > should still work on EAP 6.2. If it doesn't thats something we would > fix. Its the server that we won't support on anything earlier. > > On 11/17/2015 2:29 PM, Ismail Shaik wrote: >> Bill, >> >> Yes if I change the server I need to migrate all my 7 applications to >> new jboss EAP. 
Which is why I would like to have the version compatible >> with jboss eap 6.2.x. >> Thank you for quick reply. >> >> On Nov 17, 2015 1:24 PM, "Bill Burke" > > wrote: >> >> Is there a reason we don't work on 6.2.3? >> >> On 11/17/2015 2:07 PM, Ismail Shaik wrote: >> > Marko, >> > >> > Can you please let me know Which version of key cloak is good for >> Jboss >> > EAP 6.2.3. ? I have to use the Jboss EAP 6.2.3 . Thanks in advance. >> > >> > On Tue, Nov 17, 2015 at 10:24 AM, Marko Strukelj >> >> > >> wrote: >> > >> > You should use EAP 6.4.x. We only support that. >> > >> > On Tue, Nov 17, 2015 at 5:12 PM, Ismail Shaik >> >> > >> wrote: >> > >> > Hi, >> > This is Ismail , I am trying to set up SSO using the key >> cloak , >> > I extracted the a *keycloak-overlay-eap6-1.6.1.Final *to my >> > Jboss Home which has the version 6.2.3. EAP and when I >> try to >> > start the server I am getting the below exception >> > >> > se configuration >> > >> > at >> > >> org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:141) >> > >> [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT] >> > >> > at >> > >> org.jboss.as.server.ServerService.boot(ServerService.java:324) >> > >> [jboss-as-server-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT] >> > >> > at >> > >> org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:253) >> > >> [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT] >> > >> > at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75] >> > >> > Caused by: javax.xml.stream.XMLStreamException: ParseError at >> > [row,col]:[2,1] >> > >> > Message: Unexpected element '{urn:jboss:domain:1.7}server' >> > >> > at >> > >> org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:108) >> > [staxmapper-1.1.0.Final-redhat-2.jar:1.1.0.Final-redhat-2] >> > >> > at >> > >> 
org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69) >> > [staxmapper-1.1.0.Final-redhat-2.jar:1.1.0.Final-redhat-2] >> > >> > at >> > >> org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:133) >> > >> [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT] >> > >> > ... 3 more >> > >> > >> > 09:27:24,775 FATAL [org.jboss.as.server] (Controller Boot >> > Thread) JBAS015957: Server boot has failed in an >> unrecoverable >> > manner; exiting. See previous messages for details. >> > >> > 09:27:24,784 INFO [org.jboss.as >> ] (MSC >> > service thread 1-7) JBAS015950: JBoss EAP 6.2.3.GA >> >> > (AS 7.3.3.Final-redhat-SNAPSHOT) >> stopped in 4ms >> > >> > >> > I am running the server using below command. >> > >> > bash standalone.sh --server-config=standalone-keycloak.xml >> > >> > >> > I am using the MAC OS >> > >> > >> > -- >> > Thanks, >> > Ismail Shaik - 908 922 9571 >> >> > >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> >> > > >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> > >> > >> > >> > >> > -- >> > Thanks, >> > Ismail Shaik - 908 922 9571 >> > >> > >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> From ismail117 at gmail.com Tue Nov 17 14:51:17 2015 From: ismail117 at gmail.com (Ismail Shaik) Date: Tue, 17 Nov 2015 13:51:17 -0600 Subject: [keycloak-user] keycloak-overlay-eap6-1.6.1.Final has jobs start up issue In-Reply-To: <564B83F3.8070909@binaryninja.de> References: 
<564B7EDF.5040909@redhat.com> <564B8367.7050103@redhat.com> <564B83F3.8070909@binaryninja.de> Message-ID: Please refer this : http://keycloak.github.io/docs/userguide/keycloak-server/pdf/keycloak-reference-guide-en-US.pdf you will see chapter Chapter 3. Installation and Configuration of Keycloak Server please follow these instructions and also you can verify the folder structure for both the extracted zip file as well as your local Jboss home (if you are using the existing Jboss). hope this helps. On Tue, Nov 17, 2015 at 1:45 PM, Ataraxus wrote: > Is there any manual how to install keycloak manually? > > Am 17.11.15 um 20:43 schrieb Bill Burke: > > You don't need to migrate your 7 applications. The client adapter > > should still work on EAP 6.2. If it doesn't thats something we would > > fix. Its the server that we won't support on anything earlier. > > > > On 11/17/2015 2:29 PM, Ismail Shaik wrote: > >> Bill, > >> > >> Yes if I change the server I need to migrate all my 7 applications to > >> new jboss EAP. Which is why I would like to have the version compatible > >> with jboss eap 6.2.x. > >> Thank you for quick reply. > >> > >> On Nov 17, 2015 1:24 PM, "Bill Burke" >> > wrote: > >> > >> Is there a reason we don't work on 6.2.3? > >> > >> On 11/17/2015 2:07 PM, Ismail Shaik wrote: > >> > Marko, > >> > > >> > Can you please let me know Which version of key cloak is good > for > >> Jboss > >> > EAP 6.2.3. ? I have to use the Jboss EAP 6.2.3 . Thanks in > advance. > >> > > >> > On Tue, Nov 17, 2015 at 10:24 AM, Marko Strukelj > >> > >> > >> > wrote: > >> > > >> > You should use EAP 6.4.x. We only support that. > >> > > >> > On Tue, Nov 17, 2015 at 5:12 PM, Ismail Shaik > >> > >> > >> > wrote: > >> > > >> > Hi, > >> > This is Ismail , I am trying to set up SSO using the key > >> cloak , > >> > I extracted the a *keycloak-overlay-eap6-1.6.1.Final > *to my > >> > Jboss Home which has the version 6.2.3. 
EAP and when I > >> try to > >> > start the server I am getting the below exception > >> > > >> > se configuration > >> > > >> > at > >> > > >> > org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:141) > >> > > >> > [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT] > >> > > >> > at > >> > > >> org.jboss.as.server.ServerService.boot(ServerService.java:324) > >> > > >> > [jboss-as-server-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT] > >> > > >> > at > >> > > >> > org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:253) > >> > > >> > [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT] > >> > > >> > at java.lang.Thread.run(Thread.java:745) > [rt.jar:1.7.0_75] > >> > > >> > Caused by: javax.xml.stream.XMLStreamException: > ParseError at > >> > [row,col]:[2,1] > >> > > >> > Message: Unexpected element > '{urn:jboss:domain:1.7}server' > >> > > >> > at > >> > > >> > org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:108) > >> > > [staxmapper-1.1.0.Final-redhat-2.jar:1.1.0.Final-redhat-2] > >> > > >> > at > >> > > >> > org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69) > >> > > [staxmapper-1.1.0.Final-redhat-2.jar:1.1.0.Final-redhat-2] > >> > > >> > at > >> > > >> > org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:133) > >> > > >> > [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT] > >> > > >> > ... 3 more > >> > > >> > > >> > 09:27:24,775 FATAL [org.jboss.as.server] (Controller > Boot > >> > Thread) JBAS015957: Server boot has failed in an > >> unrecoverable > >> > manner; exiting. See previous messages for details. 
> >> > > >> > 09:27:24,784 INFO [org.jboss.as > >> ] (MSC > >> > service thread 1-7) JBAS015950: JBoss EAP 6.2.3.GA > >> > >> > (AS 7.3.3.Final-redhat-SNAPSHOT) > >> stopped in 4ms > >> > > >> > > >> > I am running the server using below command. > >> > > >> > bash standalone.sh > --server-config=standalone-keycloak.xml > >> > > >> > > >> > I am using the MAC OS > >> > > >> > > >> > -- > >> > Thanks, > >> > Ismail Shaik - 908 922 9571 > >> > >> > > >> > _______________________________________________ > >> > keycloak-user mailing list > >> > keycloak-user at lists.jboss.org > >> > >> >> > > >> > https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > >> > > >> > > >> > > >> > > >> > -- > >> > Thanks, > >> > Ismail Shaik - 908 922 9571 > >> > > >> > > >> > _______________________________________________ > >> > keycloak-user mailing list > >> > keycloak-user at lists.jboss.org keycloak-user at lists.jboss.org> > >> > https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > >> > >> -- > >> Bill Burke > >> JBoss, a division of Red Hat > >> http://bill.burkecentral.com > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org keycloak-user at lists.jboss.org> > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Thanks, Ismail Shaik - 908 922 9571 -------------- next part -------------- An HTML attachment was scrubbed... 
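The folder-structure check suggested in the reply above can be made mechanical. The following is an added example, not code from the thread or from Keycloak: a POSIX shell pre-flight that reads the urn:jboss:domain schema version from the server's own standalone.xml and from the overlay's standalone-keycloak.xml and refuses the start when the overlay declares a newer schema than the server can parse, which is what the "Unexpected element '{urn:jboss:domain:1.7}server'" boot failure in this thread amounts to. The two sample files are constructed; the server's 1.5 value is an assumption standing in for an older EAP 6.x install, while 1.7 is the namespace quoted in the error.

```shell
#!/bin/sh
# Added example, not code from the thread or from Keycloak: a pre-flight check
# for the boot failure discussed above. EAP parses the file named by
# --server-config with the schema parsers it ships with; a <server> element in
# a urn:jboss:domain namespace it does not know is rejected as
# "Unexpected element", long before the Keycloak subsystem is reached.

# Print the urn:jboss:domain version declared on the <server> element of a
# standalone*.xml (for example "1.7"). Prints nothing if none is declared.
domain_schema_version() {
    sed -n 's/.*<server[^>]*xmlns="urn:jboss:domain:\([0-9][0-9]*\.[0-9][0-9]*\)".*/\1/p' "$1" | head -n 1
}

# Compare two "major.minor" schema versions; print -1, 0 or 1.
version_cmp() {
    a_major=${1%%.*}; a_minor=${1#*.}
    b_major=${2%%.*}; b_minor=${2#*.}
    if [ "$a_major" -ne "$b_major" ]; then
        if [ "$a_major" -lt "$b_major" ]; then printf '%s\n' -1; else printf '%s\n' 1; fi
    elif [ "$a_minor" -ne "$b_minor" ]; then
        if [ "$a_minor" -lt "$b_minor" ]; then printf '%s\n' -1; else printf '%s\n' 1; fi
    else
        printf '%s\n' 0
    fi
}

# Return 0 when the overlay config declares a schema the installed server can
# parse (the server's own standalone.xml declares the same or a newer version),
# 1 when the overlay is newer, 2 when either file carries no declaration.
check_config_compat() {
    server_xml=$1
    overlay_xml=$2
    server_ver=$(domain_schema_version "$server_xml")
    overlay_ver=$(domain_schema_version "$overlay_xml")
    if [ -z "$server_ver" ] || [ -z "$overlay_ver" ]; then
        echo "could not read a urn:jboss:domain version from both files" >&2
        return 2
    fi
    if [ "$(version_cmp "$overlay_ver" "$server_ver")" -gt 0 ]; then
        echo "incompatible: $overlay_xml declares urn:jboss:domain:$overlay_ver," \
             "but this server's standalone.xml declares urn:jboss:domain:$server_ver" >&2
        return 1
    fi
    echo "ok: urn:jboss:domain:$overlay_ver is parseable by a urn:jboss:domain:$server_ver server"
}

# Constructed stand-ins for $JBOSS_HOME/standalone/configuration/standalone.xml
# (the server's own file) and standalone-keycloak.xml (from the overlay). The
# server's 1.5 is an assumed value for an older EAP 6.x install; the overlay's
# 1.7 is the namespace quoted in the thread's error message.
make_samples() {
    dir=$(mktemp -d)
    printf '<?xml version="1.0" ?>\n<server xmlns="urn:jboss:domain:1.5">\n</server>\n' > "$dir/standalone.xml"
    printf '<?xml version="1.0" ?>\n<server xmlns="urn:jboss:domain:1.7">\n</server>\n' > "$dir/standalone-keycloak.xml"
    echo "$dir"
}

# Stand-alone run: reproduce the thread's mismatch on the constructed files.
# Against a real install, point check_config_compat at the two files under
# $JBOSS_HOME/standalone/configuration before running standalone.sh.
samples=$(make_samples)
check_config_compat "$samples/standalone.xml" "$samples/standalone-keycloak.xml" \
    || echo "exit status $?: do not start with --server-config=standalone-keycloak.xml"
rm -rf "$samples"
```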
From ismail117 at gmail.com Tue Nov 17 14:55:44 2015
From: ismail117 at gmail.com (Ismail Shaik)
Date: Tue, 17 Nov 2015 13:55:44 -0600
Subject: [keycloak-user] keycloak-overlay-eap6-1.6.1.Final has jobs start up issue
In-Reply-To: <564B8367.7050103@redhat.com>
References: <564B7EDF.5040909@redhat.com> <564B8367.7050103@redhat.com>

Hi Bill,

This is the issue I am getting when I start the server using "bash standalone.sh --server-config=standalone-keycloak.xml":

Ismails-MacBook-Pro:bin ismailshaik$ bash standalone.sh --server-config=standalone-keycloak.xml
=========================================================================

  JBoss Bootstrap Environment

  JBOSS_HOME: /Users/ismailshaik/Jboss/jboss-eap-6.2

  JAVA: /Library/Java/JavaVirtualMachines/jdk1.7.0_75.jdk/Contents/Home/bin/java

  JAVA_OPTS: -server -XX:+UseCompressedOops -Xms1303m -Xmx1303m -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true

=========================================================================

13:53:49,193 INFO  [org.jboss.modules] (main) JBoss Modules version 1.3.3.Final-redhat-1
13:53:50,205 INFO  [org.jboss.msc] (main) JBoss MSC version 1.0.4.GA-redhat-1
13:53:50,303 INFO  [org.jboss.as] (MSC service thread 1-6) JBAS015899: JBoss EAP 6.2.3.GA (AS 7.3.3.Final-redhat-SNAPSHOT) starting
13:53:50,814 ERROR [org.jboss.as.server] (Controller Boot Thread) JBAS015956: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: JBAS014676: Failed to parse configuration
    at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:141) [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT]
    at org.jboss.as.server.ServerService.boot(ServerService.java:324) [jboss-as-server-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT]
    at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:253) [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75]
Caused by: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[2,1]
Message: Unexpected element '{urn:jboss:domain:1.7}server'
    at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:108) [staxmapper-1.1.0.Final-redhat-2.jar:1.1.0.Final-redhat-2]
    at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69) [staxmapper-1.1.0.Final-redhat-2.jar:1.1.0.Final-redhat-2]
    at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:133) [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT]
    ... 3 more

13:53:50,816 FATAL [org.jboss.as.server] (Controller Boot Thread) JBAS015957: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
13:53:50,825 INFO  [org.jboss.as] (MSC service thread 1-15) JBAS015950: JBoss EAP 6.2.3.GA (AS 7.3.3.Final-redhat-SNAPSHOT) stopped in 4ms
Ismails-MacBook-Pro:bin ismailshaik$

On Tue, Nov 17, 2015 at 1:43 PM, Bill Burke wrote:
> You don't need to migrate your 7 applications. The client adapter should
> still work on EAP 6.2. If it doesn't, that's something we would fix. It's
> the server that we won't support on anything earlier.
>
> On 11/17/2015 2:29 PM, Ismail Shaik wrote:
>> Bill,
>>
>> Yes, if I change the server I need to migrate all my 7 applications to
>> the new JBoss EAP, which is why I would like to have the version compatible
>> with JBoss EAP 6.2.x.
>> Thank you for the quick reply.
>>
>> On Nov 17, 2015 1:24 PM, "Bill Burke" wrote:
>>
>> Is there a reason we don't work on 6.2.3?
>>
>> On 11/17/2015 2:07 PM, Ismail Shaik wrote:
>> > Marko,
>> >
>> > Can you please let me know which version of Keycloak is good for JBoss
>> > EAP 6.2.3? I have to use JBoss EAP 6.2.3. Thanks in advance.
>> >
>> > On Tue, Nov 17, 2015 at 10:24 AM, Marko Strukelj wrote:
>> >
>> >     You should use EAP 6.4.x. We only support that.
>> >
>> >     On Tue, Nov 17, 2015 at 5:12 PM, Ismail Shaik wrote:
>> >
>> >         Hi,
>> >         This is Ismail. I am trying to set up SSO using Keycloak. I
>> >         extracted keycloak-overlay-eap6-1.6.1.Final to my JBoss home,
>> >         which has version 6.2.3 EAP, and when I try to start the
>> >         server I am getting the below exception
>> >
>> >         se configuration
>> >             [...]
>> >         Caused by: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[2,1]
>> >         Message: Unexpected element '{urn:jboss:domain:1.7}server'
>> >             [...]
>> >         09:27:24,775 FATAL [org.jboss.as.server] (Controller Boot Thread) JBAS015957: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
>> >         09:27:24,784 INFO  [org.jboss.as] (MSC service thread 1-7) JBAS015950: JBoss EAP 6.2.3.GA (AS 7.3.3.Final-redhat-SNAPSHOT) stopped in 4ms
>> >
>> >         I am running the server using the below command.
>> >
>> >         bash standalone.sh --server-config=standalone-keycloak.xml
>> >
>> >         I am using Mac OS.
>> >
>> >         --
>> >         Thanks,
>> >         Ismail Shaik - 908 922 9571
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

--
Thanks,
Ismail Shaik - 908 922 9571
From ismail117 at gmail.com Tue Nov 17 15:25:17 2015
From: ismail117 at gmail.com (Ismail Shaik)
Date: Tue, 17 Nov 2015 14:25:17 -0600
Subject: [keycloak-user] keycloak-overlay-eap6-1.6.1.Final has jobs start up issue
References: <564B7EDF.5040909@redhat.com> <564B8367.7050103@redhat.com>

Hi Bill,

The below element in standalone-keycloak.xml is causing the issue. If you have any idea please share it with me; I am just paused at this point. Appreciate your help.

Thanks,
Ismail Shaik.

On Tue, Nov 17, 2015 at 1:55 PM, Ismail Shaik wrote:
> Hi Bill,
>
> This is the issue I am getting when I start the server using "bash
> standalone.sh --server-config=standalone-keycloak.xml"
>
> [...]
From atx at binaryninja.de Tue Nov 17 15:28:20 2015
From: atx at binaryninja.de (Ataraxus)
Date: Tue, 17 Nov 2015 21:28:20 +0100
Subject: [keycloak-user] keycloak-overlay-eap6-1.6.1.Final has jobs start up issue
References: <564B7EDF.5040909@redhat.com> <564B8367.7050103@redhat.com>
Message-ID: <564B8DE4.8010603@binaryninja.de>

Hi Ismail,

I'm able to install Keycloak via the documentation. The documentation tells one how to install Keycloak via the server overlay. The error you get and posted here states (please correct me if I'm wrong) that JBoss is not able to parse the configuration, since it's not compatible with the old versions.

So I was asking if there is a "manual" for installing Keycloak "manually", without relying on the server overlay aka configuration, by dropping jars or wars in some JBoss folders ;)

On 17.11.15 at 20:55, Ismail Shaik wrote:
> Hi Bill,
>
> This is the issue I am getting when I start the server using "bash
> standalone.sh --server-config=standalone-keycloak.xml"
>
> [...]

From ismail117 at gmail.com Tue Nov 17 15:38:55 2015
From: ismail117 at gmail.com (Ismail Shaik)
Date: Tue, 17 Nov 2015 14:38:55 -0600
Subject: [keycloak-user] keycloak-overlay-eap6-1.6.1.Final has jobs start up issue
In-Reply-To: <564B8DE4.8010603@binaryninja.de>
References: <564B7EDF.5040909@redhat.com> <564B8367.7050103@redhat.com> <564B8DE4.8010603@binaryninja.de>

Hi Ataraxus,

There is no manual process unless we compare and put them in manually, like the standalone folder and bin folder. It's available with older versions.
If you go to the Beta version, once you extract keycloak-war-dist-all-1.1.0.Beta2.zip you will see a deployment folder; then just place that extracted deployment folder into your existing JBoss standalone/deployment folder.

On Tue, Nov 17, 2015 at 2:28 PM, Ataraxus wrote:
> Hi Ismail,
>
> I'm able to install Keycloak via the documentation. The documentation
> tells one how to install Keycloak via the server overlay. The error you get
> and posted here states (please correct me if I'm wrong) that JBoss is not
> able to parse the configuration, since it's not compatible with the old
> versions.
>
> So I was asking if there is a "manual" for installing Keycloak "manually",
> without relying on the server overlay aka configuration, by dropping jars or
> wars in some JBoss folders ;)
>
> [...]

--
Thanks,
Ismail Shaik - 908 922 9571
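The diagnosis in this thread (Ataraxus's reading of the trace, Marko's answer that only EAP 6.4.x is supported) can be turned into a pre-flight check: read the urn:jboss:domain:X.Y namespace on the <server> root of the overlay's standalone-keycloak.xml and see whether the target JBOSS_HOME ships an XSD for that schema version, which is exactly what "Unexpected element '{urn:jboss:domain:1.7}server'" means it does not. The script below is an added example written for this page, not code from the Keycloak project or from anyone in the thread; it assumes the EAP 6.x layout JBOSS_HOME/docs/schema/jboss-as-config_<major>_<minor>.xsd for the shipped schemas, and the fixture it builds at the end is constructed, not a real install.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight check that a Keycloak
# overlay's standalone*.xml uses a urn:jboss:domain schema version the
# target JBOSS_HOME can parse. Assumption: EAP 6.x ships its config schemas
# as JBOSS_HOME/docs/schema/jboss-as-config_<major>_<minor>.xsd.

# Print the X.Y from xmlns="urn:jboss:domain:X.Y" on the first element
# that declares it (the <server> root in a standalone config).
config_schema_version() {
    sed -n 's/.*xmlns="urn:jboss:domain:\([0-9][0-9]*\.[0-9][0-9]*\)".*/\1/p' "$1" | head -n 1
}

# Map a schema version X.Y to the XSD file name EAP ships for it.
schema_xsd_name() {
    printf 'jboss-as-config_%s.xsd\n' "$(printf '%s' "$1" | tr . _)"
}

# Exit 0 if JBOSS_HOME ships the XSD for schema version X.Y, 1 otherwise.
server_supports_schema() {
    [ -f "$1/docs/schema/$(schema_xsd_name "$2")" ]
}

# Exit 0 when the server can parse the config's root namespace,
# 1 when the namespace is present but the server has no XSD for it,
# 2 when no urn:jboss:domain namespace was found at all.
check_config_against_server() {
    jboss_home=$1
    config=$2
    version=$(config_schema_version "$config")
    if [ -z "$version" ]; then
        echo "no urn:jboss:domain namespace found in $config" >&2
        return 2
    fi
    if server_supports_schema "$jboss_home" "$version"; then
        echo "ok: $config uses urn:jboss:domain:$version, which $jboss_home ships"
        return 0
    fi
    echo "mismatch: $config uses urn:jboss:domain:$version but $jboss_home has no $(schema_xsd_name "$version")" >&2
    return 1
}

# Constructed demo fixture (not a real install): an EAP 6.2-style home that
# ships only schema 1.5, checked against an overlay config written for 1.7.
demo_home=$(mktemp -d)
mkdir -p "$demo_home/docs/schema"
: > "$demo_home/docs/schema/jboss-as-config_1_5.xsd"
printf '<?xml version="1.0" ?>\n<server xmlns="urn:jboss:domain:1.7">\n</server>\n' \
    > "$demo_home/standalone-keycloak.xml"
check_config_against_server "$demo_home" "$demo_home/standalone-keycloak.xml" || echo "exit status $?"
rm -rf "$demo_home"
```

On a real install, call check_config_against_server "$JBOSS_HOME" "$JBOSS_HOME/standalone/configuration/standalone-keycloak.xml" before the first boot. A mismatch means the overlay was built for a newer EAP; the thread's answer is to run the server version the overlay targets (EAP 6.4.x, per Marko's reply) rather than hand-editing the namespace, since the overlay's subsystem configuration was written for that newer server.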
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151117/8ed65336/attachment-0001.html

From alex_orl1079 at yahoo.it Tue Nov 17 19:39:11 2015
From: alex_orl1079 at yahoo.it (alex orl)
Date: Wed, 18 Nov 2015 00:39:11 +0000 (UTC)
Subject: [keycloak-user] Keycloak 1.6.1 possible bug. Deleting User
References: <1721610277.10340261.1447807151229.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <1721610277.10340261.1447807151229.JavaMail.yahoo@mail.yahoo.com>

Hi to all. Working on my custom user federation provider I'm facing a possible bug. I used the latest Keycloak version, 1.6.1.Final. In my legacy user database I have 3 users:

user1
user2
user3

I try to log into my secured application with all three users' credentials and all goes fine. This way all three users are present inside the Keycloak properties file, so if I open the Keycloak admin console and list all users by clicking on the "View all users" button inside the Users section, Keycloak lists to me:

user1
user2
user3

Now I delete user3 from my legacy database, then I come back to the Keycloak admin console in order to list users again. After clicking the "View all users" button... nothing is listed and the page gets stuck in loading mode.

Debugging my code, after the "View all users" click my user federation provider executes the isValid() method for all 3 users. The isValid method returns:

true for user1
true for user2
false for the deleted user3

The last false value is returned to the UserModel validateAndProxy(RealmModel realm, UserModel local) method, which will return a NULL UserModel object. The validateAndProxy method passes the ball to org.keycloak.models.UserFederationManager with its method:

    protected UserModel validateAndProxyUser(RealmModel realm, UserModel user) {
        UserModel managed = managedUsers.get(user.getId());
        if (managed != null) {
            return managed;
        }
        UserFederationProvider link = getFederationLink(realm, user);
        if (link != null) {
            UserModel validatedProxyUser = link.validateAndProxy(realm, user);
            if (validatedProxyUser != null) {
                managedUsers.put(user.getId(), validatedProxyUser);
                return validatedProxyUser;
            } else {
                deleteInvalidUser(realm, user);
                return null;
            }
        }

The UserModel NULL value triggers the deleteInvalidUser(...) method (row 135 of the org.keycloak.models.UserFederationManager class). At this point nothing happens and the Keycloak console stays in loading state.

Am I wrong with anything, or is it a bug?
thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151118/0387df9b/attachment-0001.html

From Ken.Kong at invenco.com Tue Nov 17 19:33:09 2015
From: Ken.Kong at invenco.com (Ken Kong)
Date: Wed, 18 Nov 2015 13:33:09 +1300
Subject: [keycloak-user] direct grant access with Resource Owner Password Credentials
Message-ID:

I have set up the realms, the client and the users.
When I posted the request to /auth/realms/{clientid}/protocol/openid-connect/token with client Id, username, password and grant_type by SoapUI, I received error

{
  "error_description": "Account is not fully set up",
  "error": "invalid_grant"
}

The keycloak server is running on EAP-6.4.0

Below is the server stack trace

12:54:47,234 WARN [org.keycloak.events] (http-/127.0.0.1:8180-6) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=127.0.0.1, error=resolve_required_actions, auth_method=openid-connect, response_type=token, client_auth_method=client-secret, username=kenk
12:54:47,235 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (http-/127.0.0.1:8180-6) RESTEASY000105: Failed to execute: org.keycloak.services.ErrorResponseException
    at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildResourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:363) [keycloak-services-1.6.1.Final.jar:1.6.1.Final]
    at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:110) [keycloak-services-1.6.1.Final.jar:1.6.1.Final]
    at sun.reflect.GeneratedMethodAccessor221.invoke(Unknown Source) [:1.8.0_45]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_45]
    at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45]
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:168) [resteasy-jaxrs-2.3.10.Final-redhat-1.jar:]
    at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269) [resteasy-jaxrs-2.3.10.Final-redhat-1.jar:]
    at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227) [resteasy-jaxrs-2.3.10.Final-redhat-1.jar:]
    at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:158) [resteasy-jaxrs-2.3.10.Final-redhat-1.jar:]
    at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:106) [resteasy-jaxrs-2.3.10.Final-redhat-1.jar:]
    at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:153) [resteasy-jaxrs-2.3.10.Final-redhat-1.jar:]
    at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:91) [resteasy-jaxrs-2.3.10.Final-redhat-1.jar:]
    at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:541) [resteasy-jaxrs-2.3.10.Final-redhat-1.jar:]
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:523) [resteasy-jaxrs-2.3.10.Final-redhat-1.jar:]
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:125) [resteasy-jaxrs-2.3.10.Final-redhat-1.jar:]
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208) [resteasy-jaxrs-2.3.10.Final-redhat-1.jar:]
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55) [resteasy-jaxrs-2.3.10.Final-redhat-1.jar:]
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50) [resteasy-jaxrs-2.3.10.Final-redhat-1.jar:]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-2.jar:1.0.2.Final-redhat-2]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61) [keycloak-services-1.6.1.Final.jar:1.6.1.Final]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
    at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:854) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45]

Regards,

KK
-------------- next part --------------
An HTML attachment was scrubbed...
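The exchange in the message above, written out as an added example; this is not code from the thread or from the Keycloak project. It builds the Resource Owner Password Credentials (direct access grant) request, classifies the token endpoint's answer, and parses the org.keycloak.events WARN line into fields so that error=resolve_required_actions can be picked out of a server log. Two facts about Keycloak are relied on: the path segment after /realms/ is the realm name, and "Account is not fully set up" with error=invalid_grant is what the token endpoint returns when the user still has a pending required action (update password, verify email, configure OTP) that the browser login flow would walk them through and a direct grant cannot. The response body and the WARN line embedded as samples are copied from the message above; the base URL, the realm "master" (chosen because the logged event says realmId=master), the client id, the credentials and the names of the classification buckets are assumptions for the example. Note what the refusal protects: a direct grant hands the raw password to the client and skips the required-action step, so the fix is to complete the action in a browser login or clear it for that user in the admin console, not to remove required actions from the realm.

```python
"""Resource Owner Password Credentials grant against Keycloak and what the
'Account is not fully set up' refusal looks like on the client and in the
server log.  Added example; not code from the thread or from Keycloak."""
import json
from urllib.parse import urlencode

# error_description Keycloak sends with error=invalid_grant when the user has a
# pending required action; the OAuth error code alone does not distinguish it
# from a wrong password.
REQUIRED_ACTION_PENDING = "Account is not fully set up"


def build_ropc_request(base_url, realm, client_id, username, password, client_secret=None):
    """Return (url, headers, body) for a password grant.  The segment after
    /realms/ is the realm name; the client is named by client_id in the body."""
    url = "%s/realms/%s/protocol/openid-connect/token" % (base_url.rstrip("/"), realm)
    form = {
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
    }
    if client_secret is not None:       # confidential client: secret goes in the body
        form["client_secret"] = client_secret
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, urlencode(form)


def classify_token_response(status, body_text):
    """Map a token-endpoint response to one of the example's buckets:
    ok, required_action_pending, bad_credentials, client_error, other."""
    body = json.loads(body_text)
    if status == 200 and "access_token" in body:
        return "ok"
    error = body.get("error")
    if error == "invalid_grant":
        if body.get("error_description") == REQUIRED_ACTION_PENDING:
            return "required_action_pending"   # valid password, account state blocks it
        return "bad_credentials"
    if error in ("invalid_client", "unauthorized_client"):
        return "client_error"                  # client auth or grant type not allowed
    return "other"


def parse_keycloak_event(line):
    """Parse the key=value fields of an org.keycloak.events log line into a dict."""
    marker = "[org.keycloak.events]"
    idx = line.find(marker)
    if idx < 0:
        return {}
    fields = line[idx + len(marker):].split(") ", 1)[-1]   # drop the "(thread)" part
    event = {}
    for part in fields.split(", "):
        key, sep, value = part.partition("=")
        if sep:
            event[key.strip()] = value.strip()
    return event


def logins_blocked_by_required_actions(lines):
    """(realm, client, username) for every direct grant Keycloak refused because
    of a pending required action.  Cheap detection for a service account or
    script that keeps retrying with a password that is in fact correct."""
    hits = []
    for line in lines:
        ev = parse_keycloak_event(line)
        if ev.get("type") == "LOGIN_ERROR" and ev.get("error") == "resolve_required_actions":
            hits.append((ev.get("realmId"), ev.get("clientId"), ev.get("username")))
    return hits


# Copied from the message above (not constructed).
SAMPLE_ERROR_BODY = '{"error_description": "Account is not fully set up", "error": "invalid_grant"}'
SAMPLE_EVENT_LINE = (
    "12:54:47,234 WARN [org.keycloak.events] (http-/127.0.0.1:8180-6) "
    "type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, "
    "ipAddress=127.0.0.1, error=resolve_required_actions, auth_method=openid-connect, "
    "response_type=token, client_auth_method=client-secret, username=kenk"
)

if __name__ == "__main__":
    # Assumed base URL, client and credentials; nothing is sent anywhere here.
    url, headers, body = build_ropc_request("http://localhost:8180/auth", "master",
                                            "my-client", "kenk", "s3cret")
    print("POST", url, headers, body)
    print(classify_token_response(400, SAMPLE_ERROR_BODY))
    print(logins_blocked_by_required_actions([SAMPLE_EVENT_LINE]))
```

To actually send the request, pass url, headers and body to any HTTP client; whatever the client does with "required_action_pending", it should stop retrying and route the user to a browser login, since repeating the grant only fills the log with further LOGIN_ERROR events.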
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151118/649b42a4/attachment.html

From bburke at redhat.com Tue Nov 17 20:54:08 2015
From: bburke at redhat.com (Bill Burke)
Date: Tue, 17 Nov 2015 20:54:08 -0500
Subject: [keycloak-user] direct grant access with Resource Owner Password Credentials
In-Reply-To:
References:
Message-ID: <564BDA40.6030904@redhat.com>

error=resolve_required_actions

You can't invoke direct grant if there are unresolved required actions (reset password, verify email, etc.)

On 11/17/2015 7:33 PM, Ken Kong wrote:
> I have set up the realms, the client and the users.
>
> When I posted the request to
> /auth/realms/{clientid}/protocol/openid-connect/token with client Id,
> username, password and grant_type by SoapUI, I received error
>
> {
>   "error_description": "Account is not fully set up",
>   "error": "invalid_grant"
> }
>
> The keycloak server is running on EAP-6.4.0
>
> Below is the server stack trace
>
> 12:54:47,234 WARN [org.keycloak.events] (http-/127.0.0.1:8180-6)
> type=LOGIN_ERROR, realmId=master, clientId=security-admin-console,
> userId=null, ipAddress=127.0.0.1, error=resolve_required_actions,
> auth_method=openid-connect, response_type=token,
> client_auth_method=client-secret, username=kenk
>
> 12:54:47,235 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n]
> (http-/127.0.0.1:8180-6) RESTEASY000105: Failed to execute:
> org.keycloak.services.ErrorResponseException
> [...]
>
> Regards,
>
> KK
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From Ken.Kong at invenco.com Tue Nov 17 21:38:16 2015
From: Ken.Kong at invenco.com (Ken Kong)
Date: Wed, 18 Nov 2015 15:38:16 +1300
Subject: [keycloak-user] direct grant access with Resource Owner Password Credentials
In-Reply-To: <564BDA40.6030904@redhat.com>
References: <564BDA40.6030904@redhat.com>
Message-ID:

Thanks! The required "update password" was the reason causing the "account is not fully set up" error. Problem solved after the password was changed.

Regards,
kk

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke
Sent: Wednesday, 18 November 2015 2:54 p.m.
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] direct grant access with Resource Owner Password Credentials

error=resolve_required_actions

You can't invoke direct grant if there are unresolved required actions (reset password, verify email, etc.)

On 11/17/2015 7:33 PM, Ken Kong wrote:
> I have set up the realms, the client and the users.
>
> When I posted the request to
> /auth/realms/{clientid}/protocol/openid-connect/token with client Id,
> username, password and grant_type by SoapUI, I received error
>
> {
>   "error_description": "Account is not fully set up",
>   "error": "invalid_grant"
> }
>
> The keycloak server is running on EAP-6.4.0
>
> Below is the server stack trace
>
> 12:54:47,234 WARN [org.keycloak.events] (http-/127.0.0.1:8180-6)
> type=LOGIN_ERROR, realmId=master, clientId=security-admin-console,
> userId=null, ipAddress=127.0.0.1, error=resolve_required_actions,
> auth_method=openid-connect, response_type=token,
> client_auth_method=client-secret, username=kenk
>
> 12:54:47,235 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n]
> (http-/127.0.0.1:8180-6) RESTEASY000105: Failed to execute:
> org.keycloak.services.ErrorResponseException
> [...]
>
> Regards,
>
> KK
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From kalc04 at gmail.com Wed Nov 18 01:10:37 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Wed, 18 Nov 2015 11:40:37 +0530
Subject: [keycloak-user] Admin Rest API Documentation Issue (1.6.1.Final)
Message-ID:

Hi,

Client-level role-mapping endpoints are currently misleading because they give the feeling that the client-id could be passed instead of the id-of-client. But that's not the case. Hence please update the endpoints which have the signature:

...role-mappings/clients/{client}... --> ...role-mappings/clients/{id-of-client}...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151118/4fe752b6/attachment.html

From sthorger at redhat.com Wed Nov 18 02:37:30 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 18 Nov 2015 08:37:30 +0100
Subject: [keycloak-user] keycloak-overlay-eap6-1.6.1.Final has jobs start up issue
In-Reply-To:
References: <564B7EDF.5040909@redhat.com> <564B8367.7050103@redhat.com> <564B8DE4.8010603@binaryninja.de>
Message-ID:

Keycloak server only runs as standalone or deployed to WildFly 9 or EAP 6.4. The adapter bits, which are what you need for your applications, work on a large range of containers.

Use the standalone Keycloak server download and run it separately from your applications. Then get the eap6 adapter and deploy to EAP 6.2.

On 17 November 2015 at 21:38, Ismail Shaik wrote:

> Hi Ataraxic,
>
> there is no manual process unless we compare and put them manually like
> standalone folder and bin folder. It's available with older versions.
> If you go to the Beta version, once you extract the
> *keycloak-war-dist-all-1.1.0.Beta2.zip*
> you will see a deployment folder; then just place that extracted deployment
> folder into your existing jboss standalone/deployment folder.
>
>
> On Tue, Nov 17, 2015 at 2:28 PM, Ataraxus wrote:
>
>> Hi Ismail,
>>
>> I'm able to install keycloak via the documentation. The documentation
>> tells one how to install keycloak via the server overlay. The error you get
>> and posted here states (please correct me if I'm wrong) that jboss is not
>> able to parse the configuration, since it's not compatible with the old
>> versions.
>>
>> So I was asking if there is a "manual" of installing keycloak "manually"
>> without relying on the server overlay aka configuration. By dropping jars or
>> wars in some jboss folders ;)
>>
>> On 17.11.15 at 20:55, Ismail Shaik wrote:
>>
>> Hi Bill,
>>
>> This is the Issue I am getting when I start the Server using the *" bash
>> standalone.sh --server-config=standalone-keycloak.xml"*
>>
>> Ismails-MacBook-Pro:bin ismailshaik$ bash standalone.sh --server-config=standalone-keycloak.xml
>>
>> =========================================================================
>>
>> JBoss Bootstrap Environment
>>
>> JBOSS_HOME: /Users/ismailshaik/Jboss/jboss-eap-6.2
>>
>> JAVA: /Library/Java/JavaVirtualMachines/jdk1.7.0_75.jdk/Contents/Home/bin/java
>>
>> JAVA_OPTS: -server -XX:+UseCompressedOops -Xms1303m -Xmx1303m -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
>>
>> =========================================================================
>>
>> 13:53:49,193 INFO [org.jboss.modules] (main) JBoss Modules version 1.3.3.Final-redhat-1
>> 13:53:50,205 INFO [org.jboss.msc] (main) JBoss MSC version 1.0.4.GA-redhat-1
>> 13:53:50,303 INFO [org.jboss.as] (MSC service thread 1-6) JBAS015899: JBoss EAP 6.2.3.GA (AS 7.3.3.Final-redhat-SNAPSHOT) starting
>> 13:53:50,814 ERROR [org.jboss.as.server] (Controller Boot Thread) JBAS015956: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: JBAS014676: Failed to parse configuration
>>     at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:141) [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT]
>>     at org.jboss.as.server.ServerService.boot(ServerService.java:324) [jboss-as-server-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT]
>>     at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:253) [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT]
>>     at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75]
>> Caused by: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[2,1]
>> Message: Unexpected element '{urn:jboss:domain:1.7}server'
>>     at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:108) [staxmapper-1.1.0.Final-redhat-2.jar:1.1.0.Final-redhat-2]
>>     at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69) [staxmapper-1.1.0.Final-redhat-2.jar:1.1.0.Final-redhat-2]
>>     at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:133) [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT]
>>     ... 3 more
>>
>> 13:53:50,816 FATAL [org.jboss.as.server] (Controller Boot Thread) JBAS015957: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
>> 13:53:50,825 INFO [org.jboss.as] (MSC service thread 1-15) JBAS015950: JBoss EAP 6.2.3.GA (AS 7.3.3.Final-redhat-SNAPSHOT) stopped in 4ms
>>
>> Ismails-MacBook-Pro:bin ismailshaik$
>>
>>
>> On Tue, Nov 17, 2015 at 1:43 PM, Bill Burke wrote:
>>
>>> You don't need to migrate your 7 applications. The client adapter
>>> should still work on EAP 6.2. If it doesn't, that's something we would fix.
>>> It's the server that we won't support on anything earlier.
>>>
>>> On 11/17/2015 2:29 PM, Ismail Shaik wrote:
>>>
>>>> Bill,
>>>>
>>>> Yes, if I change the server I need to migrate all my 7 applications to
>>>> the new jboss EAP. Which is why I would like to have the version compatible
>>>> with jboss eap 6.2.x.
>>>> Thank you for the quick reply.
>>>>
>>>> On Nov 17, 2015 1:24 PM, "Bill Burke" <bburke at redhat.com> wrote:
>>>>
>>>>     Is there a reason we don't work on 6.2.3?
>>>>
>>>>     On 11/17/2015 2:07 PM, Ismail Shaik wrote:
>>>>     > Marko,
>>>>     >
>>>>     > Can you please let me know which version of key cloak is good for Jboss
>>>>     > EAP 6.2.3.? I have to use the Jboss EAP 6.2.3. Thanks in advance.
>>>>     >
>>>>     > On Tue, Nov 17, 2015 at 10:24 AM, Marko Strukelj wrote:
>>>>     >
>>>>     >     You should use EAP 6.4.x. We only support that.
>>>>     >
>>>>     >     On Tue, Nov 17, 2015 at 5:12 PM, Ismail Shaik wrote:
>>>>     >
>>>>     >         Hi,
>>>>     >         This is Ismail, I am trying to set up SSO using the key cloak,
>>>>     >         I extracted the *keycloak-overlay-eap6-1.6.1.Final* to my
>>>>     >         Jboss Home which has the version 6.2.3. EAP and when I try to
>>>>     >         start the server I am getting the below exception
>>>>     >
>>>>     >         [...]
>>>>     >
>>>>     >         I am running the server using the below command.
>>>>     >
>>>>     >         bash standalone.sh --server-config=standalone-keycloak.xml
>>>>     >
>>>>     >         I am using the MAC OS
>>>>     >
>>>>     >         --
>>>>     >         Thanks,
>>>>     >         Ismail Shaik - 908 922 9571
>>>>     >
>>>>     >         _______________________________________________
>>>>     >         keycloak-user mailing list
>>>>     >         keycloak-user at lists.jboss.org
>>>>     >         https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>     >
>>>>     > --
>>>>     > Thanks,
>>>>     > Ismail Shaik - 908 922 9571
>>>>     >
>>>>     > _______________________________________________
>>>>     > keycloak-user mailing list
>>>>     > keycloak-user at lists.jboss.org
>>>>     > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>>     --
>>>>     Bill Burke
>>>>     JBoss, a division of Red Hat
>>>>     http://bill.burkecentral.com
>>>>     _______________________________________________
>>>>     keycloak-user mailing list
>>>>     keycloak-user at lists.jboss.org
>>>>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>
>> --
>> Thanks,
>> Ismail Shaik - 908 922 9571
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Thanks,
> Ismail Shaik - 908 922 9571
>
> _______________________________________________
From mstrukel at redhat.com Wed Nov 18 04:49:04 2015
From: mstrukel at redhat.com (Marko Strukelj)
Date: Wed, 18 Nov 2015 10:49:04 +0100
Subject: [keycloak-user] keycloak-overlay-eap6-1.6.1.Final has jobs start up issue
In-Reply-To: <564B8367.7050103@redhat.com>
References: <564B7EDF.5040909@redhat.com> <564B8367.7050103@redhat.com>
Message-ID:

The attempt here looks to be to install the server on EAP 6.2.

The technical reasons for the server are that the overlay contains modules, and a standalone-keycloak.xml, which are targeted at a specific version of EAP. The exact issue in the above error is that the packaged standalone-keycloak.xml uses a configuration version that EAP 6.2 doesn't yet understand. There are probably other reasons why it wouldn't work even after fixing that manually - like old, incompatible versions of the dependencies provided by EAP that we rely upon.

The adapter was tested on EAP 6.2, and it should work, yes.

On Tue, Nov 17, 2015 at 8:43 PM, Bill Burke wrote:
> You don't need to migrate your 7 applications. The client adapter
> should still work on EAP 6.2. If it doesn't, that's something we would
> fix. It's the server that we won't support on anything earlier.
>
> On 11/17/2015 2:29 PM, Ismail Shaik wrote:
>> Bill,
>>
>> Yes, if I change the server I need to migrate all my 7 applications to
>> the new JBoss EAP, which is why I would like to have the version compatible
>> with JBoss EAP 6.2.x.
>> Thank you for the quick reply.
>>
>> On Nov 17, 2015 1:24 PM, "Bill Burke" wrote:
>>> Is there a reason we don't work on 6.2.3?
>>>
>>> On 11/17/2015 2:07 PM, Ismail Shaik wrote:
>>>> Marko,
>>>>
>>>> Can you please let me know which version of Keycloak is good for
>>>> JBoss EAP 6.2.3? I have to use JBoss EAP 6.2.3. Thanks in advance.
>>>>
>>>> On Tue, Nov 17, 2015 at 10:24 AM, Marko Strukelj wrote:
>>>>> You should use EAP 6.4.x. We only support that.
>>>>>
>>>>> On Tue, Nov 17, 2015 at 5:12 PM, Ismail Shaik wrote:
>>>>>> Hi,
>>>>>> This is Ismail. I am trying to set up SSO using Keycloak.
>>>>>> I extracted keycloak-overlay-eap6-1.6.1.Final to my JBoss Home,
>>>>>> which has version 6.2.3 EAP, and when I try to start the server
>>>>>> I am getting the below exception:
>>>>>>
>>>>>> se configuration
>>>>>>   at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:141) [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT]
>>>>>>   at org.jboss.as.server.ServerService.boot(ServerService.java:324) [jboss-as-server-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT]
>>>>>>   at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:253) [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT]
>>>>>>   at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75]
>>>>>> Caused by: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[2,1]
>>>>>> Message: Unexpected element '{urn:jboss:domain:1.7}server'
>>>>>>   at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:108) [staxmapper-1.1.0.Final-redhat-2.jar:1.1.0.Final-redhat-2]
>>>>>>   at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69) [staxmapper-1.1.0.Final-redhat-2.jar:1.1.0.Final-redhat-2]
>>>>>>   at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:133) [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT]
>>>>>>   ... 3 more
>>>>>>
>>>>>> 09:27:24,775 FATAL [org.jboss.as.server] (Controller Boot Thread) JBAS015957: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
>>>>>> 09:27:24,784 INFO [org.jboss.as] (MSC service thread 1-7) JBAS015950: JBoss EAP 6.2.3.GA (AS 7.3.3.Final-redhat-SNAPSHOT) stopped in 4ms
>>>>>>
>>>>>> I am running the server using the below command.
>>>>>>
>>>>>> bash standalone.sh --server-config=standalone-keycloak.xml
>>>>>>
>>>>>> I am using Mac OS.
>>>>>>
>>>>>> --
>>>>>> Thanks,
>>>>>> Ismail Shaik - 908 922 9571
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
From mposolda at redhat.com Wed Nov 18 05:15:46 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 18 Nov 2015 11:15:46 +0100
Subject: [keycloak-user] How to validate required for custom fields
In-Reply-To:
References:
Message-ID: <564C4FD2.2020203@redhat.com>

You can create a custom validator for the registration form via the Authentication Flows SPI: http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html#d4e3448 . Adding those custom validations works just for the registration form, but not for the account management or update-profile pages. In the future, we plan to improve this so that you can attach custom validation in all 3 places and you won't need to code your own validator to support such a common thing as marking a custom field as mandatory.

Marek

On 13/11/15 00:04, Jairo Alonso Henao Rojas wrote:
> Hello,
>
> I added several custom fields in the registration form; how can I make
> them required?
>
> See attached fields in register form.
>
> Thanks
>
> Jairo Henao Rojas

From atx at binaryninja.de Wed Nov 18 06:48:40 2015
From: atx at binaryninja.de (Ataraxus)
Date: Wed, 18 Nov 2015 12:48:40 +0100
Subject: [keycloak-user] Cannot configure an authenticator for method KEYCLOAK
Message-ID: <564C6598.8050804@binaryninja.de>

Hello,

Having trouble getting my own or the example app "customer-portal" working with Keycloak... I installed Keycloak 1.6.1 on an EAP 6.4 via the overlay and followed the YouTube tutorials. Is there anything else I have to configure so that JBoss finds the authenticator KEYCLOAK? The apps are deployed on the

11:38:38,317 INFO [org.jboss.web] (ServerService Thread Pool -- 57) JBAS018210: Register web context: /customer-portal
11:38:38,332 ERROR [org.apache.catalina.startup] (ServerService Thread Pool -- 57) JBWEB001034: Cannot configure an authenticator for method KEYCLOAK
11:38:38,332 ERROR [org.jboss.web] (ServerService Thread Pool -- 57) JBAS018206: Webapp [/customer-portal] is unavailable due to startup errors
11:38:38,333 ERROR [org.apache.catalina.core] (ServerService Thread Pool -- 57) JBWEB001103: Error detected during context /customer-portal start, will stop it
11:38:38,365 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 57) MSC000001: Failed to start service jboss.web.deployment.default-host./customer-portal: org.jboss.msc.service.StartException in service jboss.web.deployment.default-host./customer-portal: org.jboss.msc.service.StartException in anonymous service: JBAS018040: Failed to start context
        at org.jboss.as.web.deployment.WebDeploymentService$1.run(WebDeploymentService.java:99)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) [rt.jar:1.7.0_85]
        at java.util.concurrent.FutureTask.run(FutureTask.java:262) [rt.jar:1.7.0_85]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_85]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_85]
        at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_85]
        at org.jboss.threads.JBossThread.run(JBossThread.java:122) [jboss-threads-2.1.2.Final-redhat-1.jar:2.1.2.Final-redhat-1]
Caused by: org.jboss.msc.service.StartException in anonymous service: JBAS018040: Failed to start context
        at org.jboss.as.web.deployment.WebDeploymentService.doStart(WebDeploymentService.java:168)
        at org.jboss.as.web.deployment.WebDeploymentService.access$000(WebDeploymentService.java:61)
        at org.jboss.as.web.deployment.WebDeploymentService$1.run(WebDeploymentService.java:96)
        ... 6 more

11:38:38,372 ERROR [org.jboss.as.controller.management-operation] (HttpManagementService-threads - 3) JBAS014612: Operation ("add") failed - address: ([{"deployment" => "customer-portal.war"}]) - failure description: {"JBAS014671: Failed services" => {"jboss.web.deployment.default-host./customer-portal" => "org.jboss.msc.service.StartException in service jboss.web.deployment.default-host./customer-portal: org.jboss.msc.service.StartException in anonymous service: JBAS018040: Failed to start context
    Caused by: org.jboss.msc.service.StartException in anonymous service: JBAS018040: Failed to start context"}}
11:38:38,385 ERROR [org.jboss.as.server] (HttpManagementService-threads - 3) JBAS015870: Deploy of deployment "customer-portal.war" was rolled back with the following failure message:
{"JBAS014671: Failed services" => {"jboss.web.deployment.default-host./customer-portal" => "org.jboss.msc.service.StartException in service jboss.web.deployment.default-host./customer-portal: org.jboss.msc.service.StartException in anonymous service: JBAS018040: Failed to start context
    Caused by: org.jboss.msc.service.StartException in anonymous service: JBAS018040: Failed to start context"}}
11:38:38,399 INFO [org.jboss.as.server.deployment] (MSC service thread 1-2) JBAS015877: Stopped deployment customer-portal.war (runtime-name: customer-portal.war) in 21ms
11:38:38,401 INFO [org.jboss.as.controller] (HttpManagementService-threads - 3) JBAS014774: Service status report
JBAS014775: New missing/unsatisfied dependencies:
      service jboss.deployment.unit."customer-portal.war".component."com.sun.faces.config.ConfigureListener".START (missing) dependents: [service jboss.deployment.unit."customer-portal.war".deploymentCompleteService]
      service jboss.deployment.unit."customer-portal.war".component."javax.faces.webapp.FacetTag".START (missing) dependents: [service jboss.deployment.unit."customer-portal.war".deploymentCompleteService]
      service jboss.deployment.unit."customer-portal.war".component."javax.servlet.jsp.jstl.tlv.PermittedTaglibsTLV".START (missing) dependents: [service jboss.deployment.unit."customer-portal.war".deploymentCompleteService]
      service jboss.deployment.unit."customer-portal.war".component."javax.servlet.jsp.jstl.tlv.ScriptFreeTLV".START (missing) dependents: [service jboss.deployment.unit."customer-portal.war".deploymentCompleteService]
      service jboss.deployment.unit."customer-portal.war".component."org.apache.catalina.servlets.DefaultServlet".START (missing) dependents: [service jboss.deployment.unit."customer-portal.war".deploymentCompleteService]
      service jboss.deployment.unit."customer-portal.war".component."org.apache.jasper.servlet.JspServlet".START (missing) dependents: [service jboss.deployment.unit."customer-portal.war".deploymentCompleteService]
      service jboss.web.deployment.default-host./customer-portal (missing) dependents: [service jboss.deployment.unit."customer-portal.war".deploymentCompleteService]
      service jboss.web.deployment.default-host./customer-portal.realm (missing) dependents: [service jboss.deployment.unit."customer-portal.war".deploymentCompleteService]
JBAS014777: Services which failed to start:      service jboss.web.deployment.default-host./customer-portal

From atx at binaryninja.de Wed Nov 18 07:41:07 2015
From: atx at binaryninja.de (Ataraxus)
Date: Wed, 18 Nov 2015 13:41:07 +0100
Subject: [keycloak-user] Cannot configure an authenticator for method KEYCLOAK
In-Reply-To: <564C6598.8050804@binaryninja.de>
References: <564C6598.8050804@binaryninja.de>
Message-ID: <564C71E3.9070800@binaryninja.de>

Now I got it running. I installed the adapters from
http://keycloak.jboss.org/keycloak/downloads.html?dir=0%3Dadapters/keycloak-oidc%3B
I thought that they were also included in the EAP overlay by default... Did I miss something?
From sthorger at redhat.com Wed Nov 18 07:43:56 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 18 Nov 2015 13:43:56 +0100
Subject: [keycloak-user] keycloak-overlay-eap6-1.6.1.Final has jobs start up issue
In-Reply-To:
References: <564B7EDF.5040909@redhat.com> <564B8367.7050103@redhat.com>
Message-ID:

The Keycloak server will only ever be deployable to the latest stable releases of WildFly and JBoss EAP. There are two reasons for this:

a) We don't have the resources to maintain it
b) More importantly, we want to be able to use new stuff (supporting old EAP releases means old dependencies for everything)

At the end of the day, Keycloak is a standalone service, not something you should embed into your applications. It's also not just targeted towards JEE developers.

On 18 November 2015 at 10:49, Marko Strukelj wrote:
> The attempt here looks to be to install the server on EAP 6.2.
>
> The technical reasons for the server are that the overlay contains modules, and
> a standalone-keycloak.xml, which are targeted at a specific version of EAP. The
> exact issue in the above error is that the packaged standalone-keycloak.xml
> uses a configuration version that EAP 6.2 doesn't yet understand. There are
> probably other reasons why it wouldn't work even after fixing that manually
> - like old, incompatible versions of the dependencies provided by EAP that
> we rely upon.
>
> The adapter was tested on EAP 6.2, and it should work, yes.

From sthorger at redhat.com Wed Nov 18 07:45:06 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 18 Nov 2015 13:45:06 +0100
Subject: [keycloak-user] keycloak-overlay-eap6-1.6.1.Final has jobs start up issue
In-Reply-To:
References: <564B7EDF.5040909@redhat.com> <564B8367.7050103@redhat.com>
Message-ID:

Again, I stress that this only applies to the server. Adapters will have a much greater range of containers, including Tomcat, Jetty etc. We still have adapters for AS7, to name one.

On 18 November 2015 at 13:43, Stian Thorgersen wrote:
> The Keycloak server will only ever be deployable to the latest stable releases of
> WildFly and JBoss EAP. There are two reasons for this:
>
> a) We don't have the resources to maintain it
> b) More importantly, we want to be able to use new stuff (supporting old
> EAP releases means old dependencies for everything)
>
> At the end of the day, Keycloak is a standalone service, not something you should
> embed into your applications. It's also not just targeted towards JEE
> developers.
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151118/7b783ba1/attachment.html

From sthorger at redhat.com Wed Nov 18 07:47:03 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 18 Nov 2015 13:47:03 +0100
Subject: [keycloak-user] Cannot configure an authenticator for method KEYCLOAK
In-Reply-To: <564C71E3.9070800@binaryninja.de>
References: <564C6598.8050804@binaryninja.de> <564C71E3.9070800@binaryninja.de>
Message-ID:

Nopes, you didn't miss anything. You need both the server and adapters, and the adapters are not included in the server overlay.

On 18 November 2015 at 13:41, Ataraxus wrote:
> Now I got it running. I installed the adapters from
> http://keycloak.jboss.org/keycloak/downloads.html?dir=0%3Dadapters/keycloak-oidc%3B
> I thought that they were also included in the EAP overlay by default... Did I miss something?
>
> On 18.11.15 at 12:48, Ataraxus wrote:
> > Hello,
> >
> > having trouble to get my or the example app "customer-portal" working with keycloak... I installed keycloak 1.6.1 on an EAP 6.4 via the overlay and followed the youtube tutorials. Is there anything else I have to configure, so that jboss finds the authenticator KEYCLOAK?
> > The apps are deployed on the
> >
> > 11:38:38,317 INFO [org.jboss.web] (ServerService Thread Pool -- 57) JBAS018210: Register web context: /customer-portal
> > 11:38:38,332 ERROR [org.apache.catalina.startup] (ServerService Thread Pool -- 57) JBWEB001034: Cannot configure an authenticator for method KEYCLOAK
> > 11:38:38,332 ERROR [org.jboss.web] (ServerService Thread Pool -- 57) JBAS018206: Webapp [/customer-portal] is unavailable due to startup errors
> > 11:38:38,333 ERROR [org.apache.catalina.core] (ServerService Thread Pool -- 57) JBWEB001103: Error detected during context /customer-portal start, will stop it
> > 11:38:38,365 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 57) MSC000001: Failed to start service jboss.web.deployment.default-host./customer-portal: org.jboss.msc.service.StartException in service jboss.web.deployment.default-host./customer-portal: org.jboss.msc.service.StartException in anonymous service: JBAS018040: Failed to start context
> >   at org.jboss.as.web.deployment.WebDeploymentService$1.run(WebDeploymentService.java:99)
> >   at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) [rt.jar:1.7.0_85]
> >   at java.util.concurrent.FutureTask.run(FutureTask.java:262) [rt.jar:1.7.0_85]
> >   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_85]
> >   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_85]
> >   at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_85]
> >   at org.jboss.threads.JBossThread.run(JBossThread.java:122) [jboss-threads-2.1.2.Final-redhat-1.jar:2.1.2.Final-redhat-1]
> > Caused by: org.jboss.msc.service.StartException in anonymous service: JBAS018040: Failed to start context
> >   at org.jboss.as.web.deployment.WebDeploymentService.doStart(WebDeploymentService.java:168)
> >   at org.jboss.as.web.deployment.WebDeploymentService.access$000(WebDeploymentService.java:61)
> >   at org.jboss.as.web.deployment.WebDeploymentService$1.run(WebDeploymentService.java:96)
> >   ... 6 more
> >
> > 11:38:38,372 ERROR [org.jboss.as.controller.management-operation] (HttpManagementService-threads - 3) JBAS014612: Operation ("add") failed - address: ([{"deployment" => "customer-portal.war"}]) - failure description: {"JBAS014671: Failed services" => {"jboss.web.deployment.default-host./customer-portal" => "org.jboss.msc.service.StartException in service jboss.web.deployment.default-host./customer-portal: org.jboss.msc.service.StartException in anonymous service: JBAS018040: Failed to start context
> >     Caused by: org.jboss.msc.service.StartException in anonymous service: JBAS018040: Failed to start context"}}
> > 11:38:38,385 ERROR [org.jboss.as.server] (HttpManagementService-threads - 3) JBAS015870: Deploy of deployment "customer-portal.war" was rolled back with the following failure message:
> > {"JBAS014671: Failed services" => {"jboss.web.deployment.default-host./customer-portal" => "org.jboss.msc.service.StartException in service jboss.web.deployment.default-host./customer-portal: org.jboss.msc.service.StartException in anonymous service: JBAS018040: Failed to start context
> >     Caused by: org.jboss.msc.service.StartException in anonymous service: JBAS018040: Failed to start context"}}
> > 11:38:38,399 INFO [org.jboss.as.server.deployment] (MSC service thread 1-2) JBAS015877: Stopped deployment customer-portal.war (runtime-name: customer-portal.war) in 21ms
> > 11:38:38,401 INFO [org.jboss.as.controller] (HttpManagementService-threads - 3) JBAS014774: Service status report
> > JBAS014775: New missing/unsatisfied dependencies:
> >   service jboss.deployment.unit."customer-portal.war".component."com.sun.faces.config.ConfigureListener".START (missing) dependents: [service jboss.deployment.unit."customer-portal.war".deploymentCompleteService]
> >   service jboss.deployment.unit."customer-portal.war".component."javax.faces.webapp.FacetTag".START (missing) dependents: [service jboss.deployment.unit."customer-portal.war".deploymentCompleteService]
> >   service jboss.deployment.unit."customer-portal.war".component."javax.servlet.jsp.jstl.tlv.PermittedTaglibsTLV".START (missing) dependents: [service jboss.deployment.unit."customer-portal.war".deploymentCompleteService]
> >   service jboss.deployment.unit."customer-portal.war".component."javax.servlet.jsp.jstl.tlv.ScriptFreeTLV".START (missing) dependents: [service jboss.deployment.unit."customer-portal.war".deploymentCompleteService]
> >   service jboss.deployment.unit."customer-portal.war".component."org.apache.catalina.servlets.DefaultServlet".START (missing) dependents: [service jboss.deployment.unit."customer-portal.war".deploymentCompleteService]
> >   service jboss.deployment.unit."customer-portal.war".component."org.apache.jasper.servlet.JspServlet".START (missing) dependents: [service jboss.deployment.unit."customer-portal.war".deploymentCompleteService]
> >   service jboss.web.deployment.default-host./customer-portal (missing) dependents: [service jboss.deployment.unit."customer-portal.war".deploymentCompleteService]
> >   service jboss.web.deployment.default-host./customer-portal.realm (missing) dependents: [service jboss.deployment.unit."customer-portal.war".deploymentCompleteService]
> > JBAS014777: Services which failed to start: service jboss.web.deployment.default-host./customer-portal
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151118/1b8bb889/attachment-0001.html

From sthorger at redhat.com Wed Nov 18 07:53:36 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 18 Nov 2015 13:53:36 +0100
Subject: [keycloak-user] Users losing realm roles without a valid reason
In-Reply-To:
References:
Message-ID:

Not sure what could be wrong, but posting the whole realm config every X minutes is pretty crazy. Why are you doing that?!

A few questions:

* Is the realm role still there? If the ID of the role changes then the user role mappings will be lost. User role mappings are for a role by id, not by name. So if you delete a role and re-create it, role mappings are lost.
* What database are you using?
* Do you have multiple nodes in a cluster?
* Does it happen to all users or just some?

On 17 November 2015 at 15:40, Johan Heylen wrote:
> Hallo,
>
> we have noticed a strange behaviour in our Keycloak setup:
>
> After a while, some users lose one of their assigned realm roles, without anyone actually requesting this from the keycloak server (we see no admin events which can explain this behaviour).
> Could it be that something is wrong in some cache implementation or an issue in concurrency?
> When I make a dump of the database, the role can also no longer be found there in the user export, so it actually gets removed from there as well.
>
> One specific thing we do is managing the realm settings using the admin REST API, which PUTs the realm config JSON every X minutes (X is currently 5 to 2 minutes), so the PUT call happens a lot (I can see it in the admin events).
>
> To exclude this as a possible culprit, I've disabled this constant updating of the realm. I'll send an update whether this has had any impact, but either way, the issue should not occur.
>
> Has anyone already encountered this issue?
> I can provide you with more config of the keycloak server and realm if required... We are on 1.6.0
>
> Could you help me with enabling the correct logging, so I might be able to trace where the problem occurs or see what causes the drop of a realm role on a user (his other realm roles remain untouched...)
>
> Currently I am not able to reproduce this with a testcase, it just occurs from time to time on a test platform, so I did not create a JIRA ticket yet
>
> Tnx,
>
> Johan Heylen
> DNS Belgium
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151118/e5b95aeb/attachment.html

From atx at binaryninja.de Wed Nov 18 07:55:27 2015
From: atx at binaryninja.de (Ataraxus)
Date: Wed, 18 Nov 2015 13:55:27 +0100
Subject: [keycloak-user] keycloak-overlay-eap6-1.6.1.Final has jobs start up issue
In-Reply-To:
References: <564B7EDF.5040909@redhat.com> <564B8367.7050103@redhat.com>
Message-ID: <564C753F.8070307@binaryninja.de>

Hello Stian, thank you very much for making this point clear!

I guess the reason why people show up with the "expectation" that EAP 6.2 should be supported is that on the front page it states:
Supports JBoss AS7, EAP 6.x, Wildfly, Tomcat,...
and as you mentioned this holds only true for the adapters (maybe this point should be stressed on the front page somehow).
But as I and maybe others implicitly thought, this is also applicable to the "host AS" of keycloak.
I think another reason why people ask for this setup (deploying keycloak on EAP 6.2) is that in large companies you only get "provisioned" versions of JBoss and either your IT doesn't support EAP 6.4 yet, doesn't let you run "standalone" servers "at will" or even you are not provided shell access to the JBoss.
I think these are the reasons why people (and I) are asking for Keycloak to be deployable on older versions and Keycloak to be deployable as an EAR/WAR.

On 18.11.15 at 13:43, Stian Thorgersen wrote:
> Keycloak server will only ever be deployable to latest stable releases of WildFly and JBoss EAP. There are two reasons for this:
>
> a) We don't have the resources to maintain it
> b) More importantly we want to be able to use new stuff (supporting old EAP releases means old dependencies for everything)
>
> End of the day Keycloak is a standalone service, not something you should embed into your applications. It's also not just targeted towards JEE developers.
>
> On 18 November 2015 at 10:49, Marko Strukelj wrote:
> > The attempt here looks to be to install server on EAP 6.2
> >
> > Technical reasons for server are that overlay contains modules, and standalone-keycloak.xml, which are targeted to specific version of EAP. The exact issue in the above error is that the packaged standalone-keycloak.xml uses configuration version that EAP 6.2 doesn't yet understand. There are probably other reasons why it wouldn't work even after fixing that manually - like old incompatible versions of the dependencies provided by EAP that we rely upon.
> >
> > Adapter was tested on EAP 6.2, and it should work yes.
> >
> > On Tue, Nov 17, 2015 at 8:43 PM, Bill Burke wrote:
> > > You don't need to migrate your 7 applications. The client adapter should still work on EAP 6.2. If it doesn't, that's something we would fix. It's the server that we won't support on anything earlier.
> > >
> > > On 11/17/2015 2:29 PM, Ismail Shaik wrote:
> > > > Bill,
> > > >
> > > > Yes if I change the server I need to migrate all my 7 applications to new jboss EAP. Which is why I would like to have the version compatible with jboss eap 6.2.x.
> > > > Thank you for quick reply.
> > > >
> > > > On Nov 17, 2015 1:24 PM, "Bill Burke" wrote:
> > > > > Is there a reason we don't work on 6.2.3?
> > > > >
> > > > > On 11/17/2015 2:07 PM, Ismail Shaik wrote:
> > > > > > Marko,
> > > > > >
> > > > > > Can you please let me know which version of key cloak is good for Jboss EAP 6.2.3? I have to use the Jboss EAP 6.2.3. Thanks in advance.
> > > > > >
> > > > > > On Tue, Nov 17, 2015 at 10:24 AM, Marko Strukelj wrote:
> > > > > > > You should use EAP 6.4.x. We only support that.
> > > > > > >
> > > > > > > On Tue, Nov 17, 2015 at 5:12 PM, Ismail Shaik wrote:
> > > > > > > > Hi,
> > > > > > > > This is Ismail, I am trying to set up SSO using the key cloak. I extracted the *keycloak-overlay-eap6-1.6.1.Final* to my Jboss Home which has the version 6.2.3. EAP and when I try to start the server I am getting the below exception
> > > > > > > >
> > > > > > > > se configuration
> > > > > > > >   at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:141) [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT]
> > > > > > > >   at org.jboss.as.server.ServerService.boot(ServerService.java:324) [jboss-as-server-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT]
> > > > > > > >   at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:253) [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT]
> > > > > > > >   at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75]
> > > > > > > > Caused by: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[2,1]
> > > > > > > > Message: Unexpected element '{urn:jboss:domain:1.7}server'
> > > > > > > >   at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:108) [staxmapper-1.1.0.Final-redhat-2.jar:1.1.0.Final-redhat-2]
> > > > > > > >   at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69) [staxmapper-1.1.0.Final-redhat-2.jar:1.1.0.Final-redhat-2]
> > > > > > > >   at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:133) [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT]
> > > > > > > >   ... 3 more
> > > > > > > >
> > > > > > > > 09:27:24,775 FATAL [org.jboss.as.server] (Controller Boot Thread) JBAS015957: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
> > > > > > > > 09:27:24,784 INFO [org.jboss.as] (MSC service thread 1-7) JBAS015950: JBoss EAP 6.2.3.GA (AS 7.3.3.Final-redhat-SNAPSHOT) stopped in 4ms
> > > > > > > >
> > > > > > > > I am running the server using below command.
> > > > > > > >
> > > > > > > > bash standalone.sh --server-config=standalone-keycloak.xml
> > > > > > > >
> > > > > > > > I am using the MAC OS
> > > > > > > >
> > > > > > > > --
> > > > > > > > Thanks,
> > > > > > > > Ismail Shaik - 908 922 9571
> > > > > > > >
> > > > > > > > _______________________________________________
> > > > > > > > keycloak-user mailing list
> > > > > > > > keycloak-user at lists.jboss.org
> > > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > >
> > > > > --
> > > > > Bill Burke
> > > > > JBoss, a division of Red Hat
> > > > > http://bill.burkecentral.com
> > > > > _______________________________________________
> > > > > keycloak-user mailing list
> > > > > keycloak-user at lists.jboss.org
> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
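Returning to the thread above on users losing realm roles: Stian Thorgersen's point is that Keycloak stores a user's role mapping against the role's id, not its name, so a role that is deleted and re-created under the same name silently orphans every mapping to the old id. That can be checked offline with two realm snapshots (for example an export taken before and after the periodic realm PUT Johan describes). The script below is an added example, not Keycloak code or anything from the list: the two realm documents, the user's stored mapping ids, the role names and every id in it are constructed for the demonstration, and the mapping-by-id model (`USER_MAPPINGS`) is an assumption that mimics the database-level relation Stian describes rather than the `realmRoles`-by-name list found in a user export.

```python
"""Added example (not Keycloak code): show why role mappings vanish when a
realm role is deleted and re-created under the same name.

Keycloak keeps user role mappings against the role id, not the role name.
This models that with constructed data: two realm snapshots, the ids a
user's mappings point at, and a diff that reports roles whose id changed.
The JSON shape (roles.realm[].id/name) follows the Keycloak realm
representation; the mapping-by-id model and all ids/names are assumptions.
"""
import json

# Constructed snapshot taken before the role was touched.
BEFORE = json.loads("""
{"realm": "TestRealm",
 "roles": {"realm": [
   {"id": "5c3d0b4e-0001-4f0e-9a2b-000000000001", "name": "admin"},
   {"id": "5c3d0b4e-0002-4f0e-9a2b-000000000002", "name": "registrar"},
   {"id": "5c3d0b4e-0003-4f0e-9a2b-000000000003", "name": "auditor"}]}}
""")

# Constructed snapshot taken later: "registrar" was deleted and re-created
# (same name, new id); "auditor" was removed outright.
AFTER = json.loads("""
{"realm": "TestRealm",
 "roles": {"realm": [
   {"id": "5c3d0b4e-0001-4f0e-9a2b-000000000001", "name": "admin"},
   {"id": "7e19aa00-0004-4f0e-9a2b-000000000004", "name": "registrar"}]}}
""")

# Constructed model of what the database holds for one user: role ids only,
# no names (this is the assumption the whole example rests on).
USER_MAPPINGS = {
    "jheylen": {"5c3d0b4e-0001-4f0e-9a2b-000000000001",
                "5c3d0b4e-0002-4f0e-9a2b-000000000002"},
}


def roles_by_name(realm_rep):
    """Map role name -> role id for the realm-level roles of a representation."""
    return {r["name"]: r["id"] for r in realm_rep["roles"]["realm"]}


def diff_realm_roles(before, after):
    """Report roles that were re-created (same name, different id) or removed.

    Both cases orphan any user mapping that still points at the old id.
    """
    old, new = roles_by_name(before), roles_by_name(after)
    recreated = sorted(n for n in old if n in new and old[n] != new[n])
    removed = sorted(n for n in old if n not in new)
    return {"recreated": recreated, "removed": removed}


def effective_roles(user, realm_rep, mappings=USER_MAPPINGS):
    """Resolve a user's stored mapping ids against a realm snapshot.

    Ids that no longer match any role are returned separately: that is the
    "lost realm role" symptom, even though a role of that name still exists.
    """
    id_to_name = {r["id"]: r["name"] for r in realm_rep["roles"]["realm"]}
    have, dangling = [], []
    for role_id in sorted(mappings.get(user, ())):
        if role_id in id_to_name:
            have.append(id_to_name[role_id])
        else:
            dangling.append(role_id)
    return {"roles": have, "dangling": dangling}


if __name__ == "__main__":
    print(diff_realm_roles(BEFORE, AFTER))
    print(effective_roles("jheylen", BEFORE))
    print(effective_roles("jheylen", AFTER))
```

Run against real exports, `diff_realm_roles` is the pre-check to apply before any automated realm update: a non-empty `recreated` list means the same-named role the admin console shows is not the role the users were mapped to.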
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151118/95b7e68b/attachment-0001.html

From sthorger at redhat.com Wed Nov 18 08:03:37 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 18 Nov 2015 14:03:37 +0100
Subject: [keycloak-user] keycloak-overlay-eap6-1.6.1.Final has jobs start up issue
In-Reply-To: <564C753F.8070307@binaryninja.de>
References: <564B7EDF.5040909@redhat.com> <564B8367.7050103@redhat.com> <564C753F.8070307@binaryninja.de>
Message-ID:

On 18 November 2015 at 13:55, Ataraxus wrote:
> Hello Stian, thank you very much for making this point clear!
>
> I guess the reason why people show up with the "expectation" that EAP 6.2 should be supported is that on the front page it states:
> Supports JBoss AS7, EAP 6.x, Wildfly, Tomcat,...
> and as you mentioned this holds only true for the adapters (maybe this point should be stressed on the front page somehow).

Good point. We will update the website and documentation to make it clearer.

> But as I and maybe others implicitly thought, this is also applicable to the "host AS" of keycloak.
> I think another reason why people ask for this setup (deploying keycloak on EAP 6.2) is that in large companies you only get "provisioned" versions of JBoss and either your IT doesn't support EAP 6.4 yet, doesn't let you run "standalone" servers "at will" or even you are not provided shell access to the JBoss.
> I think these are the reasons why people (and I) are asking for Keycloak to be deployable on older versions and Keycloak to be deployable as an EAR/WAR.

Fair point, but I'm afraid we can't support older versions of EAP and especially not deploying as a WAR. It's just too much work and also means we can't rely on new features in newer versions of WildFly and JBoss EAP.

You should talk to your IT department about provisioning a Keycloak server for you. As I said Keycloak server should be treated as a separate service and not be co-located with your applications.
If they are unwilling to do that, go ahead and deploy it externally in the cloud (that's why the cloud was invented, isn't it?) ;)

> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151118/c064c609/attachment-0001.html

From alex_orl1079 at yahoo.it Wed Nov 18 08:09:57 2015
From: alex_orl1079 at yahoo.it (alex orl)
Date: Wed, 18 Nov 2015 13:09:57 +0000 (UTC)
Subject: [keycloak-user] Authentication flow wrong behaviour using custom Authenticator Implementation
References: <1483902582.10992870.1447852197228.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <1483902582.10992870.1447852197228.JavaMail.yahoo@mail.yahoo.com>

Working on the 1.5.0 keycloak final version I caught a bug related to consecutive logins. My use case was:

Configuration:
1) I've created a new realm, say "TestRealm"
2) I've created 1 role: "testRole"
3) I've created 2 users: "userTest1" and "userTest2"
4) In the role mapping tab of each user I've assigned "testRole" to both of them
5) In the credential tab of each user I've changed their pwd

Use case:
1) I try to access the account application from: https://localhost:8444/auth/realms/TestRealm/account/
2) I insert username: userTest1, pwd: (a wrong password)
   The login page displays a tooltip saying "invalid username or password"
3) Without any page refresh I try to login again with the second user: username: userTest2, pwd: (whatever right or wrong password)
   Keycloak catches an exception. The page displays:
   We're sorry ...
   Invalid username or password.
   << Back to Application

Now I'm testing keycloak 1.6.1 final. I realize that the bug is solved, but only using the standard org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.
Making reference to chapter 33 of the keycloak 1.6.1 reference guide, I developed my custom Authenticator. As a proof of concept I simply copied the UsernamePasswordForm code, implementing a CustomUserPasswordForm. I've implemented CustomUserPasswordFormFactory. I tested the previous use case again in debug mode and I caught the same error as in the 1.5.0 version again.
In particular I realize that on the second login attempt the execution flow starts from the UserFederationManager.validateAndProxyUser(RealmModel realm, UserModel user) method, when the right flow should begin from the action method of my CustomUserPasswordForm.
Was this use case missed? Or am I doing something wrong?
Thanks a lot.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151118/adbf31cc/attachment.html

From atx at binaryninja.de Wed Nov 18 09:02:31 2015
From: atx at binaryninja.de (Ataraxus)
Date: Wed, 18 Nov 2015 15:02:31 +0100
Subject: [keycloak-user] Adapter installation
In-Reply-To: <1483902582.10992870.1447852197228.JavaMail.yahoo@mail.yahoo.com>
References: <1483902582.10992870.1447852197228.JavaMail.yahoo.ref@mail.yahoo.com> <1483902582.10992870.1447852197228.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <564C84F7.1030407@binaryninja.de>

I'm setting up a docker container with keycloak. Now I want to install the adapters; the usual way of installing is via
${JBOSS_HOME}/bin/jboss-cli.sh -c --file=${JBOSS_HOME}/bin/adapter-install.cli
but therefore jboss needs to be running already, which is not good/possible at this step.
Is there an offline way of installing the adapters?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151118/4c22b5b4/attachment.html From mstrukel at redhat.com Wed Nov 18 09:28:45 2015 From: mstrukel at redhat.com (Marko Strukelj) Date: Wed, 18 Nov 2015 15:28:45 +0100 Subject: [keycloak-user] Adapter installation In-Reply-To: <564C84F7.1030407@binaryninja.de> References: <1483902582.10992870.1447852197228.JavaMail.yahoo.ref@mail.yahoo.com> <1483902582.10992870.1447852197228.JavaMail.yahoo@mail.yahoo.com> <564C84F7.1030407@binaryninja.de> Message-ID: If you put: embed-server as first command in your cli script, that will start embedded server in administration mode, so you won't need an already started server. That only works since Wildfly 9. On Wed, Nov 18, 2015 at 3:02 PM, Ataraxus wrote: > I'm setting up a docker container with keycloak. now i want to install the > adapters, > the usual way of installing is via > ${JBOSS_HOME}/bin/jboss-cli.sh -c > --file=${JBOSS_HOME}/bin/adapter-install.cli > but therefore jboss needs to be running already, which is not > good/possible on this step. > is there a offline way of installing the adapters? > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151118/1b4f0f1e/attachment.html From atx at binaryninja.de Wed Nov 18 09:38:00 2015 From: atx at binaryninja.de (Ataraxus) Date: Wed, 18 Nov 2015 15:38:00 +0100 Subject: [keycloak-user] Adapter installation In-Reply-To: References: <1483902582.10992870.1447852197228.JavaMail.yahoo.ref@mail.yahoo.com> <1483902582.10992870.1447852197228.JavaMail.yahoo@mail.yahoo.com> <564C84F7.1030407@binaryninja.de> Message-ID: <564C8D48.4090209@binaryninja.de> Sorry wasn't clear about that. 
But I was looking for a solution with JBoss EAP 6.4.

On 18.11.15 at 15:28, Marko Strukelj wrote:
> If you put:
>
> embed-server
>
> as first command in your cli script, that will start embedded server
> in administration mode, so you won't need an already started server.
>
> That only works since Wildfly 9.

From alex_orl1079 at yahoo.it Wed Nov 18 09:52:34 2015
From: alex_orl1079 at yahoo.it (alex orl)
Date: Wed, 18 Nov 2015 14:52:34 +0000 (UTC)
Subject: [keycloak-user] Authentication flow wrong behaviour using custom Authenticator Implementation
Message-ID: <1120019216.10938807.1447858354457.JavaMail.yahoo@mail.yahoo.com>

Another helpful element in order to reproduce this use case is that this behaviour occurs only when I set my CustomUserFederation provider...
Now I'd like to know: what is the right value that the UserModel validateAndProxy(RealmModel realm, UserModel local) method of UserFederationProvider has to return when:

1) the user is present on my custom DB but the password is wrong
2) the user doesn't exist

Maybe the problem could be there.
Thanks

On Wednesday, 18 November 2015 at 14:09, alex orl wrote:
> Working on the Keycloak 1.5.0 Final version I caught a bug related to consecutive logins.
> My use case was:
>
> Configuration:
> 1) I've created a new realm, say "TestRealm"
> 2) I've created 1 role: "testRole"
> 3) I've created 2 users: "userTest1" and "userTest2"
> 4) In the role mapping tab of each user I've assigned "testRole" to both of them
> 5) In the credentials tab of each user I've changed their password
>
> Use case:
> 1) I try to access the account application from:
>    https://localhost:8444/auth/realms/TestRealm/account/
> 2) I insert username: userTest1, pwd: (a wrong password)
>    The login page displays a tooltip saying "invalid username or password".
> 3) Without any page refresh I try to log in again with the second user:
>    username: userTest2, pwd: (whatever, right or wrong password)
>    Keycloak catches an exception. The page displays:
>        We're sorry ...
>        Invalid username or password.
>        << Back to Application
>
> Now I'm testing Keycloak 1.6.1 Final.
>
> I realize that the bug is solved, but only using the standard
> org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.
>
> Making reference to chapter 33 of the Keycloak 1.6.1 reference guide, I developed my custom
> Authenticator. As a proof of concept I simply copied the UsernamePasswordForm code,
> implementing a CustomUserPasswordForm. I've implemented a CustomUserPasswordFormFactory.
> I tested the previous use case again in debug mode and caught the same error as in the
> 1.5.0 version.
> In particular, I realize that on the second login attempt the execution flow starts from the
> UserFederationManager.validateAndProxyUser(RealmModel realm, UserModel user) method,
> when the right flow should begin from the action method of my CustomUserPasswordForm.
> Was this use case missed? Or am I doing something wrong?
> Thanks a lot.

From mstrukel at redhat.com Wed Nov 18 09:55:22 2015
From: mstrukel at redhat.com (Marko Strukelj)
Date: Wed, 18 Nov 2015 15:55:22 +0100
Subject: [keycloak-user] Adapter installation

You can give EAP 7 Alpha a try :)
http://www.jboss.org/products/eap/download/

On Wed, Nov 18, 2015 at 3:38 PM, Ataraxus wrote:
> Sorry wasn't clear about that.
> But I was looking for a solution with JBoss EAP 6.4
From bburke at redhat.com Wed Nov 18 10:03:08 2015
From: bburke at redhat.com (Bill Burke)
Date: Wed, 18 Nov 2015 10:03:08 -0500
Subject: [keycloak-user] Authentication flow wrong behaviour using custom Authenticator Implementation
Message-ID: <564C932C.5030308@redhat.com>

Try getting the Authenticator to work without the federation provider first, then work from there. Isolate the problem.

On 11/18/2015 9:52 AM, alex orl wrote:
> Another helpful element in order to reproduce this use case is that this
> behaviour occurs only when I set my CustomUserFederation provider...
> Now I'd like to know:
> What is the right value the UserModel validateAndProxy(RealmModel realm,
> UserModel local) of UserFederationProvider has to return when:
> 1) user is present on my custom db but password is wrong
> 2) user doesn't exist
>
> Maybe the problem could be there.
> Thanks
-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From ismail117 at gmail.com Wed Nov 18 10:15:36 2015
From: ismail117 at gmail.com (Ismail Shaik)
Date: Wed, 18 Nov 2015 09:15:36 -0600
Subject: [keycloak-user] keycloak-overlay-eap6-1.6.1.Final has jobs start up issue

Stian,
I did the same procedure, but I am still having the same issue. I think the versions are incompatible: the Keycloak config has the server version 1.7 and the EAP standalone has version 1.5. I tried to update the version with different combinations. I did not have luck yet.

I tried another version, 1.1.0 Final, which is working on the existing EAP 6.2.3, but I am not able to deploy the example customer and product portals. I am able to build with Maven successfully, but the server is not able to deploy the EAR file.

I am trying all the options but am not able to get it to work on my EAP 6.2. Unfortunately, whatever documentation is on keycloak.org, I followed every step multiple times, no luck yet. Please throw some light on this. Help is highly appreciated.

Thanks,
Ismail

On Wed, Nov 18, 2015 at 1:37 AM, Stian Thorgersen wrote:
> The Keycloak server only runs standalone or deployed to WildFly 9 or EAP
> 6.4. The adapter bits, which are what you need for your applications, work on
> a large range of containers.
>
> Use the standalone Keycloak server download and run it separately from your
> applications. Then get the eap6 adapter and deploy to EAP 6.2.
>
> On 17 November 2015 at 21:38, Ismail Shaik wrote:
>
>> Hi Ataraxus,
>>
>> There is no manual process unless we compare and put them manually, like the
>> standalone folder and bin folder. It's available with older versions.
>> If you go to the Beta version, once you extract keycloak-war-dist-all-1.1.0.Beta2.zip
>> you will see a deployment folder; then just place that extracted deployment
>> folder into your existing JBoss standalone/deployment folder.
>>
>> On Tue, Nov 17, 2015 at 2:28 PM, Ataraxus wrote:
>>
>>> Hi Ismail,
>>>
>>> I'm able to install Keycloak via the documentation. The documentation
>>> tells one how to install Keycloak via the server overlay. The error you get
>>> and posted here states (please correct me if I'm wrong) that JBoss is not
>>> able to parse the configuration, since it's not compatible with the old
>>> versions.
>>>
>>> So I was asking if there is a "manual" for installing Keycloak "manually"
>>> without relying on the server overlay, aka configuration, by dropping JARs or
>>> WARs in some JBoss folders ;)
>>>
>>> On 17.11.15 at 20:55, Ismail Shaik wrote:
>>>> Hi Bill,
>>>>
>>>> This is the issue I am getting when I start the server using
>>>> "bash standalone.sh --server-config=standalone-keycloak.xml":
>>>>
>>>> Ismails-MacBook-Pro:bin ismailshaik$ bash standalone.sh --server-config=standalone-keycloak.xml
>>>>
>>>> =========================================================================
>>>>
>>>>   JBoss Bootstrap Environment
>>>>
>>>>   JBOSS_HOME: /Users/ismailshaik/Jboss/jboss-eap-6.2
>>>>
>>>>   JAVA: /Library/Java/JavaVirtualMachines/jdk1.7.0_75.jdk/Contents/Home/bin/java
>>>>
>>>>   JAVA_OPTS: -server -XX:+UseCompressedOops -Xms1303m -Xmx1303m -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
>>>>
>>>> =========================================================================
>>>>
>>>> 13:53:49,193 INFO  [org.jboss.modules] (main) JBoss Modules version 1.3.3.Final-redhat-1
>>>> 13:53:50,205 INFO  [org.jboss.msc] (main) JBoss MSC version 1.0.4.GA-redhat-1
>>>> 13:53:50,303 INFO  [org.jboss.as] (MSC service thread 1-6) JBAS015899: JBoss EAP 6.2.3.GA (AS 7.3.3.Final-redhat-SNAPSHOT) starting
>>>> 13:53:50,814 ERROR [org.jboss.as.server] (Controller Boot Thread) JBAS015956: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: JBAS014676: Failed to parse configuration
>>>>     at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:141) [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT]
>>>>     at org.jboss.as.server.ServerService.boot(ServerService.java:324) [jboss-as-server-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT]
>>>>     at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:253) [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT]
>>>>     at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75]
>>>> Caused by: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[2,1]
>>>> Message: Unexpected element '{urn:jboss:domain:1.7}server'
>>>>     at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:108) [staxmapper-1.1.0.Final-redhat-2.jar:1.1.0.Final-redhat-2]
>>>>     at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69) [staxmapper-1.1.0.Final-redhat-2.jar:1.1.0.Final-redhat-2]
>>>>     at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:133) [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT]
>>>>     ... 3 more
>>>>
>>>> 13:53:50,816 FATAL [org.jboss.as.server] (Controller Boot Thread) JBAS015957: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
>>>> 13:53:50,825 INFO  [org.jboss.as] (MSC service thread 1-15) JBAS015950: JBoss EAP 6.2.3.GA (AS 7.3.3.Final-redhat-SNAPSHOT) stopped in 4ms
>>>> Ismails-MacBook-Pro:bin ismailshaik$
>>>>
>>>> On Tue, Nov 17, 2015 at 1:43 PM, Bill Burke wrote:
>>>>
>>>>> You don't need to migrate your 7 applications. The client adapter
>>>>> should still work on EAP 6.2. If it doesn't, that's something we would fix.
>>>>> It's the server that we won't support on anything earlier.
>>>>>
>>>>> On 11/17/2015 2:29 PM, Ismail Shaik wrote:
>>>>>
>>>>>> Bill,
>>>>>>
>>>>>> Yes, if I change the server I need to migrate all my 7 applications to
>>>>>> the new JBoss EAP, which is why I would like to have the version compatible
>>>>>> with JBoss EAP 6.2.x.
>>>>>> Thank you for the quick reply.
>>>>>>
>>>>>> On Nov 17, 2015 1:24 PM, "Bill Burke" <bburke at redhat.com> wrote:
>>>>>>
>>>>>>> Is there a reason we don't work on 6.2.3?
>>>>>>>
>>>>>>> On 11/17/2015 2:07 PM, Ismail Shaik wrote:
>>>>>>>> Marko,
>>>>>>>>
>>>>>>>> Can you please let me know which version of Keycloak is good for
>>>>>>>> JBoss EAP 6.2.3? I have to use JBoss EAP 6.2.3. Thanks in advance.
>>>>>>>>
>>>>>>>> On Tue, Nov 17, 2015 at 10:24 AM, Marko Strukelj wrote:
>>>>>>>>
>>>>>>>>> You should use EAP 6.4.x. We only support that.
>>>>>>>>>
>>>>>>>>> On Tue, Nov 17, 2015 at 5:12 PM, Ismail Shaik wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>> This is Ismail. I am trying to set up SSO using Keycloak.
>>>>>>>>>> I extracted keycloak-overlay-eap6-1.6.1.Final to my
>>>>>>>>>> JBoss home, which has the version 6.2.3 EAP, and when I
>>>>>>>>>> try to start the server I am getting the below exception:
>>>>>>>>>>
>>>>>>>>>> ...se configuration
>>>>>>>>>>     at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:141) [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT]
>>>>>>>>>>     at org.jboss.as.server.ServerService.boot(ServerService.java:324) [jboss-as-server-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT]
>>>>>>>>>>     at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:253) [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT]
>>>>>>>>>>     at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75]
>>>>>>>>>> Caused by: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[2,1]
>>>>>>>>>> Message: Unexpected element '{urn:jboss:domain:1.7}server'
>>>>>>>>>>     at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:108) [staxmapper-1.1.0.Final-redhat-2.jar:1.1.0.Final-redhat-2]
>>>>>>>>>>     at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69) [staxmapper-1.1.0.Final-redhat-2.jar:1.1.0.Final-redhat-2]
>>>>>>>>>>     at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:133) [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT]
>>>>>>>>>>     ... 3 more
>>>>>>>>>>
>>>>>>>>>> 09:27:24,775 FATAL [org.jboss.as.server] (Controller Boot Thread) JBAS015957: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
>>>>>>>>>> 09:27:24,784 INFO  [org.jboss.as] (MSC service thread 1-7) JBAS015950: JBoss EAP 6.2.3.GA (AS 7.3.3.Final-redhat-SNAPSHOT) stopped in 4ms
>>>>>>>>>>
>>>>>>>>>> I am running the server using the below command.
>>>>>>>>>>
>>>>>>>>>> bash standalone.sh --server-config=standalone-keycloak.xml
>>>>>>>>>>
>>>>>>>>>> I am using Mac OS.
-- 
Thanks,
Ismail Shaik - 908 922 9571

From atx at binaryninja.de Wed Nov 18 10:20:42 2015
From: atx at binaryninja.de (Ataraxus)
Date: Wed, 18 Nov 2015 16:20:42 +0100
Subject: [keycloak-user] keycloak-overlay-eap6-1.6.1.Final has jobs start up issue
Message-ID: <564C974A.6070703@binaryninja.de>

Hey Ismail,

please consider this statement:

"
On 18 November 2015 at 13:55, Ataraxus wrote:
> Hello Stian, thank you very much for making this point clear!
>
> I guess the reason why people show up with the "expectation" that EAP 6.2
> should be supported is that on the front page it states:
> Supports JBoss AS7, EAP 6.x, Wildfly, Tomcat, ...
> and as you mentioned this holds true only for the adapters (maybe this
> point should be stressed on the front page somehow).

Good point. We will update the website and documentation to make it clearer.
"

I guess trying to get Keycloak running on EAP 6.2 is not worth the effort, nor supported. What is supported are the adapters for EAP 6.2, but I guess you need Keycloak on it (as I did).

On 18.11.15 at 16:15, Ismail Shaik wrote:
> Stian,
> I did the same procedure, but I am still having the same issue. I
> think the versions are incompatible: the Keycloak config has the
> server version 1.7 and the EAP standalone has version 1.5. I tried to
> update the version with different combinations. I did not have luck yet.
> [...]

From ismail117 at gmail.com Wed Nov 18 16:08:43 2015
From: ismail117 at gmail.com (Ismail Shaik)
Date: Wed, 18 Nov 2015 15:08:43 -0600
Subject: [keycloak-user] keycloak-overlay-eap6-1.6.1.Final has jobs start up issue

Hi All,

I am trying version 1.1.0 Final with EAP 6.2. I am able to configure the applications, users and roles with the demo realm.
But somehow the database application is not deployable in JBoss EAP 6.2.

I am getting the following issue when I try to login in demo realm to access the customer-portal:

session of subresource org.keycloak.protocol.oidc.OpenIDConnectService will not be injected according to spec

While deploying in JBoss with the command mvn jboss-as:deploy, I am having the below stack trace in my server:

14:58:22,857 INFO [org.jboss.as.server.deployment] (MSC service thread 1-3) JBAS015876: Starting deployment of "database.war" (runtime-name: "database.war")
14:58:22,888 INFO [org.jboss.web] (ServerService Thread Pool -- 61) JBAS018210: Register web context: /database
14:58:22,892 ERROR [org.apache.catalina.startup] (ServerService Thread Pool -- 61) JBWEB001034: Cannot configure an authenticator for method KEYCLOAK
14:58:22,893 ERROR [org.jboss.web] (ServerService Thread Pool -- 61) JBAS018206: Webapp [/database] is unavailable due to startup errors
14:58:22,893 ERROR [org.apache.catalina.core] (ServerService Thread Pool -- 61) JBWEB001103: Error detected during context /database start, will stop it
14:58:22,896 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 61) MSC000001: Failed to start service jboss.web.deployment.default-host./database: org.jboss.msc.service.StartException in service jboss.web.deployment.default-host./database: org.jboss.msc.service.StartException in anonymous service: JBAS018040: Failed to start context
    at org.jboss.as.web.deployment.WebDeploymentService$1.run(WebDeploymentService.java:96)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) [rt.jar:1.7.0_75]
    at java.util.concurrent.FutureTask.run(FutureTask.java:262) [rt.jar:1.7.0_75]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_75]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_75]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75]
    at org.jboss.threads.JBossThread.run(JBossThread.java:122)
Caused by: org.jboss.msc.service.StartException in anonymous service: JBAS018040: Failed to start context
    at org.jboss.as.web.deployment.WebDeploymentService.doStart(WebDeploymentService.java:161)
    at org.jboss.as.web.deployment.WebDeploymentService.access$000(WebDeploymentService.java:60)
    at org.jboss.as.web.deployment.WebDeploymentService$1.run(WebDeploymentService.java:93)
    ... 6 more

14:58:23,109 ERROR [org.jboss.as.server] (management-handler-thread - 6) JBAS015870: Deploy of deployment "database.war" was rolled back with the following failure message: {"JBAS014671: Failed services" => {"jboss.web.deployment.default-host./database" => "org.jboss.msc.service.StartException in service jboss.web.deployment.default-host./database: org.jboss.msc.service.StartException in anonymous service: JBAS018040: Failed to start context
    Caused by: org.jboss.msc.service.StartException in anonymous service: JBAS018040: Failed to start context"}}

Can you please help me with that? I am not able to login in demo with the created roles.

Thanks,
Ismail

On Wed, Nov 18, 2015 at 9:20 AM, Ataraxus wrote:
> Hey Ismail,
>
> please consider this statement:
>
> "
> On 18 November 2015 at 13:55, Ataraxus <atx at binaryninja.de> wrote:
>
>> Hello Stian, thank you very much for making this point clear!
>>
>> I guess the reason why people show up with the "expectation" that EAP 6.2
>> should be supported, is that on the frontpage it states:
>> Supports JBoss AS7, EAP 6.x, Wildfly, Tomcat,...
>> and as you mentioned this holds only true for the adapters (maybe this
>> point should be stressed on the frontpage somehow).
>>
>
> Good point. We will update the website and documentation to make it
> clearer.
> "
> I guess trying to get Keycloak running on EAP 6.2 is not worth the effort,
> nor supported. What is supported are the adapters for EAP 6.2, but I guess
> you need Keycloak on it (as I did).
>
> On 18.11.15 at 16:15, Ismail Shaik wrote:
>
> Stian,
> I have done the same procedure, but I am still having the same issue. I think
> this is the version incompatibility: the Keycloak config has the server 1.7 and
> the EAP standalone has the version 1.5. I tried to update the version with
> different combinations. I did not have luck yet.
>
> I tried another version, 1.1.0 Final, which is working on the existing
> EAP 6.2.3, but I am not able to deploy the examples customer and product
> portals.
>
> I am able to maven build successfully, but the server is not able to deploy
> the ear file.
>
> I am trying all the options but not able to get it to work on my EAP 6.2.
> Unfortunately, whatever documentation is on keycloak.org, I
> followed every step multiple times, no luck yet. Please throw some light on
> this. Help is highly appreciated.
>
> Thanks,
> Ismail
>
> On Wed, Nov 18, 2015 at 1:37 AM, Stian Thorgersen wrote:
>
>> Keycloak server only runs as standalone or deployed to WildFly 9 or EAP
>> 6.4. The adapter bits, which is what you need for your applications, work on
>> a large range of containers.
>>
>> Use the standalone Keycloak server download and run it separately to your
>> applications. Then get the eap6 adapter and deploy to EAP 6.2.
>>
>> On 17 November 2015 at 21:38, Ismail Shaik <ismail117 at gmail.com> wrote:
>>
>>> Hi Ataraxic,
>>>
>>> there is no manual process unless we compare and put them manually, like
>>> the standalone folder and bin folder. It's only available with older versions.
>>> If you go to the Beta version, once you extract the
>>> *keycloak-war-dist-all-1.1.0.Beta2.zip*
>>> you will see a deployment folder; then just place that extracted deployment
>>> folder into your existing jboss standalone/deployment folder.
>>>
>>>
>>> On Tue, Nov 17, 2015 at 2:28 PM, Ataraxus <atx at binaryninja.de> wrote:
>>>
>>>> Hi Ismail,
>>>>
>>>> I'm able to install keycloak via the documentation.
>>>> The documentation tells one how to install keycloak via the server overlay. The
>>>> error you get and posted here states (please correct me if I'm wrong)
>>>> that jboss is not able to parse the configuration, since it's not compatible
>>>> with the old versions.
>>>>
>>>> So I was asking if there is a "manual" of installing keycloak
>>>> "manually" without relying on the server overlay aka configuration. By
>>>> dropping jars or wars in some jboss folders ;)
>>>>
>>>> On 17.11.15 at 20:55, Ismail Shaik wrote:
>>>>
>>>> Hi Bill,
>>>>
>>>> This is the issue I am getting when I start the server using the *"bash
>>>> standalone.sh --server-config=standalone-keycloak.xml"*
>>>>
>>>>
>>>> Ismails-MacBook-Pro:bin ismailshaik$ bash standalone.sh --server-config=standalone-keycloak.xml
>>>>
>>>> =========================================================================
>>>>
>>>>   JBoss Bootstrap Environment
>>>>
>>>>   JBOSS_HOME: /Users/ismailshaik/Jboss/jboss-eap-6.2
>>>>
>>>>   JAVA: /Library/Java/JavaVirtualMachines/jdk1.7.0_75.jdk/Contents/Home/bin/java
>>>>
>>>>   JAVA_OPTS: -server -XX:+UseCompressedOops -Xms1303m -Xmx1303m -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
>>>>
>>>> =========================================================================
>>>>
>>>> 13:53:49,193 INFO [org.jboss.modules] (main) JBoss Modules version 1.3.3.Final-redhat-1
>>>> 13:53:50,205 INFO [org.jboss.msc] (main) JBoss MSC version 1.0.4.GA-redhat-1
>>>> 13:53:50,303 INFO [org.jboss.as] (MSC service thread 1-6) JBAS015899: JBoss EAP 6.2.3.GA (AS 7.3.3.Final-redhat-SNAPSHOT) starting
>>>> 13:53:50,814 ERROR [org.jboss.as.server] (Controller Boot Thread) JBAS015956: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: JBAS014676: Failed to parse configuration
>>>>     at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:141) [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT]
>>>>     at org.jboss.as.server.ServerService.boot(ServerService.java:324) [jboss-as-server-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT]
>>>>     at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:253) [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT]
>>>>     at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75]
>>>> Caused by: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[2,1]
>>>> Message: Unexpected element '{urn:jboss:domain:1.7}server'
>>>>     at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:108) [staxmapper-1.1.0.Final-redhat-2.jar:1.1.0.Final-redhat-2]
>>>>     at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69) [staxmapper-1.1.0.Final-redhat-2.jar:1.1.0.Final-redhat-2]
>>>>     at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:133) [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT]
>>>>     ... 3 more
>>>>
>>>> 13:53:50,816 FATAL [org.jboss.as.server] (Controller Boot Thread) JBAS015957: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
>>>> 13:53:50,825 INFO [org.jboss.as] (MSC service thread 1-15) JBAS015950: JBoss EAP 6.2.3.GA (AS 7.3.3.Final-redhat-SNAPSHOT) stopped in 4ms
>>>>
>>>> Ismails-MacBook-Pro:bin ismailshaik$
>>>>
>>>>
>>>> On Tue, Nov 17, 2015 at 1:43 PM, Bill Burke <bburke at redhat.com> wrote:
>>>>
>>>>> You don't need to migrate your 7 applications. The client adapter
>>>>> should still work on EAP 6.2. If it doesn't, that's something we would fix.
>>>>> It's the server that we won't support on anything earlier.
>>>>>
>>>>> On 11/17/2015 2:29 PM, Ismail Shaik wrote:
>>>>>
>>>>>> Bill,
>>>>>>
>>>>>> Yes, if I change the server I need to migrate all my 7 applications to
>>>>>> the new JBoss EAP. Which is why I would like to have the version
>>>>>> compatible with JBoss EAP 6.2.x.
>>>>>> Thank you for the quick reply.
>>>>>>
>>>>>> On Nov 17, 2015 1:24 PM, "Bill Burke" <bburke at redhat.com> wrote:
>>>>>>
>>>>>> Is there a reason we don't work on 6.2.3?
>>>>>>
>>>>>> On 11/17/2015 2:07 PM, Ismail Shaik wrote:
>>>>>> > Marko,
>>>>>> >
>>>>>> > Can you please let me know which version of Keycloak is good for JBoss
>>>>>> > EAP 6.2.3? I have to use the JBoss EAP 6.2.3. Thanks in advance.
>>>>>> >
>>>>>> > On Tue, Nov 17, 2015 at 10:24 AM, Marko Strukelj <mstrukel at redhat.com> wrote:
>>>>>> >
>>>>>> >     You should use EAP 6.4.x. We only support that.
>>>>>> >
>>>>>> >     On Tue, Nov 17, 2015 at 5:12 PM, Ismail Shaik <ismail117 at gmail.com> wrote:
>>>>>> >
>>>>>> >         Hi,
>>>>>> >         This is Ismail, I am trying to set up SSO using Keycloak.
>>>>>> >         I extracted the *keycloak-overlay-eap6-1.6.1.Final* to my
>>>>>> >         JBoss Home which has the version 6.2.3 EAP, and when I try to
>>>>>> >         start the server I am getting the below exception
>>>>>> >
>>>>>> >         se configuration
>>>>>> >
>>>>>> >             at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:141) [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT]
>>>>>> >             at org.jboss.as.server.ServerService.boot(ServerService.java:324) [jboss-as-server-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT]
>>>>>> >             at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:253) [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT]
>>>>>> >             at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75]
>>>>>> >         Caused by: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[2,1]
>>>>>> >         Message: Unexpected element '{urn:jboss:domain:1.7}server'
>>>>>> >             at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:108) [staxmapper-1.1.0.Final-redhat-2.jar:1.1.0.Final-redhat-2]
>>>>>> >             at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69) [staxmapper-1.1.0.Final-redhat-2.jar:1.1.0.Final-redhat-2]
>>>>>> >             at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:133) [jboss-as-controller-7.3.3.Final-redhat-SNAPSHOT.jar:7.3.3.Final-redhat-SNAPSHOT]
>>>>>> >             ... 3 more
>>>>>> >
>>>>>> >         09:27:24,775 FATAL [org.jboss.as.server] (Controller Boot Thread) JBAS015957: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
>>>>>> >         09:27:24,784 INFO [org.jboss.as] (MSC service thread 1-7) JBAS015950: JBoss EAP 6.2.3.GA (AS 7.3.3.Final-redhat-SNAPSHOT) stopped in 4ms
>>>>>> >
>>>>>> >         I am running the server using below command.
>>>>>> >
>>>>>> >         bash standalone.sh --server-config=standalone-keycloak.xml
>>>>>> >
>>>>>> >         I am using the MAC OS
>>>>>> >
>>>>>> >         --
>>>>>> >         Thanks,
>>>>>> >         Ismail Shaik - 908 922 9571
>>>>>> >
>>>>>> >         _______________________________________________
>>>>>> >         keycloak-user mailing list
>>>>>> >         keycloak-user at lists.jboss.org
>>>>>> >         https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>> >
>>>>>> >
>>>>>> >     --
>>>>>> >     Thanks,
>>>>>> >     Ismail Shaik - 908 922 9571
>>>>>> >
>>>>>> >     _______________________________________________
>>>>>> >     keycloak-user mailing list
>>>>>> >     keycloak-user at lists.jboss.org
>>>>>> >     https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>>>>> --
>>>>>> Bill Burke
>>>>>> JBoss, a division of Red Hat
>>>>>> http://bill.burkecentral.com
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>>>> --
>>>>> Bill Burke
>>>>> JBoss, a division of Red Hat
>>>>> http://bill.burkecentral.com
>>>>
>>>> --
>>>> Thanks,
>>>> Ismail Shaik - 908 922 9571
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>> --
>>> Thanks,
>>> Ismail Shaik - 908 922 9571
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Thanks,
> Ismail Shaik - 908 922 9571

--
Thanks,
Ismail Shaik - 908 922 9571

From samuel.otter at gmail.com Thu Nov 19 05:38:13 2015
From: samuel.otter at gmail.com (Samuel Otter)
Date: Thu, 19 Nov 2015 11:38:13 +0100
Subject: [keycloak-user] Problems with expired user action emails
Message-ID:

Hi,

We have discovered a somewhat strange behavior with the User Action timeouts. We need to have a fairly long User Action timeout, but the links provided in the emails to the users expire well before that time.

After some digging around in the source code I think this is because both a user and a client session are created for the user action, but when the user session expires and is removed, the client session is also removed with it. If we set the User Session SSO timeout to the same value it does indeed seem to work as expected.

This seems unintentional and I can't really see why the user session is created at all in this case, as it is not really used as far as I can tell (the client session id is used in the email link)?
OTOH I am not sure why the client session is removed when the user session expires? Or have we completely misunderstood how this is supposed to work?

Anyway, as it is you can't really have a User Action timeout that is longer than the SSO Session timeout.

Thanks,
Samuel Otter

From adrianmatei at gmail.com Thu Nov 19 09:13:09 2015
From: adrianmatei at gmail.com (Adrian Matei)
Date: Thu, 19 Nov 2015 15:13:09 +0100
Subject: [keycloak-user] Proxy configuration issue
Message-ID:

Hi everyone,

I am trying to make a simple test and configure a keycloak proxy to protect an application running on http://localhost:8280/backend/

1. My proxy.json configuration looks like the following:

{
    "target-url": "http://localhost:8280/",
    "send-access-token": false,
    "bind-address": "localhost",
    "http-port": "8080",
    "applications": [
        {
            "base-path": "/backend",
            "error-page": "/error.html",
            "adapter-config": {
                "realm": "demo",
                "resource": "sandbox-backend",
                "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
                "auth-server-url": "http://localhost:8180/auth",
                "ssl-required" : "external",
                "credentials": {
                    "secret": "9323cdd6-7e0e-46ce-814f-b5ac79581395"
                }
            }
        }
    ]
}

2. I've started the proxy server as specified in the documentation: "java -jar bin/launcher.jar proxy.json"

I am getting an error "ERROR: UT005026: Jetty ALPN support not found on boot class path, SPDY client will not be available.", but the server still starts, I don't think there should be a problem with that...

3. In the admin console (keycloak running on port 8180) I've configured the backend application like the following:

Could you tell me what I am doing wrong?
When I put in the app's url in the browser it goes directly to the application...

Thanks,
Adrian

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screenshot from 2015-11-19 15:10:20.png
Type: image/png
Size: 162985 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20151119/8f824083/attachment-0001.png

From bburke at redhat.com Thu Nov 19 09:45:42 2015
From: bburke at redhat.com (Bill Burke)
Date: Thu, 19 Nov 2015 09:45:42 -0500
Subject: [keycloak-user] Proxy configuration issue
In-Reply-To:
References:
Message-ID: <564DE096.7090702@redhat.com>

Can't really see the screenshot, but you have to point keycloak to the host/port of the proxy.

On 11/19/2015 9:13 AM, Adrian Matei wrote:
> Hi everyone,
>
> I am trying to make a simple test and configure a keycloak proxy to
> protect an application running on http://localhost:8280/backend/
>
> 1.
> My proxy.json configuration looks like the following:
>
> {
>     "target-url": "http://localhost:8280/",
>     "send-access-token": false,
>     "bind-address": "localhost",
>     "http-port": "8080",
>     "applications": [
>         {
>             "base-path": "/backend",
>             "error-page": "/error.html",
>             "adapter-config": {
>                 "realm": "demo",
>                 "resource": "sandbox-backend",
>                 "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
>                 "auth-server-url": "http://localhost:8180/auth",
>                 "ssl-required" : "external",
>                 "credentials": {
>                     "secret": "9323cdd6-7e0e-46ce-814f-b5ac79581395"
>                 }
>             }
>         }
>     ]
> }
>
> 2.
> I've started the proxy server as specified in the documentation "java
> -jar bin/launcher.jar proxy.json"
> I am getting an error "ERROR: UT005026: Jetty ALPN support not found on
> boot class path, SPDY client will not be available.", but the server
> still starts, I don't think there should be a problem with that...
>
> 3. In the admin console (keycloak running on port 8180) I've configured
> the backend application like the following:
>
> Could you tell me what I am doing wrong? When I put in the app's url in
> the browser it goes directly to the application...
>
> Thanks,
> Adrian
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From atx at binaryninja.de Thu Nov 19 09:48:22 2015
From: atx at binaryninja.de (Ataraxus)
Date: Thu, 19 Nov 2015 15:48:22 +0100
Subject: [keycloak-user] keycloak.js correct usage
In-Reply-To:
References:
Message-ID: <564DE136.7030501@binaryninja.de>

Hey,

having 2 issues using keycloak.js correctly.

As for now I deployed my keycloak.json in the WEB-INF folder, but keycloak.js needs it accessible, so I have to put it outside of WEB-INF. This forces me to have it two times, is this correct?

If I login to my test site, which is essentially the view.html of the demo-template/customer-app-js example, I'm forced to relogin. This is, as far as I can tell, due to the keycloak.init({ onLoad: 'login-required' }) "login-required". If I just call keycloak.init(), keycloak doesn't retrieve a token at all. How do I use this API correctly?

Bonus question: the "myapp/k_query_bearer_token" returns an HTTP 200 but no token. I thought this one could have been an alternative to keycloak.js.

Thanks
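Bill Burke's answer in the proxy thread above comes down to a host/port mismatch: browsers must reach the application through the proxy (its bind-address and http-port, here localhost:8080), so the Keycloak client has to be pointed at the proxy rather than at the backend named in target-url. The check below, an added example and not keycloak-proxy's own code, reads that advice as being about the client's Valid Redirect URIs: it derives the expected redirect URI from proxy.json and flags a client whose registered URIs point at the backend. The realm public key and client secret are placeholders, and the registered redirect URIs are constructed for the demonstration.

```python
import json
from urllib.parse import urlparse

# Constructed sample: the proxy.json posted in the thread, with the realm public key
# and the client secret replaced by placeholders.
PROXY_JSON = """
{
  "target-url": "http://localhost:8280/",
  "send-access-token": false,
  "bind-address": "localhost",
  "http-port": "8080",
  "applications": [
    {
      "base-path": "/backend",
      "error-page": "/error.html",
      "adapter-config": {
        "realm": "demo",
        "resource": "sandbox-backend",
        "realm-public-key": "REALM_PUBLIC_KEY_PLACEHOLDER",
        "auth-server-url": "http://localhost:8180/auth",
        "ssl-required": "external",
        "credentials": {"secret": "CLIENT_SECRET_PLACEHOLDER"}
      }
    }
  ]
}
"""

REQUIRED_TOP = ("target-url", "bind-address", "http-port", "applications")


def load_proxy_config(text):
    """Parse proxy.json and fail early on the keys the checks below rely on."""
    cfg = json.loads(text)
    missing = [k for k in REQUIRED_TOP if k not in cfg]
    if missing:
        raise ValueError("proxy.json is missing keys: %s" % ", ".join(missing))
    for app in cfg["applications"]:
        if "base-path" not in app or "resource" not in app.get("adapter-config", {}):
            raise ValueError("every application needs base-path and adapter-config.resource")
    return cfg


def proxy_origin(cfg):
    """Origin browsers must use: the proxy's bind-address and http-port, not the backend."""
    return "http://%s:%s" % (cfg["bind-address"], cfg["http-port"])


def expected_redirect_uris(cfg):
    """client-id -> redirect URI pattern that routes the OIDC callback through the proxy."""
    origin = proxy_origin(cfg)
    return {app["adapter-config"]["resource"]: origin + app["base-path"] + "/*"
            for app in cfg["applications"]}


def audit_client_redirects(cfg, registered):
    """Compare each client's registered redirect URIs (client-id -> list, as entered in
    the admin console) with what the proxy needs. Empty result means consistent."""
    findings = []
    proxy = urlparse(proxy_origin(cfg)).netloc
    backend = urlparse(cfg["target-url"]).netloc
    if proxy == backend:
        findings.append("target-url points at the proxy itself (%s): requests would loop" % proxy)
    for client, expected in expected_redirect_uris(cfg).items():
        uris = registered.get(client, [])
        for uri in uris:
            if urlparse(uri).netloc == backend and backend != proxy:
                findings.append("%s: redirect URI %s goes straight to the backend, "
                                "bypassing the proxy" % (client, uri))
        if not any(urlparse(u).netloc == proxy for u in uris):
            findings.append("%s: no redirect URI reaches the proxy; register %s"
                            % (client, expected))
    return findings


if __name__ == "__main__":
    cfg = load_proxy_config(PROXY_JSON)
    # Constructed: a client registered with the backend's own address, as in the thread.
    wrong = {"sandbox-backend": ["http://localhost:8280/backend/*"]}
    for line in audit_client_redirects(cfg, wrong):
        print(line)
```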
From ismail117 at gmail.com Thu Nov 19 09:58:23 2015
From: ismail117 at gmail.com (Ismail Shaik)
Date: Thu, 19 Nov 2015 08:58:23 -0600
Subject: [keycloak-user] Database war is not deployable on Jboss EAP 6.2 with 1.1.0.Final version
Message-ID:

Hi All,

I am trying the version 1.1.0 final with EAP 6.2. I am able to configure the applications and users and roles with demo realm.

But somehow the database application is not deployable in JBoss EAP 6.2.

I am getting the following issue when I try to login in demo realm to access the customer-portal:

session of subresource org.keycloak.protocol.oidc.OpenIDConnectService will not be injected according to spec

While deploying in JBoss with the command mvn jboss-as:deploy, I am having the below stack trace in my server:

14:58:22,857 INFO [org.jboss.as.server.deployment] (MSC service thread 1-3) JBAS015876: Starting deployment of "database.war" (runtime-name: "database.war")
14:58:22,888 INFO [org.jboss.web] (ServerService Thread Pool -- 61) JBAS018210: Register web context: /database
14:58:22,892 ERROR [org.apache.catalina.startup] (ServerService Thread Pool -- 61) JBWEB001034: Cannot configure an authenticator for method KEYCLOAK
14:58:22,893 ERROR [org.jboss.web] (ServerService Thread Pool -- 61) JBAS018206: Webapp [/database] is unavailable due to startup errors
14:58:22,893 ERROR [org.apache.catalina.core] (ServerService Thread Pool -- 61) JBWEB001103: Error detected during context /database start, will stop it
14:58:22,896 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 61) MSC000001: Failed to start service jboss.web.deployment.default-host./database: org.jboss.msc.service.StartException in service jboss.web.deployment.default-host./database: org.jboss.msc.service.StartException in anonymous service: JBAS018040: Failed to start context
    at org.jboss.as.web.deployment.WebDeploymentService$1.run(WebDeploymentService.java:96)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) [rt.jar:1.7.0_75]
    at java.util.concurrent.FutureTask.run(FutureTask.java:262) [rt.jar:1.7.0_75]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_75]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_75]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75]
    at org.jboss.threads.JBossThread.run(JBossThread.java:122)
Caused by: org.jboss.msc.service.StartException in anonymous service: JBAS018040: Failed to start context
    at org.jboss.as.web.deployment.WebDeploymentService.doStart(WebDeploymentService.java:161)
    at org.jboss.as.web.deployment.WebDeploymentService.access$000(WebDeploymentService.java:60)
    at org.jboss.as.web.deployment.WebDeploymentService$1.run(WebDeploymentService.java:93)
    ... 6 more

14:58:23,109 ERROR [org.jboss.as.server] (management-handler-thread - 6) JBAS015870: Deploy of deployment "database.war" was rolled back with the following failure message: {"JBAS014671: Failed services" => {"jboss.web.deployment.default-host./database" => "org.jboss.msc.service.StartException in service jboss.web.deployment.default-host./database: org.jboss.msc.service.StartException in anonymous service: JBAS018040: Failed to start context
    Caused by: org.jboss.msc.service.StartException in anonymous service: JBAS018040: Failed to start context"}}

Can you please help me with that? I am not able to login in demo with the created roles.

Thanks,
Ismail

--
Thanks,
Ismail Shaik - 908 922 9571
From bburke at redhat.com Thu Nov 19 13:21:00 2015
From: bburke at redhat.com (Bill Burke)
Date: Thu, 19 Nov 2015 13:21:00 -0500
Subject: [keycloak-user] Database war is not deployable on Jboss EAP 6.2 with 1.1.0.Final version
In-Reply-To:
References:
Message-ID: <564E130C.5010500@redhat.com>

We don't support older community versions of Keycloak.

My guess is that you did not enable the adapter in standalone.xml. Please see our documentation on how to install the adapter.

On 11/19/2015 9:58 AM, Ismail Shaik wrote:
>
> Hi All,
>
> I am trying the version 1.1.0 final with EAP 6.2 I am able to configure
> the applications and users and roles with demo realm.
>
> But some how database application is not deployable in Jboss EAP 6.2
>
> I am getting the following issue when I try to login in demo realm to
> access the customer-portal
>
> session of subresource org.keycloak.protocol.oidc.OpenIDConnectService
> will not be injected according to spec
>
>
> while deploying in jboss with command mvn jboss-as:deploy is having
> the below stack trace in my server
>
>
> 14:58:22,857 INFO [org.jboss.as.server.deployment] (MSC service thread 1-3) JBAS015876: Starting deployment of "database.war" (runtime-name: "database.war")
>
> 14:58:22,888 INFO [org.jboss.web] (ServerService Thread Pool -- 61) JBAS018210: Register web context: /database
>
> 14:58:22,892 ERROR [org.apache.catalina.startup] (ServerService Thread Pool -- 61) JBWEB001034: Cannot configure an authenticator for method KEYCLOAK
>
> 14:58:22,893 ERROR [org.jboss.web] (ServerService Thread Pool -- 61) JBAS018206: Webapp [/database] is unavailable due to startup errors
>
> 14:58:22,893 ERROR [org.apache.catalina.core] (ServerService Thread Pool -- 61) JBWEB001103: Error detected during context /database start, will stop it
>
> 14:58:22,896 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 61) MSC000001: Failed to start service jboss.web.deployment.default-host./database: org.jboss.msc.service.StartException in service jboss.web.deployment.default-host./database: org.jboss.msc.service.StartException in anonymous service: JBAS018040: Failed to start context
>     at org.jboss.as.web.deployment.WebDeploymentService$1.run(WebDeploymentService.java:96)
>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) [rt.jar:1.7.0_75]
>     at java.util.concurrent.FutureTask.run(FutureTask.java:262) [rt.jar:1.7.0_75]
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_75]
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_75]
>     at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75]
>     at org.jboss.threads.JBossThread.run(JBossThread.java:122)
> Caused by: org.jboss.msc.service.StartException in anonymous service: JBAS018040: Failed to start context
>     at org.jboss.as.web.deployment.WebDeploymentService.doStart(WebDeploymentService.java:161)
>     at org.jboss.as.web.deployment.WebDeploymentService.access$000(WebDeploymentService.java:60)
>     at org.jboss.as.web.deployment.WebDeploymentService$1.run(WebDeploymentService.java:93)
>     ... 6 more
>
> 14:58:23,109 ERROR [org.jboss.as.server] (management-handler-thread - 6) JBAS015870: Deploy of deployment "database.war" was rolled back with the following failure message: {"JBAS014671: Failed services" => {"jboss.web.deployment.default-host./database" => "org.jboss.msc.service.StartException in service jboss.web.deployment.default-host./database: org.jboss.msc.service.StartException in anonymous service: JBAS018040: Failed to start context
>     Caused by: org.jboss.msc.service.StartException in anonymous service: JBAS018040: Failed to start context"}}
>
>
> Can you please me with that, I am not able to login in demo with the
> create roles .
> Thanks,
>
> Ismail
>
> --
> Thanks,
> Ismail Shaik - 908 922 9571
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From ismail117 at gmail.com Thu Nov 19 14:32:02 2015
From: ismail117 at gmail.com (Ismail Shaik)
Date: Thu, 19 Nov 2015 13:32:02 -0600
Subject: [keycloak-user] Database war is not deployable on Jboss EAP 6.2 with 1.1.0.Final version
In-Reply-To: <564E130C.5010500@redhat.com>
References: <564E130C.5010500@redhat.com>
Message-ID:

Can anyone suggest how to get a workable Keycloak on JBoss EAP 6.2 with the latest 1.6.1 final version? I am not getting much useful help to resolve this issue, running into lots of issues.

Thanks,
Ismail

On Thu, Nov 19, 2015 at 12:21 PM, Bill Burke wrote:
> We don't support older community versions of Keycloak.
>
> My guess is that you did not enable the adapter in standalone.xml.
> Please see our documentation on how to install the adapter.
>
> On 11/19/2015 9:58 AM, Ismail Shaik wrote:
> >
> > Hi All,
> >
> > I am trying the version 1.1.0 final with EAP 6.2 I am able to configure
> > the applications and users and roles with demo realm.
> > > > But some how database application is not deployable in Jboss EAP 6.2 > > > > I am getting the following issue when I try to login in demo realm to > > access the customer-portal > > > > session of subresource org.keycloak.protocol.oidc.OpenIDConnectService > > will not be injected according to spec > > > > > > while deploying in jboss with command mvn jboss-as:deploy is having > > the below stack trace in my server > > > > > > 14:58:22,857 INFO [org.jboss.as.server.deployment] (MSC service thread > > 1-3) JBAS015876: Starting deployment of "database.war" (runtime-name: > > "database.war") > > > > 14:58:22,888 INFO [org.jboss.web] (ServerService Thread Pool -- 61) > > JBAS018210: Register web context: /database > > > > 14:58:22,892 ERROR [org.apache.catalina.startup] (ServerService Thread > > Pool -- 61) JBWEB001034: Cannot configure an authenticator for method > > KEYCLOAK > > > > 14:58:22,893 ERROR [org.jboss.web] (ServerService Thread Pool -- 61) > > JBAS018206: Webapp [/database] is unavailable due to startup errors > > > > 14:58:22,893 ERROR [org.apache.catalina.core] (ServerService Thread Pool > > -- 61) JBWEB001103: Error detected during context /database start, will > > stop it > > > > 14:58:22,896 ERROR [org.jboss.msc.service.fail] (ServerService Thread > > Pool -- 61) MSC000001: Failed to start service > > jboss.web.deployment.default-host./database: > > org.jboss.msc.service.StartException in service > > jboss.web.deployment.default-host./database: > > org.jboss.msc.service.StartException in anonymous service: JBAS018040: > > Failed to start context > > > > at > > > org.jboss.as.web.deployment.WebDeploymentService$1.run(WebDeploymentService.java:96) > > > > at > > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) > > [rt.jar:1.7.0_75] > > > > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > > [rt.jar:1.7.0_75] > > > > at > > > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > > 
[rt.jar:1.7.0_75] > > > > at > > > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > > [rt.jar:1.7.0_75] > > > > at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75] > > > > at org.jboss.threads.JBossThread.run(JBossThread.java:122) > > > > Caused by: org.jboss.msc.service.StartException in anonymous service: > > JBAS018040: Failed to start context > > > > at > > > org.jboss.as.web.deployment.WebDeploymentService.doStart(WebDeploymentService.java:161) > > > > at > > > org.jboss.as.web.deployment.WebDeploymentService.access$000(WebDeploymentService.java:60) > > > > at > > > org.jboss.as.web.deployment.WebDeploymentService$1.run(WebDeploymentService.java:93) > > > > ... 6 more > > > > > > 14:58:23,109 ERROR [org.jboss.as.server] (management-handler-thread - 6) > > JBAS015870: Deploy of deployment "database.war" was rolled back with the > > following failure message: > > > > {"JBAS014671: Failed services" => > > {"jboss.web.deployment.default-host./database" => > > "org.jboss.msc.service.StartException in service > > jboss.web.deployment.default-host./database: > > org.jboss.msc.service.StartException in anonymous service: JBAS018040: > > Failed to start context > > > > Caused by: org.jboss.msc.service.StartException in anonymous > > service: JBAS018040: Failed to start context"}} > > > > > > > > Can you please me with that, I am not able to login in demo with the > > create roles . 
Thanks, > > > > Ismail > > > > -- > > Thanks, > > Ismail Shaik - 908 922 9571 > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Thanks, Ismail Shaik - 908 922 9571 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151119/198a3c1c/attachment-0001.html

From atx at binaryninja.de Thu Nov 19 14:36:33 2015 From: atx at binaryninja.de (Ataraxus) Date: Thu, 19 Nov 2015 20:36:33 +0100 Subject: [keycloak-user] Database war is not deployable on Jboss EAP 6.2 with 1.1.0.Final version In-Reply-To: References: <564E130C.5010500@redhat.com> Message-ID: <564E24C1.6090404@binaryninja.de>

As discussed in quite some detail, it is not going to happen; the dev team (as far as I understand) won't support you, since it's not their focus. _Only_ the adapter for JBoss 6.2 is supported. If you want to use Keycloak with JBoss EAP 6.2 you have to run Keycloak standalone and use the adapter for JBoss 6.2. Keycloak on EAP 6.2 won't happen (which also affects me, but I also can't/won't spend time on porting it back).

On 19.11.15 at 20:32, Ismail Shaik wrote: > Can anyone suggest how to get a workable Keycloak on JBoss EAP 6.2 > with the latest 1.6.1 Final version? I am not getting much useful > help to resolve this issue, and I am running into lots of issues. > > Thanks, > Ismail > > On Thu, Nov 19, 2015 at 12:21 PM, Bill Burke > wrote: > > We don't support older community versions of Keycloak. > > My guess is that you did not enable the adapter in standalone.xml. > Please see our documentation on how to install the adapter.
> > On 11/19/2015 9:58 AM, Ismail Shaik wrote: > > > > Hi All, > > > > I am trying the version 1.1.0 final with EAP 6.2 I am able to > configure > > the applications and users and roles with demo realm. > > > > But some how database application is not deployable in Jboss EAP 6.2 > > > > I am getting the following issue when I try to login in demo > realm to > > access the customer-portal > > > > session of subresource > org.keycloak.protocol.oidc.OpenIDConnectService > > will not be injected according to spec > > > > > > while deploying in jboss with command mvn jboss-as:deploy is > having > > the below stack trace in my server > > > > > > 14:58:22,857 INFO [org.jboss.as.server.deployment] (MSC service > thread > > 1-3) JBAS015876: Starting deployment of "database.war" > (runtime-name: > > "database.war") > > > > 14:58:22,888 INFO [org.jboss.web] (ServerService Thread Pool -- 61) > > JBAS018210: Register web context: /database > > > > 14:58:22,892 ERROR [org.apache.catalina.startup] (ServerService > Thread > > Pool -- 61) JBWEB001034: Cannot configure an authenticator for > method > > KEYCLOAK > > > > 14:58:22,893 ERROR [org.jboss.web] (ServerService Thread Pool -- 61) > > JBAS018206: Webapp [/database] is unavailable due to startup errors > > > > 14:58:22,893 ERROR [org.apache.catalina.core] (ServerService > Thread Pool > > -- 61) JBWEB001103: Error detected during context /database > start, will > > stop it > > > > 14:58:22,896 ERROR [org.jboss.msc.service.fail] (ServerService > Thread > > Pool -- 61) MSC000001: Failed to start service > > jboss.web.deployment.default-host./database: > > org.jboss.msc.service.StartException in service > > jboss.web.deployment.default-host./database: > > org.jboss.msc.service.StartException in anonymous service: > JBAS018040: > > Failed to start context > > > > at > > > org.jboss.as.web.deployment.WebDeploymentService$1.run(WebDeploymentService.java:96) > > > > at > > > 
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) > > [rt.jar:1.7.0_75] > > > > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > > [rt.jar:1.7.0_75] > > > > at > > > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > > [rt.jar:1.7.0_75] > > > > at > > > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > > [rt.jar:1.7.0_75] > > > > at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75] > > > > at org.jboss.threads.JBossThread.run(JBossThread.java:122) > > > > Caused by: org.jboss.msc.service.StartException in anonymous > service: > > JBAS018040: Failed to start context > > > > at > > > org.jboss.as.web.deployment.WebDeploymentService.doStart(WebDeploymentService.java:161) > > > > at > > > org.jboss.as.web.deployment.WebDeploymentService.access$000(WebDeploymentService.java:60) > > > > at > > > org.jboss.as.web.deployment.WebDeploymentService$1.run(WebDeploymentService.java:93) > > > > ... 6 more > > > > > > 14:58:23,109 ERROR [org.jboss.as.server] > (management-handler-thread - 6) > > JBAS015870: Deploy of deployment "database.war" was rolled back > with the > > following failure message: > > > > {"JBAS014671: Failed services" => > > {"jboss.web.deployment.default-host./database" => > > "org.jboss.msc.service.StartException in service > > jboss.web.deployment.default-host./database: > > org.jboss.msc.service.StartException in anonymous service: > JBAS018040: > > Failed to start context > > > > Caused by: org.jboss.msc.service.StartException in anonymous > > service: JBAS018040: Failed to start context"}} > > > > > > > > Can you please me with that, I am not able to login in demo with the > > create roles . 
Thanks, > > > > Ismail > > > > -- > > Thanks, > > Ismail Shaik - 908 922 9571 > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > -- > Thanks, > Ismail Shaik - 908 922 9571 > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151119/e672f8e4/attachment.html

From ismail117 at gmail.com Thu Nov 19 16:09:25 2015 From: ismail117 at gmail.com (Ismail Shaik) Date: Thu, 19 Nov 2015 15:09:25 -0600 Subject: [keycloak-user] Can I apply SSO using key cloak for different application Message-ID:

Hi, this is Ismail. I want to use an SSO mechanism for different applications which are running on different web servers; for example, one Python and Angular application is running on an Nginx web server and other applications are running on JBoss. Can I configure the Python application in Keycloak so that I can use the same credentials from my LDAP? Please let me know; I appreciate your responses. -- Thanks, Ismail Shaik - 908 922 9571 -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151119/b6185a9c/attachment.html

From bburke at redhat.com Thu Nov 19 16:14:43 2015 From: bburke at redhat.com (Bill Burke) Date: Thu, 19 Nov 2015 16:14:43 -0500 Subject: [keycloak-user] Can I apply SSO using key cloak for different application In-Reply-To: References: Message-ID: <564E3BC3.1040105@redhat.com>

There are 2 options for your Python app: * Use Keycloak Proxy in front of Nginx. See our docs for more details. * Use Apache HTTPD + mod_auth_mellon (SAML) in front of your Python app.

On 11/19/2015 4:09 PM, Ismail Shaik wrote: > Hi > > This is Ismail, I want to use an SSO mechanism to apply for different > applications which are running on different web servers > > for example one Python and Angular application is running on an Nginx web > server and other applications running on JBoss. Can I configure the > Python application in Keycloak so that I can use the same credentials > from my LDAP? > > Please let me know, I appreciate your responses. > > > -- > Thanks, > Ismail Shaik - 908 922 9571 > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

From ismail117 at gmail.com Thu Nov 19 16:21:53 2015 From: ismail117 at gmail.com (Ismail Shaik) Date: Thu, 19 Nov 2015 15:21:53 -0600 Subject: [keycloak-user] Can I apply SSO using key cloak for different application In-Reply-To: <564E3BC3.1040105@redhat.com> References: <564E3BC3.1040105@redhat.com> Message-ID:

Hi Bill, thanks for the quick response. I am using SAML 2.0 through Keycloak. My basic question is "How can I configure a Python application in Keycloak?".
I saw all your YouTube videos: initially you created applications, then created roles and users, and then made changes to those applications, like creating keycloak.json and making changes in the web.xml file. But for a Python application, how can I configure and add all those changes you applied before and deploy it, as with JBoss? Do I need to take another approach for this Python application? I am able to create the user federation which uses my LDAP; the test is successful. I appreciate your help. Thanks, Ismail Shaik.

On Thu, Nov 19, 2015 at 3:14 PM, Bill Burke wrote: > There are 2 options for your Python app: > > * Use Keycloak Proxy in front of Nginx. See our docs for more details. > * Use Apache HTTPD + mod_auth_mellon (SAML) in front of your Python app. > > > > On 11/19/2015 4:09 PM, Ismail Shaik wrote: > > Hi > > > > This is Ismail, I want to use an SSO mechanism to apply for different > > applications which are running on different web servers > > > > for example one Python and Angular application is running on an Nginx web > > server and other applications running on JBoss. Can I configure the > > Python application in Keycloak so that I can use the same credentials > > from my LDAP? > > > > Please let me know, I appreciate your responses. > > > > > > -- > > Thanks, > > Ismail Shaik - 908 922 9571 > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Thanks, Ismail Shaik - 908 922 9571 -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151119/92f573a9/attachment-0001.html From bburke at redhat.com Thu Nov 19 21:34:22 2015 From: bburke at redhat.com (Bill Burke) Date: Thu, 19 Nov 2015 21:34:22 -0500 Subject: [keycloak-user] Can I apply SSO using key cloak for different application In-Reply-To: References: <564E3BC3.1040105@redhat.com> Message-ID: <564E86AE.9080600@redhat.com> We do not have a Python adapter. Go Google "Python SAML" and you'll find a couple. Again the other options are: * Keycloak Proxy in front of your Python app * Apache HTTPD + mod_auth_mellon. On 11/19/2015 4:21 PM, Ismail Shaik wrote: > Hi Bill, > > Thanks for the quick response, I am using the SAML 2.0 through key cloak. > > My basic question is "How can I configure Python Application in key > cloak?". I saw all your you tube videos initially you created > applications and then created roles and users and then made changes to > those applications like creating key cloak.json and changes in web.xml > file . > > But for python application how can I configure and add all those changes > you applied before and deploy as : jboss . > > Do i need to take another approach for this python application ?. > > I am able to create the user federation which used my LDAP the test is > successful. > > appreciate your help. > > Thanks, > Ismail Shaik. > > On Thu, Nov 19, 2015 at 3:14 PM, Bill Burke > wrote: > > There are 2 options for your python app: > > * Use Keycloak Proxy in front of Ngenix. See our docs for more details. > * Use Apache HTTPD + mod-auth-mellon (SAML) in front of your python app. > > > > On 11/19/2015 4:09 PM, Ismail Shaik wrote: > > Hi > > > > This is Ismail , I want to use SSO mechanism to apply for different > > applications which are running on different web applications > > > > for example one python and angular application is running on > Ngenix web > > server and and other applications running on Jboss . 
Can I > configure the > > Python application in Keycloak so that I can use the same > credentials > > from my LDAP? > > > > Please let me know, I appreciate your responses. > > > > > > -- > > Thanks, > > Ismail Shaik - 908 922 9571 > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > -- > Thanks, > Ismail Shaik - 908 922 9571 -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

From thomas.raehalme at aitiofinland.com Fri Nov 20 01:47:41 2015 From: thomas.raehalme at aitiofinland.com (Thomas Raehalme) Date: Fri, 20 Nov 2015 08:47:41 +0200 Subject: [keycloak-user] Can I apply SSO using key cloak for different application In-Reply-To: <564E86AE.9080600@redhat.com> References: <564E3BC3.1040105@redhat.com> <564E86AE.9080600@redhat.com> Message-ID:

Hi, On Fri, Nov 20, 2015 at 4:34 AM, Bill Burke wrote: > We do not have a Python adapter. Go Google "Python SAML" and you'll > find a couple. Again the other options are: > > * Keycloak Proxy in front of your Python app > * Apache HTTPD + mod_auth_mellon. > Wouldn't mod_auth_openidc[1] work as well, using OpenID Connect? [1] https://github.com/pingidentity/mod_auth_openidc Best regards, Thomas -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151120/52ab8c6e/attachment.html

From khirschmann at huebinet.de Fri Nov 20 03:46:00 2015 From: khirschmann at huebinet.de (Kevin Hirschmann) Date: Fri, 20 Nov 2015 09:46:00 +0100 Subject: [keycloak-user] Best practice: Server to Server authentication Message-ID: <025001d1236f$e1b4a770$a51df650$@huebinet.de>

Hello, has anyone experience or advice on how to handle the following situation? I have my application running on a Keycloak-secured WildFly instance. Another application wants to make REST calls from an IIS server to my application. Of course the user is not willing to provide credentials a second time, but the calls must be associated with the user. It must not be a shared account in Keycloak which is used for all users on the IIS. What is the right way (the Keycloak way) to approach this? Thanks for your help.

Kevin Hirschmann HUEBINET Informationsmanagement GmbH & Co. KG An der Königsbach 8 56075 Koblenz Registered office and court of registration: Koblenz HRA 5329 General partner of the KG: HUEBINET GmbH; registered office and court of registration: Koblenz HRB 6857 Management: Frank Hüttmann; Michael Biemer

Email communication with HUEBINET Informationsmanagement GmbH & Co. KG is only intended to provide information of a general kind, and shall not be used for any statement with binding contents in respect to legal relations.
It is not totally possible to prevent a third party from manipulating emails and email contents. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151120/35a1b5be/attachment.html

From pavel.masloff at gmail.com Fri Nov 20 06:18:03 2015 From: pavel.masloff at gmail.com (Pavel Maslov) Date: Fri, 20 Nov 2015 12:18:03 +0100 Subject: [keycloak-user] [OAuth2.0] Authorization grant & Get token urls Message-ID:

Hi everyone, from the user documentation I could not find the authorization grant URL (a la GitHub's https://github.com/login/oauth/authorize) and the get-token URL (a la https://github.com/login/oauth/access_token). I presume it's {keycloak_base}/realms/{realm-name}/protocol/openid-connect/auth?client_id={client_name}&response_type=code and {keycloak_base}/realms/{realm-name}/protocol/openid-connect/token respectively, but I am not sure. I would like to follow the standard OAuth2.0 workflow: 1. Get the auth grant (GET on https://github.com/login/oauth/authorize) 2. Get an access token in exchange for the auth grant code (POST on https://github.com/login/oauth/access_token) 3. Use the resource using the access token gotten in step 2. Please correct me if I am wrong. Thanks. Regards, Pavel Maslov, MSc -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151120/4417916c/attachment.html

From adrianmatei at gmail.com Fri Nov 20 06:31:05 2015 From: adrianmatei at gmail.com (Adrian Matei) Date: Fri, 20 Nov 2015 12:31:05 +0100 Subject: [keycloak-user] Proxy configuration issue (Bill Burke) Message-ID:

Hi Bill, thank you for your answer, but I still don't seem to get Keycloak to "catch" my requests against the protected application. Let me make the scenario clear: 1. The application to be protected runs on http://localhost:8280/backend 2.
The proxy server is started and runs on http://localhost:8080; when I type http://localhost:8080/backend in the browser I see the protected application 3. The Keycloak server runs on http://localhost:8180/auth 4. The adapter config in the "applications" section now corresponds to the proxy client I have configured in the Keycloak realm: Client ID: proxy Client Protocol: openid-connect Access Type: confidential Valid Redirect URIs: http://localhost:8080/backend/*

I am not sure how to configure the proxy server; now I have the following:

{
  "target-url": "http://localhost:8280/",   ???
  "send-access-token": false,
  "bind-address": "localhost",
  "http-port": "8080",   ???
  "applications": [
    {
      "base-path": "/backend",
      "error-page": "/error.html",
      "adapter-config": {
        "realm": "demo",
        "resource": "proxy",
        "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
        "auth-server-url": "http://localhost:8180/auth",
        "ssl-required": "external",
        "principal-attribute": "name",
        "credentials": {
          "secret": "4ef4196d-9e86-4795-9219-dc1288b87c2b"
        }
      }
    }
  ]
}

Questions: 1. I set the target-url to the URL of the application the proxy server is proxying; does this mean the server can only proxy applications on the same URL? 2. What am I doing wrong :((((? Thanks a bunch, Adrian

"Can't really see the screenshot, but you have to point keycloak to the host/port of the proxy.
On 11/19/2015 9:13 AM, Adrian Matei wrote: > Hi everyone, > > I am trying to make a simple test and configure a keycloak proxy to > protect an application running on http://localhost:8280/backend/ > >on looks like the following: > > > > { > > "target-url": "http://localhost:8280/", > > "send-access-token": false, > > "bind-address": "localhost", > > "http-port": "8080", > > "applications": [ > > { > > "base-path": "/backend", > > "error-page": "/error.html", > > "adapter-config": { > > "realm": "demo", > > "resource": "sandbox-backend", > > "realm-public-key": > > > "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB", > > "auth-server-url": "http://localhost:8180/auth", > > "ssl-required" : "external", > > "credentials": { > > "secret": "9323cdd6-7e0e-46ce-814f-b5ac79581395" > > } > > } > > } > > ] > > } > > > > 2. > > I've started the proxy server as specified in the documentation "java > > -jar bin/launcher.jar proxy.json" > > I am getting an error "ERROR: UT005026: Jetty ALPN support not found on > > boot class path, SPDY client will not be available.", but the server > > still starts, I don't think there should be a problem with that... > > > > 3. In the admin console (keycloak running on port 8180) I've configured > > the backend application like the following: > > > > Could you tell me what I am doing wrong? When I put in the app's url in > > the browser it goes directly to the application... > > > > Thanks, > > Adrian" -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151120/31e16d2e/attachment-0001.html

From mposolda at redhat.com Fri Nov 20 07:41:44 2015 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 20 Nov 2015 13:41:44 +0100 Subject: [keycloak-user] [OAuth2.0] Authorization grant & Get token urls In-Reply-To: References: Message-ID: <564F1508.4080104@redhat.com>

On 20/11/15 12:18, Pavel Maslov wrote: > Hi everyone, > > > From the user documentation I could not find the authorization grant > url (a la github's https://github.com/login/oauth/authorize) and Get > token url (a la https://github.com/login/oauth/access_token). > > I presume it's > {keycloak_base}/realms/{realm-name}/protocol/openid-connect/auth?client_id={client_name}&response_type=code > and > {keycloak_base}/realms/{realm-name}/protocol/openid-connect/token > respectively, > but I am not sure.

Yes, your URLs are correct. However, if you want to use the default Authorization Code Grant flow and browser applications, you can just use our adapters. You don't even need to know the authorization grant URL and token URL, as the adapters handle all the redirections and exchanges for you. I suggest taking a look at our examples. And here are the docs for the adapters: http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html Marek

> > I would like to follow the standard OAuth2.0 workflow: > > 1. Get Auth grant (GET on https://github.com/login/oauth/authorize) > 2. Get access token in exchange for the auth grant code (POST on > https://github.com/login/oauth/access_token) > 3. Use the resource using the access token gotten in step 2. > > Please, correct me if I am wrong. > Thanks. > > Regards, > Pavel Maslov, MSc > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed...
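The three-step flow Pavel describes and Marek confirms, written out as an added example (this is not code from the thread or from the Keycloak project): a minimal confidential client in Python that builds the authorization URL against /realms/{realm}/protocol/openid-connect/auth with an unguessable state, refuses the callback unless the state matches, and exchanges the code at /realms/{realm}/protocol/openid-connect/token. The realm "demo", the client id, secret and redirect URI are made-up values, and the `post` callable can be injected so the exchange can be exercised without a running server.

```python
"""Authorization Code Grant against Keycloak's OpenID Connect endpoints.

Added example, not code from this thread or from the Keycloak project.
Endpoint paths are the ones confirmed above:
  {base}/realms/{realm}/protocol/openid-connect/auth
  {base}/realms/{realm}/protocol/openid-connect/token
Realm, client id, client secret and redirect URI are made-up values.
"""
import base64
import hmac
import json
import os
import urllib.error
import urllib.parse
import urllib.request


class OAuthError(Exception):
    """A step of the flow failed or the callback looks tampered with."""


def auth_endpoint(base, realm):
    return f"{base.rstrip('/')}/realms/{realm}/protocol/openid-connect/auth"


def token_endpoint(base, realm):
    return f"{base.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def new_state():
    # Unguessable per-login value. The client keeps it in the user's session
    # and compares it on the callback, so a forged redirect cannot bind the
    # victim's session to an attacker's authorization (login CSRF).
    return base64.urlsafe_b64encode(os.urandom(24)).rstrip(b"=").decode()


def build_authorization_url(base, realm, client_id, redirect_uri, state,
                            scope="openid"):
    """Step 1: the URL the browser is sent to (GET)."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": scope,
    }
    return auth_endpoint(base, realm) + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 1, return leg: take the code out of the redirect back to
    redirect_uri. The state is checked before anything else is trusted."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not expected_state or not hmac.compare_digest(
            state.encode(), expected_state.encode()):
        raise OAuthError("state mismatch: possible CSRF or replayed callback")
    if "error" in query:
        raise OAuthError("authorization server returned: " + query["error"][0])
    code = query.get("code", [None])[0]
    if not code:
        raise OAuthError("callback carried no authorization code")
    return code


def exchange_code(base, realm, client_id, client_secret, code, redirect_uri,
                  post=None):
    """Step 2: POST the code to the token endpoint. A confidential client
    sends its secret in the form body; redirect_uri must equal the one used
    in step 1. `post` is injectable so the exchange can run offline."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    status, body = (post or _http_post_form)(token_endpoint(base, realm), form)
    data = json.loads(body)
    if status != 200 or "access_token" not in data:
        raise OAuthError("token request failed: %s" % data.get("error", status))
    if str(data.get("token_type", "")).lower() != "bearer":
        raise OAuthError("unexpected token_type: %r" % data.get("token_type"))
    return data  # access_token (step 3: send it as "Authorization: Bearer ...")


def _http_post_form(url, form):
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()
```

The token_type is compared case-insensitively because the capitalisation of "bearer" in the token response is not something a client should depend on, and a non-200 answer is reported with the server's own `error` value rather than silently treated as success. The state check runs before the code is even read, which is the order that matters: a callback with a wrong or missing state is an attack or a bug, not a login.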
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151120/a586c0fd/attachment.html

From mposolda at redhat.com Fri Nov 20 07:48:00 2015 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 20 Nov 2015 13:48:00 +0100 Subject: [keycloak-user] Best practice: Server to Server authentication In-Reply-To: <025001d1236f$e1b4a770$a51df650$@huebinet.de> References: <025001d1236f$e1b4a770$a51df650$@huebinet.de> Message-ID: <564F1680.4020603@redhat.com>

Hi, do I understand correctly that you have: 1) a UI application, which handles redirection to the Keycloak login screen etc. and has the access token available; 2) REST Application 1; 3) REST Application 2. The user wants to send the accessToken to RESTApp1, and this RESTApp1 wants to send another REST request to RESTApp2. Is that correct? I wonder whether you can just send the same accessToken used for RESTApp1 for authentication to RESTApp2. Or do I not understand your environment correctly? Marek

On 20/11/15 09:46, Kevin Hirschmann wrote: > > Hello, > > has anyone experience or advice on how to handle the following situation? > > I have my application running on a Keycloak-secured WildFly instance. > Another application > > wants to make REST calls from an IIS server to my application. Of > course the user is not > > willing to provide credentials a second time, but the calls must be > associated with the user. > > It must not be a shared account in Keycloak which is used for all > users on the IIS. > > What is the right way (the Keycloak way) to approach this? > > Thanks for your help. > > Kevin Hirschmann > > HUEBINET Informationsmanagement GmbH & Co. KG > > HUEBINET Informationsmanagement GmbH & Co.
KG > > An der Königsbach 8 > > 56075 Koblenz > > Registered office and court of registration: Koblenz HRA 5329 > > General partner of the KG: > > HUEBINET GmbH; > > registered office and court of registration: Koblenz HRB 6857 > > Management: > > Frank Hüttmann; Michael Biemer > > > > Email communication with HUEBINET Informationsmanagement GmbH & Co. KG > is only intended to provide information of a general kind, and shall > not be used for any statement with binding contents in respect to > legal relations. It is not totally possible to prevent a third party > from manipulating emails and email contents. > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151120/8167e239/attachment.html

From pavel.masloff at gmail.com Fri Nov 20 07:58:40 2015 From: pavel.masloff at gmail.com (Pavel Maslov) Date: Fri, 20 Nov 2015 13:58:40 +0100 Subject: [keycloak-user] [OAuth2.0] Authorization grant & Get token urls In-Reply-To: <564F1508.4080104@redhat.com> References: <564F1508.4080104@redhat.com> Message-ID:

Hey Marek, as far as I understood, adapters are used on the resource side (e.g. the API you would like to secure with Keycloak). Here, I am calling the API (resource) from a 3rd-party application (client).
First it needs a user's consent to use the API on his behalf. Then it gets the auth_code, which is then used to obtain the access token. Then the client is free to utilize the API on behalf of the user. Does the Keycloak auth workflow differ slightly from the standard OAuth2.0 procedure? Or am I missing something? Thanks. Regards, Pavel Maslov, MSc On Fri, Nov 20, 2015 at 1:41 PM, Marek Posolda wrote: > On 20/11/15 12:18, Pavel Maslov wrote: > > Hi everyone, > > > >From the user documentation I could not find the authorization grant url > (a la github's > https://github.com/login/oauth/authorize) and Get token url (a la > > https://github.com/login/oauth/access_token). > > I presume it's > {keycloak_base}/realms/{realm-name}/protocol/openid-connect/auth?client_id={client_name}&response_type=code > and > {keycloak_base}/realms/{realm-name}/protocol/openid-connect/token > respectively, > but I am not sure. > > Yes, your URLs are correct. However if you want to use the default > Authorization Code Grant flow and browser applications, you can just use > our adapters. You don't even need to know the authorization grant url and > token URL as adapters handle all the redirections and exchanges for you. > > I suggest to take a look at our examples . > > And here is the docs for adapters: > http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html > > Marek > > > I would like to follow the standard OAuth2.0 workflow: > > 1. Get Auth grant (GET on > https://github.com/login/oauth/authorize) > 2. Get access token in exchange for the auth grant code (POST on > > https://github.com/login/oauth/access_token) > 3. Use the resource using the access token gotten in step 2. > > Please, correct me if I am wrong. > Thanks. 
>
> Regards,
> Pavel Maslov, MSc
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151120/3a1143de/attachment-0001.html

From bburke at redhat.com Fri Nov 20 10:09:59 2015
From: bburke at redhat.com (Bill Burke)
Date: Fri, 20 Nov 2015 10:09:59 -0500
Subject: [keycloak-user] Proxy configuration issue (Bill Burke)
In-Reply-To: 
References: 
Message-ID: <564F37C7.9010007@redhat.com>

That all looks right. What are the problems you are seeing? I don't see them listed explicitly in this email thread.

On 11/20/2015 6:31 AM, Adrian Matei wrote:
> Hi Bill,
>
> Thank you for your answer, but I still don't seem to get Keycloak to
> "catch" my requests against the protected application.
> Let me make the scenario clear:
>
> 1. Application to be protected runs on http://localhost:*8280*/backend
>
> 2. Server proxy started and runs on http://localhost:*8080*, when I type
> http://localhost:8080/backend in the browser I see the protected application
>
> 3. Keycloak server runs on http://localhost:*8180*/auth
>
> 4. The adapter config in the "applications" section now corresponds to the
> proxy client I have configured in the Keycloak realm:
>
> Client ID: proxy
> Client Protocol: openid-connect
> Access Type: confidential
> Valid Redirect URIs: http://localhost:8080/backend/*
>
> I am not sure how to configure the proxy Server - now I have the following:
> {
>   "target-url": "*http://localhost:8280/*", ???
>   "send-access-token": false,
>   "bind-address": "localhost",
>   "http-port": "8080", ???
>   "applications": [
>     {
>       "base-path": "*/backend*",
>       "error-page": "/error.html",
>       "adapter-config": {
>         "realm": "demo",
>         "resource": "*proxy*",
>         "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
>         "auth-server-url": "http://localhost:8180/auth",
>         "ssl-required" : "external",
>         "principal-attribute": "name",
>         "credentials": {
>           "secret": "4ef4196d-9e86-4795-9219-dc1288b87c2b"
>         }
>       }
>     }
>   ]
> }
>
> Questions:
> 1. The target-url I set it to the URL of the application the proxy
> server is proxying - this means the server can only proxy applications
> on the same URL?
> 2. What am I doing wrong :((((?
>
> Thanks a bunch,
> Adrian
>
> "Can't really see the screenshot, but you have to point keycloak to the
> host/port of the proxy.
>
> On 11/19/2015 9:13 AM, Adrian Matei wrote:
> > Hi everyone,
> >
> > I am trying to make a simple test and configure a keycloak proxy to
> > protect an application running on http://localhost:8280/backend/
> >
> >on looks like the following:
> >
> > {
> >   "target-url": "http://localhost:8280/",
> >   "send-access-token": false,
> >   "bind-address": "localhost",
> >   "http-port": "8080",
> >   "applications": [
> >     {
> >       "base-path": "/backend",
> >       "error-page": "/error.html",
> >       "adapter-config": {
> >         "realm": "demo",
> >         "resource": "sandbox-backend",
> >         "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
> >         "auth-server-url": "http://localhost:8180/auth",
> >         "ssl-required" : "external",
> >         "credentials": {
> >           "secret": "9323cdd6-7e0e-46ce-814f-b5ac79581395"
> >         }
> >       }
> >     }
> >   ]
> > }
> >
> > 2.
> > I've started the proxy server as specified in the documentation "java
> > -jar bin/launcher.jar proxy.json"
> > I am getting an error "ERROR: UT005026: Jetty ALPN support not found on
> > boot class path, SPDY client will not be available.", but the server
> > still starts, I don't think there should be a problem with that...
> >
> > 3. In the admin console (keycloak running on port 8180) I've configured
> > the backend application like the following:
> >
> > Could you tell me what I am doing wrong? When I put in the app's url in
> > the browser it goes directly to the application...
> >
> > Thanks,
> > Adrian"
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From jeff.macomber at modernizingmedicine.com Fri Nov 20 14:30:50 2015
From: jeff.macomber at modernizingmedicine.com (Jeff Macomber)
Date: Fri, 20 Nov 2015 14:30:50 -0500
Subject: [keycloak-user] Defect in the OIDCAttributeMapperHelper class
Message-ID: 

Hi,

I believe I have come across a defect in the OIDCAttributeMapperHelper class. The issue occurs when you have a String Attribute which is set with no value using a custom federation provider.
The code blows up on the line:

    return attributeValue.toString(); (Line 64)

in the section of code:

    String type = mappingModel.getConfig().get(JSON_TYPE);
    if (type == null) return attributeValue;
    if (type.equals("boolean")) {
        if (attributeValue instanceof Boolean) return attributeValue;
        if (attributeValue instanceof String) return Boolean.valueOf((String)attributeValue);
        throw new RuntimeException("cannot map type for token claim");
    } else if (type.equals("String")) {
        if (attributeValue instanceof String) return attributeValue;
        return attributeValue.toString();
    } else if (type.equals("long")) {
        if (attributeValue instanceof Long) return attributeValue;
        if (attributeValue instanceof String) return Long.valueOf((String)attributeValue);
        throw new RuntimeException("cannot map type for token claim");
    } else if (type.equals("int")) {
        if (attributeValue instanceof Integer) return attributeValue;
        if (attributeValue instanceof String) return Integer.valueOf((String)attributeValue);
        throw new RuntimeException("cannot map type for token claim");
    }
    return attributeValue;

The attribute exists with no value, which causes the attributeValue to be null, and there is no check for null at that point. I would expect it would return an empty string if the type is string and the value is null.

Thanks,
jeff
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151120/c52e62b5/attachment.html

From bburke at redhat.com Fri Nov 20 14:37:58 2015
From: bburke at redhat.com (Bill Burke)
Date: Fri, 20 Nov 2015 14:37:58 -0500
Subject: [keycloak-user] Defect in the OIDCAttributeMapperHelper class
In-Reply-To: 
References: 
Message-ID: <564F7696.7000107@redhat.com>

If the value is null, then no attribute should be set. What does "blows up" mean? NPE? Stack trace?

On 11/20/2015 2:30 PM, Jeff Macomber wrote:
> Hi,
>
> I believe I have come across a defect in the OIDCAttributeMapperHelper
> class.
> The issue occurs when you have a String Attribute which is set
> with no value using a custom federation provider. The code blows up on
> the line:
>     return attributeValue.toString(); (Line 64)
>
> in the section of code:
>     String type = mappingModel.getConfig().get(JSON_TYPE);
>     if (type == null) return attributeValue;
>     if (type.equals("boolean")) {
>         if (attributeValue instanceof Boolean) return attributeValue;
>         if (attributeValue instanceof String) return Boolean.valueOf((String)attributeValue);
>         throw new RuntimeException("cannot map type for token claim");
>     } else if (type.equals("String")) {
>         if (attributeValue instanceof String) return attributeValue;
>         return attributeValue.toString();
>     } else if (type.equals("long")) {
>         if (attributeValue instanceof Long) return attributeValue;
>         if (attributeValue instanceof String) return Long.valueOf((String)attributeValue);
>         throw new RuntimeException("cannot map type for token claim");
>     } else if (type.equals("int")) {
>         if (attributeValue instanceof Integer) return attributeValue;
>         if (attributeValue instanceof String) return Integer.valueOf((String)attributeValue);
>         throw new RuntimeException("cannot map type for token claim");
>     }
>     return attributeValue;
>
> The attribute exists with no value, which causes the attributeValue to be
> null, and there is no check for null at that point. I would expect it
> would return an empty string if the type is string and the value is null.
>
> Thanks,
> jeff
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From tmasselink at selcouth.org Fri Nov 20 18:26:37 2015
From: tmasselink at selcouth.org (Travis Masselink)
Date: Fri, 20 Nov 2015 16:26:37 -0700
Subject: [keycloak-user] Error upgrading database, 1.2.0.Final to 1.6.1.Final
In-Reply-To: 
References: <564A0EA6.1090208@intelbras.com.br> <564A2BF8.8040301@intelbras.com.br>
Message-ID: 

That didn't work for me. I tried 1.2 -> 1.5, 1.2 -> 1.4 and then 1.2 -> 1.3.1 (success) -> 1.4. But all failed. I then cloned the project and built 1.7 and tried 1.2 -> 1.7. This also failed. In all cases it looks like 1.4 is the problem, as this is the exception I get with all versions but 1.3.1:

6:10:43,401 ERROR [org.keycloak.services.resources.KeycloakApplication] (ServerService Thread Pool -- 62) Failed to migrate datamodel: java.lang.NullPointerException
    at org.keycloak.models.ImpersonationConstants.setupMasterRealmRole(ImpersonationConstants.java:26)
    at org.keycloak.models.ImpersonationConstants.setupImpersonationService(ImpersonationConstants.java:47)
    at org.keycloak.migration.migrators.*MigrateTo1_4_0*.migrate(MigrateTo1_4_0.java:30)

On Tue, Nov 17, 2015 at 12:39 AM, Lohitha Chiranjeewa wrote:
> Had the exact problem a few moments ago, thanks for clarifying.
>
> Regards,
> Lohitha.
>
> On Tue, Nov 17, 2015 at 12:48 AM, Felipe Braun Azambuja <
> felipe.braun at intelbras.com.br> wrote:
>
>> Great! Thanks for the quick reply. Upgraded now :)
>>
>> On 16/11/2015 16:13, Stian Thorgersen wrote:
>> > Hi,
>> >
>> > There's an issue with upgrading to 1.6 from 1.2.
>> > It will be fixed in
>> > 1.7, but you can bypass the issue by first upgrading to 1.5 then to 1.6
>> >
>> > On 16 November 2015 at 18:13, Felipe Braun Azambuja
>> > wrote:
>> >
>> >     Hey all,
>> >
>> >     I'm trying to upgrade Keycloak in our test instance, but I'm getting a
>> >     really generic error while trying to start the service:
>> >
>> >     15:09:35,559 INFO [org.hibernate.hql.internal.ast.ASTQueryTranslatorFactory] (ServerService Thread Pool -- 60) HHH000397: Using ASTQueryTranslatorFactory
>> >     15:09:35,594 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 60) HV000001: Hibernate Validator 5.1.3.Final
>> >     15:09:38,643 ERROR [org.keycloak.services.resources.KeycloakApplication] (ServerService Thread Pool -- 60) Failed to migrate datamodel: java.lang.NullPointerException
>> >         at org.keycloak.migration.migrators.MigrateTo1_6_0.migrate(MigrateTo1_6_0.java:81)
>> >         at org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:55)
>> >         at org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:101)
>> >         at org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:86)
>> >         at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>> >         (...)
>> >
>> >     Is there any way to increase the logging level on the migration part, so
>> >     that I can try and understand where the problem with our database is?
>> >
>> >     Thanks!
>> >     --
>> >     Felipe Braun Azambuja
>> >     DBA
>> >     Information and Communication Technology
>> >     (48) 3281 9577
>> >     felipe.braun at intelbras.com.br
>> >     This message, including its attachments, contains information protected
>> >     by law, subject to privilege and/or confidentiality, and may not be
>> >     retransmitted, filed, disclosed or copied without the authorization
>> >     of the sender.
>> >     The sender uses e-mail in the exercise of his work
>> >     or by reason of it, and this institution is exempt from
>> >     any liability for improper use. If you have
>> >     received this message by mistake, please inform the sender
>> >     by replying immediately to this e-mail, and then delete it from
>> >     your computer.
>> >
>> >     The information contained in this e-mail and its attachments are
>> >     protected by law, subjected to privilege and/or confidentiality and
>> >     cannot be retransmitted, filed, disclosed or copied without
>> >     authorization from the sender. The sender uses the electronic mail
>> >     in the exercise of his/her work or by virtue thereof, and the
>> >     institution accepts no liability from its undue use. If you have
>> >     received this message by mistake, please notify us immediately by
>> >     returning the e-mail and deleting this message from your system.
>> >
>> >     _______________________________________________
>> >     keycloak-user mailing list
>> >     keycloak-user at lists.jboss.org
>> >     https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>>
>> --
>> Felipe Braun Azambuja
>> DBA
>> Information and Communication Technology
>> (48) 3281 9577
>> felipe.braun at intelbras.com.br
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151120/adfce7d1/attachment-0001.html

From josephsuero at gmail.com Fri Nov 20 19:41:56 2015
From: josephsuero at gmail.com (Jose Suero)
Date: Fri, 20 Nov 2015 20:41:56 -0400
Subject: [keycloak-user] Securing dynamic services
Message-ID: 

I've installed keycloak to secure a software as a service application that allows users to create scripts they can run as services. For the authentication part keycloak works like a charm: users are required to enter a login and I get their roles and everything. The idea is to let users create services and roles, and assign them to users; this all works.

The issue I'm having is authorization: since I have no knowledge beforehand of what services or roles will be created, I can't use Security Constraints in web.xml or annotations.
Since I have the roles I could write a function that does authorizations, but I would love for keycloak to do it for me. I'm already passing realms to keycloak as in the multi-tenant example; is there any way I could assign urls to roles I create, so keycloak checks whether or not I can access that url?

thanks in advance
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151120/6ae731f9/attachment.html

From josephsuero at gmail.com Fri Nov 20 19:48:34 2015
From: josephsuero at gmail.com (Jose Suero)
Date: Fri, 20 Nov 2015 20:48:34 -0400
Subject: [keycloak-user] mobile security
Message-ID: 

I need to create a mobile application that consumes keycloak protected services; users don't create an account, but I don't want people outside the app to consume the services. How can I send the token to authenticate on the mobile app the same way I authenticate on websites, meaning having a keycloak.json key or something?

Any thoughts?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151120/c1cca669/attachment.html

From jeff.macomber at modernizingmedicine.com Sat Nov 21 12:28:48 2015
From: jeff.macomber at modernizingmedicine.com (Jeff Macomber)
Date: Sat, 21 Nov 2015 12:28:48 -0500
Subject: [keycloak-user] Defect in the OIDCAttributeMapperHelper class
In-Reply-To: 
References: 
Message-ID: 

Hi Bill,

Yes, a NPE. Here is the stack trace. Sorry, I meant to include it in the original message.
Caused by: java.lang.NullPointerException
    at org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper.mapAttributeValue(OIDCAttributeMapperHelper.java:64)
    at org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper.mapClaim(OIDCAttributeMapperHelper.java:78)
    at org.keycloak.protocol.oidc.mappers.UserAttributeMapper.setClaim(UserAttributeMapper.java:89)
    at org.keycloak.protocol.oidc.mappers.UserAttributeMapper.transformIDToken(UserAttributeMapper.java:95)
    at org.keycloak.protocol.oidc.TokenManager.transformIDToken(TokenManager.java:421)
    at org.keycloak.protocol.oidc.TokenManager$AccessTokenResponseBuilder.generateIDToken(TokenManager.java:571)
    at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildAuthorizationCodeAccessTokenResponse(TokenEndpoint.java:249)
    at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:106)
    at sun.reflect.GeneratedMethodAccessor258.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    ...

Thanks
Jeff

On Fri, Nov 20, 2015 at 2:30 PM, Jeff Macomber <
jeff.macomber at modernizingmedicine.com> wrote:
> Hi,
>
> I believe I have come across a defect in the OIDCAttributeMapperHelper
> class. The issue occurs when you have a String Attribute which is set with
> no value using a custom federation provider.
> The code blows up on the line:
>     return attributeValue.toString(); (Line 64)
>
> in the section of code:
>     String type = mappingModel.getConfig().get(JSON_TYPE);
>     if (type == null) return attributeValue;
>     if (type.equals("boolean")) {
>         if (attributeValue instanceof Boolean) return attributeValue;
>         if (attributeValue instanceof String) return Boolean.valueOf((String)attributeValue);
>         throw new RuntimeException("cannot map type for token claim");
>     } else if (type.equals("String")) {
>         if (attributeValue instanceof String) return attributeValue;
>         return attributeValue.toString();
>     } else if (type.equals("long")) {
>         if (attributeValue instanceof Long) return attributeValue;
>         if (attributeValue instanceof String) return Long.valueOf((String)attributeValue);
>         throw new RuntimeException("cannot map type for token claim");
>     } else if (type.equals("int")) {
>         if (attributeValue instanceof Integer) return attributeValue;
>         if (attributeValue instanceof String) return Integer.valueOf((String)attributeValue);
>         throw new RuntimeException("cannot map type for token claim");
>     }
>     return attributeValue;
>
> The attribute exists with no value, which causes the attributeValue to be
> null, and there is no check for null at that point. I would expect it would
> return an empty string if the type is string and the value is null.
>
> Thanks,
> jeff
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151121/2e042dd4/attachment.html

From Rens.Verhage at topicus.nl Sun Nov 22 12:53:08 2015
From: Rens.Verhage at topicus.nl (Rens Verhage)
Date: Sun, 22 Nov 2015 17:53:08 +0000
Subject: [keycloak-user] Unknown authentication mechanism KEYCLOAK
Message-ID: <9A724D14-7F34-4AE4-BDCC-345C8BFA770B@topicus.nl>

Hi all,

I'm having some trouble securing a test application with Keycloak. I downloaded the keycloak-1.6.1.Final.zip.
First thing I did was changing the datasource to PostgreSQL, and in Keycloak I configured my realm and generated a keycloak.json file.

I copied keycloak.json to the WEB-INF folder of my war project and edited my web.xml; I added this:

    KEYCLOAK
    PDC
    admin
    user

Upon boot however, Wildfly logs the following error:

"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./pdc-web" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./pdc-web: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
    Caused by: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
    Caused by: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK"}}

The only hint to fix this error that I could find was to make sure that the Keycloak subsystem is enabled in standalone/configuration/standalone.xml, which is the case as I didn't change the default config:

    ...
    ...

As my experience with Wildfly and knowledge of Keycloak is limited, what could be the problem here?

Regards,
Rens Verhage

From mposolda at redhat.com Mon Nov 23 03:12:49 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 23 Nov 2015 09:12:49 +0100
Subject: [keycloak-user] [OAuth2.0] Authorization grant & Get token urls
In-Reply-To: 
References: <564F1508.4080104@redhat.com>
Message-ID: <5652CA81.2020708@redhat.com>

Keycloak handles this scenario well. Adapters are used on the REST resource side, but also on the UI application side (an application which wants to redirect to the Keycloak login and exchange the code for a token). One of Keycloak's points is that you don't need to code anything in order to handle the OIDC / OAuth2 flow. The server part of the specification is implemented by the Keycloak auth-server and the client part of the specification is implemented by our adapters.
You don't need to care about the redirection to the keycloak login screen or exchanging the code for a token etc. Adapters do all of this for you. You can also enable "consent" for your client, in which case the user's consent screen will be displayed during authentication by the keycloak server. Again, no need to code anything custom.

When you want to send a request to a REST resource, you need to add the accessToken to the "Authorization: Bearer" header, which will authenticate the request.

Take a look at our demo examples (customer-portal, product-portal, oauth-client) for more details.

Marek

On 20/11/15 13:58, Pavel Maslov wrote:
> Hey Marek,
>
> As far as I understood, adapters are used on the Resource side (e.g.
> the API you would like to secure with Keycloak).
> Here, I am calling the API (resource) from a 3rd party application
> (client). First it needs a user's consent to use the API on his
> behalf. Then it gets the auth_code, which is then used to obtain the
> access token. Then the client is free to utilize the API on behalf of
> the user.
>
> Does the Keycloak auth workflow differ slightly from the standard
> OAuth2.0 procedure? Or am I missing something?
> Thanks.
>
> Regards,
> Pavel Maslov, MSc
>
> On Fri, Nov 20, 2015 at 1:41 PM, Marek Posolda wrote:
>
> On 20/11/15 12:18, Pavel Maslov wrote:
>> Hi everyone,
>>
>> From the user documentation I could not find the authorization grant url (a la github's
>> https://github.com/login/oauth/authorize) and Get token url (a la
>> https://github.com/login/oauth/access_token).
>>
>> I presume it's
>> {keycloak_base}/realms/{realm-name}/protocol/openid-connect/auth?client_id={client_name}&response_type=code
>> and
>> {keycloak_base}/realms/{realm-name}/protocol/openid-connect/token
>> respectively,
>> but I am not sure.
> Yes, your URLs are correct. However if you want to use the default
> Authorization Code Grant flow and browser applications, you can
> just use our adapters.
> You don't even need to know the
> authorization grant url and token URL as adapters handle all the
> redirections and exchanges for you.
>
> I suggest to take a look at our examples.
>
> And here is the docs for adapters:
> http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html
>
> Marek
>>
>> I would like to follow the standard OAuth2.0 workflow:
>>
>> 1. Get Auth grant (GET on https://github.com/login/oauth/authorize)
>> 2. Get access token in exchange for the auth grant code (POST on
>> https://github.com/login/oauth/access_token)
>> 3. Use the resource using the access token gotten in step 2.
>>
>> Please, correct me if I am wrong.
>> Thanks.
>>
>> Regards,
>> Pavel Maslov, MSc
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151123/5d42ab23/attachment-0001.html

From pavel.masloff at gmail.com Mon Nov 23 03:38:14 2015
From: pavel.masloff at gmail.com (Pavel Maslov)
Date: Mon, 23 Nov 2015 09:38:14 +0100
Subject: [keycloak-user] [OAuth2.0] Authorization grant & Get token urls
In-Reply-To: <5652CA81.2020708@redhat.com>
References: <564F1508.4080104@redhat.com> <5652CA81.2020708@redhat.com>
Message-ID: 

From your message I don't see how you can use Keycloak adapters for a Java client application (no UI) to access an API secured with Keycloak. The API resource is secured with Keycloak and is using the Keycloak adapter. The client app should invoke those two URLs (or just the second one for direct grants). I can see you only have a Javascript library (adapter) for this purpose.

Regards,
Pavel Maslov, MS
oPAC fellow at Cosylab

On Mon, Nov 23, 2015 at 9:12 AM, Marek Posolda wrote:
> Keycloak handles this scenario well.
> Adapters are used on the REST
> resource side, but also on the UI application side (an application which wants to
> redirect to the Keycloak login and exchange the code for a token).
>
> One of Keycloak's points is that you don't need to code anything in order
> to handle the OIDC / OAuth2 flow. The server part of the specification is
> implemented by the Keycloak auth-server and the client part of the specification is
> implemented by our adapters. You don't need to care about the redirection to the
> keycloak login screen or exchanging the code for a token etc. Adapters do
> all of this for you. You can also enable "consent" for your client, in which
> case the user's consent screen will be displayed during authentication by the
> keycloak server. Again, no need to code anything custom.
>
> When you want to send a request to a REST resource, you need to add the
> accessToken to the "Authorization: Bearer" header, which will authenticate the
> request.
>
> Take a look at our demo examples (customer-portal, product-portal,
> oauth-client) for more details.
>
> Marek
>
> On 20/11/15 13:58, Pavel Maslov wrote:
>
> Hey Marek,
>
> As far as I understood, adapters are used on the Resource side (e.g. the
> API you would like to secure with Keycloak).
> Here, I am calling the API (resource) from a 3rd party application
> (client). First it needs a user's consent to use the API on his behalf.
> Then it gets the auth_code, which is then used to obtain the access token.
> Then the client is free to utilize the API on behalf of the user.
>
> Does the Keycloak auth workflow differ slightly from the standard OAuth2.0
> procedure? Or am I missing something?
> Thanks.
>
> Regards,
> Pavel Maslov, MSc
>
> On Fri, Nov 20, 2015 at 1:41 PM, Marek Posolda wrote:
>
>> On 20/11/15 12:18, Pavel Maslov wrote:
>>
>> Hi everyone,
>>
>> From the user documentation I could not find the authorization grant url
>> (a la github's https://github.com/login/oauth/authorize) and Get token
>> url (a la https://github.com/login/oauth/access_token).
>>
>> I presume it's
>> {keycloak_base}/realms/{realm-name}/protocol/openid-connect/auth?client_id={client_name}&response_type=code
>> and
>> {keycloak_base}/realms/{realm-name}/protocol/openid-connect/token
>> respectively, but I am not sure.
>>
>> Yes, your URLs are correct. However if you want to use the default
>> Authorization Code Grant flow and browser applications, you can just use
>> our adapters. You don't even need to know the authorization grant url and
>> token URL as adapters handle all the redirections and exchanges for you.
>>
>> I suggest to take a look at our examples.
>>
>> And here is the docs for adapters:
>> http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html
>>
>> Marek
>>
>> I would like to follow the standard OAuth2.0 workflow:
>>
>> 1. Get Auth grant (GET on https://github.com/login/oauth/authorize)
>> 2. Get access token in exchange for the auth grant code (POST on
>> https://github.com/login/oauth/access_token)
>> 3. Use the resource using the access token gotten in step 2.
>>
>> Please, correct me if I am wrong.
>> Thanks.
>>
>> Regards,
>> Pavel Maslov, MSc
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
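The exchange this thread is about, as an added example that is not part of any message in the thread and not Keycloak's own adapter code: a headless client of the kind Pavel describes, driving the two realm URLs that Marek confirmed (GET on .../protocol/openid-connect/auth, POST on .../protocol/openid-connect/token) and then calling the resource with an "Authorization: Bearer" header, plus the direct-grant variant Pavel mentions. It is written in Python with only the standard library so it can be read and checked without a running Keycloak; the realm, client id, client secret, redirect URI, codes and the token JSON it uses are constructed placeholders, and the helper names are this example's own.

```python
"""Added example (not from the keycloak-user thread): OAuth2 authorization-code
exchange against the Keycloak realm endpoints confirmed in the thread, as a
headless client would do it. Realm, client, secret and token values below are
constructed placeholders."""
import json
import secrets
import urllib.parse
import urllib.request


def keycloak_endpoints(base_url, realm):
    """The two realm endpoints Pavel asked about and Marek confirmed."""
    root = f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect"
    return {"authorize": f"{root}/auth", "token": f"{root}/token"}


def new_state():
    """Per-request anti-CSRF value; the client stores it and checks it on the callback."""
    return secrets.token_urlsafe(24)


def authorization_url(base_url, realm, client_id, redirect_uri, state, scope="openid"):
    """Step 1: the URL the user's browser is sent to for login and consent."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return keycloak_endpoints(base_url, realm)["authorize"] + "?" + urllib.parse.urlencode(params)


def callback_state_ok(callback_url, expected_state):
    """True only if the callback carries the state we issued (constant-time compare)."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    got = query.get("state", [""])[0]
    return bool(got) and secrets.compare_digest(got.encode(), expected_state.encode())


def code_from_callback(callback_url, expected_state):
    """Extract the authorization code from the redirect back to the client."""
    if not callback_state_ok(callback_url, expected_state):
        raise ValueError("state mismatch: this callback does not answer our request")
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if "error" in query:
        raise RuntimeError("authorization server returned " + query["error"][0])
    return query["code"][0]


def token_request(base_url, realm, client_id, client_secret, code, redirect_uri):
    """Step 2: (url, form body) that exchanges the code; confidential client."""
    form = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri,  # must equal the one used in step 1
            "client_id": client_id, "client_secret": client_secret}
    return keycloak_endpoints(base_url, realm)["token"], urllib.parse.urlencode(form)


def direct_grant_request(base_url, realm, client_id, client_secret, username, password):
    """Pavel's 'just the second URL' case: resource owner password credentials grant."""
    form = {"grant_type": "password", "username": username, "password": password,
            "client_id": client_id, "client_secret": client_secret}
    return keycloak_endpoints(base_url, realm)["token"], urllib.parse.urlencode(form)


def parse_token_response(body):
    """Accept only a bearer token response; anything else is unusable for step 3."""
    data = json.loads(body)
    if "access_token" not in data or str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("token endpoint did not return a bearer access token")
    return data


def bearer_header(access_token):
    """Step 3: the header that authenticates calls to the protected REST resource."""
    return {"Authorization": "Bearer " + access_token}


def post_form(url, body):
    """Send a token request for real (network; not used by the offline checks)."""
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return parse_token_response(resp.read().decode())


if __name__ == "__main__":
    # Constructed placeholders: not a real realm, client, code or token.
    base, realm, cb = "http://localhost:8180/auth", "demo", "http://localhost:8080/cb"
    state = new_state()
    print(authorization_url(base, realm, "my-client", cb, state))
    code = code_from_callback(f"{cb}?state={state}&code=CONSTRUCTED-CODE", state)
    print(*token_request(base, realm, "my-client", "CONSTRUCTED-SECRET", code, cb))
    sample = '{"access_token": "CONSTRUCTED-TOKEN", "token_type": "bearer", "expires_in": 300}'
    print(bearer_header(parse_token_response(sample)["access_token"]))
```

The state value is generated per authorization request and compared in constant time when the browser comes back, which is what stops a code minted for someone else's session from being accepted by this client; the client secret only ever travels in the body of the token POST, so that request has to go over TLS.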
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151123/b6ff83ad/attachment.html

From mposolda at redhat.com Mon Nov 23 03:46:29 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 23 Nov 2015 09:46:29 +0100
Subject: [keycloak-user] Unknown authentication mechanism KEYCLOAK
In-Reply-To: <9A724D14-7F34-4AE4-BDCC-345C8BFA770B@topicus.nl>
References: <9A724D14-7F34-4AE4-BDCC-345C8BFA770B@topicus.nl>
Message-ID: <5652D265.8020801@redhat.com>

You also need to enable the adapter subsystem in standalone.xml :

> Hi all,
>
> I'm having some trouble securing a test application with Keycloak. I downloaded the keycloak-1.6.1.Final.zip. First thing I did was changing the datasource to PostgreSQL, and in Keycloak I configured my realm and generated a keycloak.json file.
>
> I copied keycloak.json to the WEB-INF folder of my war project and edited my web.xml; I added this:
>
>     KEYCLOAK
>     PDC
>     admin
>     user
>
> Upon boot however, Wildfly logs the following error:
>
> "WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./pdc-web" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./pdc-web: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
>     Caused by: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
>     Caused by: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK"}}
>
> The only hint to fix this error that I could find was to make sure that the Keycloak subsystem is enabled in standalone/configuration/standalone.xml, which is the case as I didn't change the default config:
>
>     ...
>     ...
>
> As my experience with Wildfly and knowledge of Keycloak is limited, what could be the problem here?
>
> Regards,
> Rens Verhage
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sascha.brose at adesso.ch Mon Nov 23 03:51:33 2015
From: sascha.brose at adesso.ch (Brose, Sascha)
Date: Mon, 23 Nov 2015 08:51:33 +0000
Subject: [keycloak-user] Planned support of Node.js, RAILS, GRAILS, and other non-Java applications
Message-ID: <26b9e8574ecf42f987af557f9505935f@EX2013-DB01.adesso.local>

Hello,

I read in the Keycloak documentation that there are plans to support Node.js, RAILS, GRAILS, and other non-Java applications. Is this support already in development, or when is it planned for? Will there also be support for scripting languages, e.g. PHP?

Best regards,
Sascha
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151123/938f2a45/attachment.html

From mposolda at redhat.com Mon Nov 23 03:52:21 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 23 Nov 2015 09:52:21 +0100
Subject: [keycloak-user] Error upgrading database, 1.2.0.Final to 1.6.1.Final
In-Reply-To: 
References: <564A0EA6.1090208@intelbras.com.br> <564A2BF8.8040301@intelbras.com.br>
Message-ID: <5652D3C5.3020002@redhat.com>

When you look at the clients of the master realm, are you seeing the master admin client for all of them? For example, if you have 3 realms: "master", "demo", "foo", you should see all those clients under the master realm:
- foo-realm
- master-realm
- demo-realm

Is it the case?

Thanks,
Marek

On 21/11/15 00:26, Travis Masselink wrote:
> That didn't work for me. I tried 1.2 -> 1.5, 1.2 -> 1.4 and then 1.2
> -> 1.3.1 (success) -> 1.4. But all failed. I then cloned the project
> and built 1.7 and tried 1.2 -> 1.7. This also failed.
In all cases it > looks like 1.4 is the problem as this is the exception I get with all > versions but 1.3.1: > > 6:10:43,401 ERROR > [org.keycloak.services.resources.KeycloakApplication] (ServerService > Thread Pool -- 62) Failed to migrate datamodel: > java.lang.NullPointerException > at > org.keycloak.models.ImpersonationConstants.setupMasterRealmRole(ImpersonationConstants.java:26) > at > org.keycloak.models.ImpersonationConstants.setupImpersonationService(ImpersonationConstants.java:47) > at > org.keycloak.migration.migrators.*MigrateTo1_4_0*.migrate(MigrateTo1_4_0.java:30) > > On Tue, Nov 17, 2015 at 12:39 AM, Lohitha Chiranjeewa > > wrote: > > Had the exact problem a few moments ago, thanks for clarifying. > > Regards, > Lohitha. > > On Tue, Nov 17, 2015 at 12:48 AM, Felipe Braun Azambuja > > wrote: > > Great! Thanks for the quick reply. Upgraded now :) > > On 16/11/2015 16:13, Stian Thorgersen wrote: > > Hi, > > > > There's an issue with upgrading to 1.6 from 1.2. It will be > fixed in > > 1.7, but you can bypass the issue by first upgrading to 1.5 > then to 1.6 > > > > On 16 November 2015 at 18:13, Felipe Braun Azambuja > > > >> > > wrote: > > > > Hey all, > > > > I'm trying to upgrade Keycloak in our test instance, but > I'm getting a > > really generic error while trying to start the service: > > > > 15:09:35,559 INFO > > [org.hibernate.hql.internal.ast.ASTQueryTranslatorFactory] > > (ServerService Thread Pool -- 60) HHH000397: Using > > ASTQueryTranslatorFactory > > 15:09:35,594 INFO > [org.hibernate.validator.internal.util.Version] > > (ServerService Thread Pool -- 60) HV000001: Hibernate > Validator > > 5.1.3.Final > > 15:09:38,643 ERROR > [org.keycloak.services.resources.KeycloakApplication] > > (ServerService Thread Pool -- 60) Failed to migrate > datamodel: > > java.lang.NullPointerException > > at > > > org.keycloak.migration.migrators.MigrateTo1_6_0.migrate(MigrateTo1_6_0.java:81) > > at > > > 
org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:55) > > at > > > org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:101) > > at > > > org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:86) > > at > > > sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native > Method) > > (...) > > > > Is there any way to increase logging level on the > migration part, so > > that I can try and understand where's the problem with > our database? > > > > > > Thanks! > > -- > > Felipe Braun Azambuja > > DBA > > Information and Communication Technology > > (48) 3281 9577 > > felipe.braun at intelbras.com.br > > > > > The information contained in this e-mail and its > attachments are > > protected by law, subjected to privilege and/or > confidentiality and > > cannot be retransmitted, filed, disclosed or copied without > > authorization from the sender. The sender uses the > electronic mail > > in the exercise of his/her work or by virtue thereof, > and the > > institution accepts no liability from its undue use. If > you have > > received this message by mistake, please notify us > immediately by > > returning the e-mail and deleting this message from your > system. 
> > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > -- > Felipe Braun Azambuja > DBA > Information and Communication Technology > (48) 3281 9577 > felipe.braun at intelbras.com.br 
> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151123/88ab98c8/attachment-0001.html From Rens.Verhage at topicus.nl Mon Nov 23 04:05:24 2015 From: Rens.Verhage at topicus.nl (Rens Verhage) Date: Mon, 23 Nov 2015 09:05:24 +0000 Subject: [keycloak-user] Unknown authentication mechanism KEYCLOAK In-Reply-To: <5652D265.8020801@redhat.com> References: <9A724D14-7F34-4AE4-BDCC-345C8BFA770B@topicus.nl> <5652D265.8020801@redhat.com> Message-ID: <0A0940F3-8A44-4420-97EE-5F648712E68A@topicus.nl> Ah, I didn't install the adapter. I was under the impression that everything in the download with wildfly container would be pre-configured. Having read the adapter chapter, I understand why this assumption was wrong. Thanks! > On Nov 23, 2015, at 09:46, Marek Posolda wrote: > > You also need to enable adapter subsystem in standalone.xml : > > > > > Take a look at docs (especially adapter part) for more details. > > Marek > > > On 22/11/15 18:53, Rens Verhage wrote: >> Hi all, >> >> I'm having some trouble securing a test application with Keycloak. I downloaded the keycloak-1.6.1.Final.zip. First thing I did was changing the datasource to PostgreSQL and in Keycloak configured my realm and generated a keycloak.json file. 
>> >> I copied keycloak.json to the WEB-INF folder of my war project and edited my web.xml, I added this: >> >> >> KEYCLOAK >> PDC >> >> >> >> admin >> >> >> user >> >> >> Upon boot however, Wildfly logs the following error: >> >> "WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./pdc-web" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./pdc-web: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK >> Caused by: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK >> Caused by: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK"}} >> >> The only hint to fix this error that I could find was to make sure that the Keycloak subsystem is enabled in standalone/configuration/standalone.xml, which is the case as I didn't change the default config: >> >> >> >> ... >> >> ... >> >> ... >> >> >> As my experience with Wildfly and knowledge of Keycloak is limited, what could be the problem here? >> >> >> Regards, >> Rens Verhage >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Mon Nov 23 04:11:31 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 23 Nov 2015 10:11:31 +0100 Subject: [keycloak-user] Adapter installation In-Reply-To: References: <1483902582.10992870.1447852197228.JavaMail.yahoo.ref@mail.yahoo.com> <1483902582.10992870.1447852197228.JavaMail.yahoo@mail.yahoo.com> <564C84F7.1030407@binaryninja.de> <564C8D48.4090209@binaryninja.de> Message-ID: For EAP 6.4 I would suggest running EAP 6.4 locally, then run the above commands to install the adapter. Then copy standalone.xml to the sources for your Docker image. In your Dockerfile then copy this file to the image. 
You can also manually add the required changes to standalone.xml without using the cli script. The documentation lists what elements you need to add. On 18 November 2015 at 15:55, Marko Strukelj wrote: > You can give EAP 7 Alpha a try :) > > http://www.jboss.org/products/eap/download/ > > > On Wed, Nov 18, 2015 at 3:38 PM, Ataraxus wrote: > >> Sorry wasn't clear about that. >> But I was looking for a solution with JBoss EAP 6.4 >> >> On 18.11.15 at 15:28, Marko Strukelj wrote: >> >> If you put: >> >> embed-server >> >> as first command in your cli script, that will start embedded server in >> administration mode, so you won't need an already started server. >> >> That only works since Wildfly 9. >> >> On Wed, Nov 18, 2015 at 3:02 PM, Ataraxus wrote: >> >>> I'm setting up a docker container with keycloak. Now I want to install >>> the adapters, >>> the usual way of installing is via >>> ${JBOSS_HOME}/bin/jboss-cli.sh -c >>> --file=${JBOSS_HOME}/bin/adapter-install.cli >>> but therefore jboss needs to be running already, which is not >>> good/possible on this step. >>> Is there an offline way of installing the adapters? >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> >> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151123/524d03b5/attachment.html From sthorger at redhat.com Mon Nov 23 04:17:23 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 23 Nov 2015 10:17:23 +0100 Subject: [keycloak-user] Problems with expired user action emails In-Reply-To: References: Message-ID: How are you creating the user action emails? Is it through the admin console? 
On 19 November 2015 at 11:38, Samuel Otter wrote: > Hi, > > We have discovered a somewhat strange behavior with the User Action > timeouts. We need to have a fairly long User Action timeout but the links > provided in the emails to the users expire well before that time. After > some digging around in the source code I think this is because both a user > and a client session is created for the user action, but when the user > session expires and is removed the client session is also removed with it. > If we set the User Session SSO timeout to the same value it does indeed > seem to work as expected. > > This seems unintentional and I can't really see why the user session is > created at all in this case as it is not really used as far as I can tell > (the client session id is used in the email link)? OTOH I am not sure why > the client session is removed when the user session expires? Or have we > completely misunderstood how this is supposed to work? > > Anyway, as it is you can't really have a User Action timeout that is > longer than the SSO Session timeout. > > Thanks, > Samuel Otter > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151123/a3314cec/attachment.html From sthorger at redhat.com Mon Nov 23 04:24:35 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 23 Nov 2015 10:24:35 +0100 Subject: [keycloak-user] keycloak.js correct usage In-Reply-To: <564DE136.7030501@binaryninja.de> References: <564DE136.7030501@binaryninja.de> Message-ID: On 19 November 2015 at 15:48, Ataraxus wrote: > Hey, > > having 2 issues using the keycloak.js correctly. > > As for now I deployed my keycloak.json in the WEB-INF folder, but > keycloak.js needs it accessible so I have to put it outside of WEB-INF. 
> This forces me to have it two times, is this correct? > As you're saying you need it twice I assume you have your rest services and html5 pages in the same WAR? If so you need to have two different keycloak.json files. Outside WEB-INF should be for the HTML5 app, which should be a public client. Inside WEB-INF should be for your REST services and should be a bearer-only client. Also, make sure your HTML pages and js-scripts are public (aka doesn't have a security constraint in web.xml). IMO though it would be cleaner to split the two into separate WARs. > > If I log in to my test site which is essentially the view.html of the > demo-template/customer-app-js example I'm forced to re-login. > This is as far as I can tell due to the keycloak.init({ onLoad: > 'login-required' }) "login-required"; if I just call keycloak.init(), > keycloak doesn't retrieve a token at all. > How do I use this API correctly? > onLoad: login-required doesn't force you to re-login. It forces you to login if you're not already logged-in. If you don't want to force login use keycloak.login() and wire it up to a button or something. Please read the docs at http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#javascript-adapter > > Bonus Question: the "myapp/k_query_bearer_token " returns an HTTP 200 but > no token. I thought this one could have been an alternative to keycloak.js > If you are doing a HTML5/js app, you want to use keycloak.js that gives you a much better experience. You could set a security-constraint in web.xml for your index.html. Then use server-side login, but you end up with an http session, etc.. Not very elegant. > > Thanks > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
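Added example (not part of the thread above and not Keycloak project code): the redirect / callback / code-exchange sequence that keycloak.js performs for the HTML5 app as a public client, written out in Python so the individual requests are visible. A bearer-only client never performs it; it only receives the resulting token in the Authorization header. The endpoint paths are the ones Marek confirms in the [OAuth2.0] thread later on this page, and the direct-grant request is the Resource Owner Password Credentials option Stian mentions there for non-UI clients. The HTTP transport is injected so the file runs offline; the realm "demo", the client ids, the secret and every URL are placeholders.

```python
"""Requests for Keycloak's OpenID Connect endpoints, as issued by keycloak.js
(browser, public client) and by confidential or CLI clients.

Added example for the keycloak-user thread; not Keycloak code. Realm, client
ids, secret and URLs are placeholders; the transport is injected so this runs
offline.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


class OidcClient:
    """Authorization-code and direct-grant (resource owner password) helpers."""

    def __init__(self, auth_server_url, realm, client_id, client_secret=None):
        # Endpoint layout confirmed in the [OAuth2.0] thread on this page:
        #   {auth-server-url}/realms/{realm}/protocol/openid-connect/{auth,token}
        base = auth_server_url.rstrip("/") + "/realms/" + realm + "/protocol/openid-connect"
        self.auth_endpoint = base + "/auth"
        self.token_endpoint = base + "/token"
        self.client_id = client_id
        # None for a public client (what an HTML5/keycloak.js app must be);
        # confidential clients present their secret to the token endpoint.
        self.client_secret = client_secret

    def authorization_url(self, redirect_uri, state=None):
        """Step 1: send the browser here. `state` is the CSRF binding the
        callback must echo back; keep it on the client side until step 2."""
        state = state or secrets.token_urlsafe(16)
        params = {
            "client_id": self.client_id,
            "response_type": "code",
            "redirect_uri": redirect_uri,  # must match the client's Valid Redirect URIs
            "state": state,
        }
        return self.auth_endpoint + "?" + urlencode(params), state

    @staticmethod
    def parse_callback(callback_url, expected_state):
        """Step 2: take the code from the redirect back, refusing error
        responses and any callback whose state is not the one we issued."""
        query = parse_qs(urlsplit(callback_url).query)
        if "error" in query:
            raise PermissionError("authorization failed: " + query["error"][0])
        if query.get("state", [None])[0] != expected_state:
            raise PermissionError("state mismatch: possible CSRF or replayed callback")
        if "code" not in query:
            raise PermissionError("callback carries no authorization code")
        return query["code"][0]

    def _token_request(self, form):
        form["client_id"] = self.client_id
        if self.client_secret is not None:
            form["client_secret"] = self.client_secret
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        return self.token_endpoint, headers, form

    def code_exchange_request(self, code, redirect_uri):
        """Step 3: back-channel POST exchanging the code for tokens; the
        redirect_uri must be the same value used in step 1."""
        return self._token_request({"grant_type": "authorization_code",
                                    "code": code, "redirect_uri": redirect_uri})

    def direct_grant_request(self, username, password):
        """Resource Owner Password Credentials ("direct grant" in the Keycloak
        docs) for non-UI clients that hold the user's password themselves."""
        return self._token_request({"grant_type": "password",
                                    "username": username, "password": password})


def fetch_token(request, transport):
    """Send a token request through `transport(url, headers, form) -> dict`
    and return the access token; a response without one is an error."""
    url, headers, form = request
    response = transport(url, headers, form)
    if "access_token" not in response:
        raise PermissionError("token endpoint error: " + str(response.get("error")))
    return response["access_token"]


def bearer_header(access_token):
    """Header a client adds when calling a bearer-only REST resource."""
    return {"Authorization": "Bearer " + access_token}


if __name__ == "__main__":
    # Constructed offline run: the transport stands in for the token endpoint.
    def fake_transport(url, headers, form):
        assert url.endswith("/protocol/openid-connect/token")
        return {"access_token": "eyJ.constructed.token", "token_type": "bearer"}

    app = OidcClient("http://localhost:8180/auth", "demo", "customer-portal")
    url, state = app.authorization_url("http://localhost:8080/customer-portal/")
    print("redirect browser to:", url)
    code = app.parse_callback(
        "http://localhost:8080/customer-portal/?state=%s&code=abc123" % state, state)
    token = fetch_token(app.code_exchange_request(code, "http://localhost:8080/customer-portal/"),
                        fake_transport)
    print(bearer_header(token))
```

The state check in parse_callback is what keeps a callback with somebody else's code from being exchanged; a callback whose state the client never issued is dropped before any token request is sent. The redirect_uri has to match the client's Valid Redirect URIs exactly, otherwise Keycloak logs the invalid_redirect_uri LOGIN_ERROR seen further down this page.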
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151123/cb9dd7fb/attachment.html From adrianmatei at gmail.com Mon Nov 23 04:29:05 2015 From: adrianmatei at gmail.com (Adrian Matei) Date: Mon, 23 Nov 2015 10:29:05 +0100 Subject: [keycloak-user] Proxy configuration issue (Bill Burke) Message-ID: Hi Bill, The problem was that the proxy did not ask the user to "login", but it was my error because I had forgotten to configure the "constraints" section in proxy.json The issue I am having now is that the "sign out" from another application in the same realm, doesn't sign out the user in the proxied application (the "session" cookie is still present) - should I configure something special regarding this? Here is my working configuration now: { "target-url": "http://localhost:8280/", "send-access-token": true, "bind-address": "localhost", "http-port": "8080", "applications": [ { "base-path": "/backend", "error-page": "/error.html", "adapter-config": { "realm": "demo", "resource": "proxy", "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GN....", "auth-server-url": "http://localhost:8180/auth", "ssl-required" : "external", "principal-attribute": "name", "credentials": { "secret": "4ef4196d-9e86-4795-9219-dc1288b87c2b" } } , "constraints": [ { "pattern": "/*", "roles-allowed": [ "user" ] } ] } ] } Thanks, Adrian Message: 1 Date: Fri, 20 Nov 2015 10:09:59 -0500 From: Bill Burke Subject: Re: [keycloak-user] Proxy configuration issue (Bill Burke) To: keycloak-user at lists.jboss.org Message-ID: <564F37C7.9010007 at redhat.com> Content-Type: text/plain; charset=windows-1252; format=flowed That all looks right. What are the problems you are seeing? I don't see them listed explicitly in this email thread. On 11/20/2015 6:31 AM, Adrian Matei wrote: > Hi Bill, > > Thank you for your answer, but I still don't seem to get Keycloak to > "catch" my requests against the protected application. > Let me make the scenario clear: > > 1. 
Application to be protected runs on http://localhost:*8280*/backend > > 2. Server proxy started and runs on http://localhost:*8080*, when I type > http://localhost:8080/backend in the browser I see the protected application > > 3. Keycloak server runs on http://localhost:*8180*/auth > > 4. The adapter config in the "applications" section now corresponds to the > proxy client I have configured in the Keycloak realm: > > Client ID: proxy > > Client Protocol: openid-connect > Access Type: confidential > Valid Redirect URIs: http://localhost:8080/backend/* > > > I am not sure how to configure the proxy Server - now I have the following: > { > "target-url": "*http://localhost:8280/*", ??? > "send-access-token": false, > "bind-address": "localhost", > "http-port": "8080", ??? > "applications": [ > { > "base-path": "*/backend*", > "error-page": "/error.html", > "adapter-config": { > "realm": "demo", > "resource": "*proxy*", > "realm-public-key": > "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB", > "auth-server-url": "http://localhost:8180/auth", > "ssl-required" : "external", > "principal-attribute": "name", > "credentials": { > "secret": "4ef4196d-9e86-4795-9219-dc1288b87c2b" > } > } > } > ] > } > Questions: > 1. I set the target-url to the URL of the application the proxy > server is proxying - does this mean the server can only proxy applications > on the same URL? > 2. What am I doing wrong :((((? > > > Thanks a bunch, > Adrian > > "Can't really see the screenshot, but you have to point keycloak to the > host/port of the proxy. 
> > On 11/19/2015 9:13 AM, Adrian Matei wrote: > > Hi everyone, > > > > I am trying to make a simple test and configure a keycloak proxy to > > protect an application running on http://localhost:8280/backend/ > > > > 1. My proxy.json looks like the following: > > > > { > > "target-url": "http://localhost:8280/", > > "send-access-token": false, > > "bind-address": "localhost", > > "http-port": "8080", > > "applications": [ > > { > > "base-path": "/backend", > > "error-page": "/error.html", > > "adapter-config": { > > "realm": "demo", > > "resource": "sandbox-backend", > > "realm-public-key": > > > "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB", > > "auth-server-url": "http://localhost:8180/auth", > > "ssl-required" : "external", > > "credentials": { > > "secret": "9323cdd6-7e0e-46ce-814f-b5ac79581395" > > } > > } > > } > > ] > > } > > > > 2. > > I've started the proxy server as specified in the documentation "java > > -jar bin/launcher.jar proxy.json" > > I am getting an error "ERROR: UT005026: Jetty ALPN support not > found on > > boot class path, SPDY client will not be available.", but the server > > still starts, I don't think there should be a problem with that... > > > > 3. In the admin console (keycloak running on port 8180) I've > configured > > the backend application like the following: > > > > Could you tell me what I am doing wrong? When I put in the app's > url in > > the browser it goes directly to the application... > > > > Thanks, > > Adrian" > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151123/50d45b0a/attachment-0001.html From sthorger at redhat.com Mon Nov 23 04:46:11 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 23 Nov 2015 10:46:11 +0100 Subject: [keycloak-user] Securing dynamic services In-Reply-To: References: Message-ID: We are currently doing a POC on adding authorization services to Keycloak. In summary what roles can access what URLs, but much more flexible and powerful than that. That's not going to be ready until sometime next year. If you're interested you could give that a go, but it's pre-alpha at the moment, so not something to use in production for sure. On 21 November 2015 at 01:41, Jose Suero wrote: > I've installed keycloak to secure a software as a service application that > allows users to create scripts they can run as services, for the > authentication part keycloak works like a charm, users are required to > enter a login and I get their roles and everything. > > The idea is to let users create services and roles, and assign them to > users, this all works > > The issue I'm having is authorization: since I have no knowledge beforehand > of what services or roles would be created I can't use Security > Constraints in web.xml or annotations. > > Since I have the roles I could write a function that does authorization, > but would love for keycloak to do it for me, I'm already passing realms to > keycloak as the multi-tenant example, is there any way I could assign urls > to roles I create so keycloak checks whether or not I can access that url? > > > thanks in advance > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
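Added example, not Keycloak project code and not from any poster: a default-deny URL-pattern to role check that serves both the "constraints" block of proxy.json in the Proxy configuration thread above ("pattern": "/*", "roles-allowed": ["user"]) and Jose's question here about services and roles that only exist at runtime. It applies the servlet-spec matching order (exact, then longest path prefix, then extension, then the default pattern) to a constraint list that can be rebuilt at any time, for example from a database, instead of being fixed in web.xml. It assumes the adapter has already verified the token's signature and expiry and hands over the decoded claims; the claim names realm_access.roles and resource_access.<client>.roles are the ones Keycloak puts in its access tokens (the latter is what use-resource-role-mappings switches the adapter to), while the client id "snrapps-web" and the paths are placeholders.

```python
"""Default-deny URL-pattern to role authorization over verified token claims.

Added example for the keycloak-user thread; not Keycloak code. The caller
must have verified the token before passing its claims in here; this only
reads them. Client id and paths are placeholders.
"""
import posixpath


class Constraint:
    """A servlet-style URL pattern and the roles allowed to reach it.

    roles_allowed=None  -> unconstrained, anonymous access allowed
    roles_allowed=set() -> any authenticated user
    roles_allowed={...} -> caller must hold at least one of the roles
    """

    def __init__(self, pattern, roles_allowed=None):
        self.pattern = pattern
        self.roles_allowed = None if roles_allowed is None else set(roles_allowed)


def normalize_path(raw_path):
    """Strip query/fragment and collapse '.' and '..' so the check sees the
    same path the servlet container will dispatch to."""
    path = raw_path.split("?", 1)[0].split("#", 1)[0]
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def match_rank(pattern, path):
    """Rank how specifically `pattern` matches `path`, or None if it does not.
    Exact beats longest path prefix, which beats extension, which beats the
    default "/" pattern (the servlet-spec ordering)."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
        return None
    if pattern.startswith("*."):
        return (1, 0) if path.endswith(pattern[1:]) else None
    if pattern == "/":
        return (0, 0)
    return None


def roles_in_token(claims, client_id=None):
    """Roles granted by the token: realm roles, or the client's own roles when
    the adapter runs with use-resource-role-mappings (client_id given)."""
    if client_id is not None:
        return set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))
    return set(claims.get("realm_access", {}).get("roles", []))


def authorize(raw_path, claims, constraints, client_id=None):
    """True only if the most specific matching constraint admits the caller.
    Paths no constraint matches are denied (default deny), unlike a bare
    web.xml where unlisted URLs are open."""
    path = normalize_path(raw_path)
    best = None
    for constraint in constraints:
        rank = match_rank(constraint.pattern, path)
        if rank is not None and (best is None or rank > best[0]):
            best = (rank, constraint)
    if best is None:
        return False
    allowed = best[1].roles_allowed
    if allowed is None:
        return True
    if claims is None:  # anonymous caller on a constrained URL
        return False
    if not allowed:
        return True  # being authenticated is enough
    return bool(roles_in_token(claims, client_id) & allowed)


if __name__ == "__main__":
    # Constructed claims, shaped like what an adapter hands over after verification.
    alice = {"preferred_username": "alice",
             "realm_access": {"roles": ["user"]},
             "resource_access": {"snrapps-web": {"roles": ["admin"]}}}
    rules = [Constraint("/*", {"user"}),
             Constraint("/admin/*", {"admin"}),
             Constraint("/public/*"),
             Constraint("/health", set())]
    for path in ["/backend/orders", "/admin/users", "/admin/../admin/users?x=1", "/public/logo.png"]:
        print(path, "realm roles:", authorize(path, alice, rules),
              "client roles:", authorize(path, alice, rules, client_id="snrapps-web"))
```

Two choices matter for security here: an unmatched path is denied rather than served, so a service created at runtime is unreachable until a constraint for it exists, and the path is normalized before matching, so "/admin/../admin/users" is judged by the "/admin/*" rule and not by the catch-all.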
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151123/b297909b/attachment.html From sthorger at redhat.com Mon Nov 23 04:48:08 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 23 Nov 2015 10:48:08 +0100 Subject: [keycloak-user] mobile security In-Reply-To: References: Message-ID: Depends on what type of mobile application you are writing. If it's a Cordova (hybrid) app then you can use keycloak.js, which has built-in support for Cordova. We have an example for it. If you are writing native mobile applications take a look at AeroGear, they have native integration available for Keycloak ( https://aerogear.org/docs/guides/security/oauth2-guide/). On 21 November 2015 at 01:48, Jose Suero wrote: > I need to create a mobile application that consumes services from a > keycloak protected services, users don't create an account, but I don't > want people outside the app to consume the services. > > How can I send the token authenticate on the mobile app the same way I > authenticate on websites. meaning having a keycloak.json key or something > > Any thoughts? > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151123/fc8530d9/attachment.html From sthorger at redhat.com Mon Nov 23 04:53:53 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 23 Nov 2015 10:53:53 +0100 Subject: [keycloak-user] [OAuth2.0] Authorization grant & Get token urls In-Reply-To: References: <564F1508.4080104@redhat.com> <5652CA81.2020708@redhat.com> Message-ID: For non-UI you have two options: 1. Use a browser to retrieve the token. Obviously only works for CLI's on a workstation where a browser is available. Try the customer-app-cli from our demo/examples which does this. 2. 
Resource Owner Password Credentials from OAuth2 (we refer to it as direct grant in our docs, but it's the same protocol) We currently don't have any libs for 2, but it's pretty simple to implement yourself, or you can use any other OAuth2 RP lib. On 23 November 2015 at 09:38, Pavel Maslov wrote: > From your message I don't see how you can use Keycloak adapters for a Java > client application (no UI) to access an API secured with Keycloak. The API > resource is secured with Keycloak and is using Keycloak adapter. The client > app should invoke those two URLs (or just the second one for direct > grants). I can see you only have a Javascript library (adapter) for this > purpose. > > Regards, > Pavel Maslov, MS > oPAC fellow at Cosylab > > On Mon, Nov 23, 2015 at 9:12 AM, Marek Posolda > wrote: > >> Keycloak handles this scenario well. Adapters are used both on the REST >> resource side and on the UI application side (the application which wants to >> redirect to the Keycloak login and exchange the code for a token). >> >> One of Keycloak's points is that you don't need to code anything in order >> to handle the OIDC / OAuth2 flow. The server part of the specification is >> implemented by the Keycloak auth-server and the client part of the specification is >> implemented by our adapters. You don't need to care about redirection to the >> keycloak login screen or exchanging the code for a token etc. The adapters do >> all of this for you. You can also enable "consent" for your client, in which >> case the user's consent screen will be displayed during authentication by the >> keycloak server. Again, no need to code anything custom. >> >> When you want to send a request to a REST resource, you need to add the >> accessToken to the "Authorization: Bearer" header, which will authenticate the >> request. >> >> Take a look at our demo examples (customer-portal, product-portal, >> oauth-client) for more details. 
>> >> Marek >> >> >> On 20/11/15 13:58, Pavel Maslov wrote: >> >> Hey Marek, >> >> >> As far as I understood, adapters are used on the Resource side (e.g. the >> API you would like to secure with Keycloak). >> Here, I am calling the API (resource) from a 3rd party application >> (client). First it needs a user's consent to use the API on his behalf. >> Then it gets the auth_code, which is then used to obtain the access token. >> Then the client is free to utilize the API on behalf of the user. >> >> Does the Keycloak auth workflow differ slightly from the standard >> OAuth2.0 procedure? Or am I missing something? >> Thanks. >> >> >> Regards, >> Pavel Maslov, MSc >> >> On Fri, Nov 20, 2015 at 1:41 PM, Marek Posolda >> wrote: >> >>> On 20/11/15 12:18, Pavel Maslov wrote: >>> >>> Hi everyone, >>> >>> >>> From the user documentation I could not find the authorization grant >>> url (a la github's https://github.com/login/oauth/authorize) and Get >>> token url (a la >>> https://github.com/login/oauth/access_token). >>> >>> I presume it's >>> {keycloak_base}/realms/{realm-name}/protocol/openid-connect/auth?client_id={client_name}&response_type=code >>> and >>> {keycloak_base}/realms/{realm-name}/protocol/openid-connect/token >>> respectively, >>> but I am not sure. >>> >>> Yes, your URLs are correct. However if you want to use the default >>> Authorization Code Grant flow and browser applications, you can just use >>> our adapters. You don't even need to know the authorization grant url and >>> token URL as adapters handle all the redirections and exchanges for you. >>> >>> I suggest to take a look at our examples. >>> >>> And here are the docs for adapters: >>> >>> http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html >>> >>> Marek >>> >>> >>> I would like to follow the standard OAuth2.0 workflow: >>> >>> 1. Get Auth grant (GET on >>> https://github.com/login/oauth/authorize) >>> 2. 
Get access token in exchange for the auth grant code (POST on >>> >>> https://github.com/login/oauth/access_token) >>> 3. Use the resource using the access token gotten in step 2. >>> >>> Please, correct me if I am wrong. >>> Thanks. >>> >>> Regards, >>> Pavel Maslov, MSc >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >>> >> >> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151123/5443716b/attachment.html From sthorger at redhat.com Mon Nov 23 04:55:11 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 23 Nov 2015 10:55:11 +0100 Subject: [keycloak-user] Planned support of Node.js, RAILS, GRAILS, and other non-Java applications In-Reply-To: <26b9e8574ecf42f987af557f9505935f@EX2013-DB01.adesso.local> References: <26b9e8574ecf42f987af557f9505935f@EX2013-DB01.adesso.local> Message-ID: We have Node.js available already https://github.com/keycloak/keycloak-nodejs For other languages we don't currently have the resources required to implement it ourselves, but would love contributions :) On 23 November 2015 at 09:51, Brose, Sascha wrote: > Hello, > > I read in Keycloak documentation that there are plans to support Node.js, > RAILS, GRAILS, and other non-Java applications. > > > > Is this support already in development or when is it planned for? Will > there also be support for scripting languages, e.g. PHP? 
> > > > Best regards, > > Sascha > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151123/3016f455/attachment-0001.html From samuel.otter at gmail.com Mon Nov 23 04:59:25 2015 From: samuel.otter at gmail.com (Samuel Otter) Date: Mon, 23 Nov 2015 09:59:25 +0000 Subject: [keycloak-user] Problems with expired user action emails In-Reply-To: References: Message-ID: Hi, No we use the execute-actions-email REST endpoint. On Mon, 23 Nov 2015 at 10:17, Stian Thorgersen wrote: > How are you creating the user action emails? Is it through the admin > console? > > On 19 November 2015 at 11:38, Samuel Otter wrote: > >> Hi, >> >> We have discovered a somewhat strange behavior with the User Action >> timeouts. We need to have a fairly long User Action timeout but the links >> provided in the emails to the users expire well before that time. After >> some digging around in the source code I think this is because both a user >> and a client session is created for the user action, but when the user >> session expires and is removed the client session is also removed with it. >> If we set the User Session SSO timeout to the same value it does indeed >> seem to work as expected. >> >> This seems unintentional and I can't really see why the user session is >> created at all in this case as it is not really used as far as I can tell >> (the client session id is used in the email link)? OTOH I am not sure why >> the client session is removed when the user session expires? Or have we >> completely misunderstood how this is supposed to work? >> >> Anyway, as it is you can't really have a User Action timeout that is >> longer than the SSO Session timeout. 
>> >> Thanks, >> Samuel Otter >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151123/2481085e/attachment.html From sthorger at redhat.com Mon Nov 23 05:02:43 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 23 Nov 2015 11:02:43 +0100 Subject: [keycloak-user] Problems with expired user action emails In-Reply-To: References: Message-ID: Okay, basically same thing ;) Please create a JIRA issue On 23 November 2015 at 10:59, Samuel Otter wrote: > Hi, > > No we use the execute-actions-email REST endpoint. > > On Mon, 23 Nov 2015 at 10:17, Stian Thorgersen wrote: > >> How are you creating the user action emails? Is it through the admin >> console? >> >> On 19 November 2015 at 11:38, Samuel Otter >> wrote: >> >>> Hi, >>> >>> We have discovered a somewhat strange behavior with the User Action >>> timeouts. We need to have a fairly long User Action timeout but the links >>> provided in the emails to the users expire well before that time. After >>> some digging around in the source code I think this is because both a user >>> and a client session is created for the user action, but when the user >>> session expires and is removed the client session is also removed with it. >>> If we set the User Session SSO timeout to the same value it does indeed >>> seem to work as expected. >>> >>> This seems unintentional and I can't really see why the user session is >>> created at all in this case as it is not really used as far as I can tell >>> (the client session id is used in the email link)? OTOH I am not sure why >>> the client session is removed when the user session expires? Or have we >>> completely misunderstood how this is supposed to work? 
>>>
>>> Anyway, as it is you can't really have a User Action timeout that is longer than the SSO Session timeout.
>>>
>>> Thanks,
>>> Samuel Otter
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151123/7e4d0982/attachment.html

From Joseph.George at finantix.com Mon Nov 23 05:26:52 2015
From: Joseph.George at finantix.com (Joseph.George at finantix.com)
Date: Mon, 23 Nov 2015 11:26:52 +0100
Subject: [keycloak-user] SAML attribute extraction and invalid_redirect_uri
In-Reply-To:
References:
Message-ID:

Dear All,

May I ask how to get the user id and the other additional SAML attributes which the server asserts? Do you have any URL for a Java program that extracts this info in the client/service provider program?

Secondly, I am running the keycloak server in standalone mode and have defined a realm, demo, with SAML and users/roles etc. Now, once I access http://localhost:8280/sample/, it gets redirected to the IDP server, but it is not challenging for user authentication; it just says "Invalid redirect uri".

"2015-11-23 17:15:03,998 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=demo, clientId=null, userId=null, ipAddress=127.0.0.1, error=invalid_redirect_uri"

My client application is a localhost application with url http://localhost:8280/sample/*, so I registered the same in the Valid Redirect URIs field. I am not sure how to debug it. I enabled ALL for the logger.
Kindly advise, please. Attached are screenshots of the client application and keycloak-saml.xml; the client application is running on Tomcat 7.

Client Application from keycloak server (Embedded image moved to file: pic32702.jpg)

keycloak-saml.xml (See attached file: keycloak-saml.xml)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pic32702.jpg
Type: image/jpeg
Size: 142554 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20151123/b2367b9f/attachment-0001.jpg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: keycloak-saml.xml
Type: application/octet-stream
Size: 1482 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20151123/b2367b9f/attachment-0001.obj

From pavel.masloff at gmail.com Mon Nov 23 06:17:46 2015
From: pavel.masloff at gmail.com (Pavel Maslov)
Date: Mon, 23 Nov 2015 12:17:46 +0100
Subject: [keycloak-user] [OAuth2.0] scope parameter
Message-ID:

Hi everyone,

I am testing my API service (secured with Keycloak) using Postman's OAuth2.0 workflow. In my Keycloak client's role I have enabled the Scope Param Required setting, but I am not being asked to consent to this role. What is the format of the scope variable?

Thanks!

Regards,
Pavel Maslov, MS

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151123/c154e0be/attachment.html

From atx at binaryninja.de Mon Nov 23 07:32:00 2015
From: atx at binaryninja.de (Ataraxus)
Date: Mon, 23 Nov 2015 13:32:00 +0100
Subject: [keycloak-user] Provider Dependencies
In-Reply-To:
References:
Message-ID: <56530740.5060104@binaryninja.de>

Hey,

I'm writing my custom login provider, which works great so far, but I stumbled upon a dependency issue: I want to use mail in my authenticator, but when the authenticator actually gets loaded I get a class not found exception.
Somehow javax.mail.* is not available in the classpath of providers which are dropped in the configuration/providers path. How can I use these dependencies? I could include them in my jar, but I guess that's not the "right" way.

Thanks

From atx at binaryninja.de Mon Nov 23 07:57:08 2015
From: atx at binaryninja.de (Ataraxus)
Date: Mon, 23 Nov 2015 13:57:08 +0100
Subject: [keycloak-user] Provider Dependencies
In-Reply-To: <56530740.5060104@binaryninja.de>
References: <56530740.5060104@binaryninja.de>
Message-ID: <56530D24.50508@binaryninja.de>

Here is the code and the stack trace just in case, maybe there is a better way to send email:

    import java.util.Date;
    import java.util.Map;
    import java.util.Properties;

    import javax.mail.Message;
    import javax.mail.Multipart;
    import javax.mail.Session;
    import javax.mail.Transport;
    import javax.mail.internet.InternetAddress;
    import javax.mail.internet.MimeBodyPart;
    import javax.mail.internet.MimeMessage;
    import javax.mail.internet.MimeMultipart;

    import org.keycloak.authentication.AuthenticationFlowContext;
    import org.keycloak.email.EmailException;
    import org.keycloak.models.UserModel;

    private void send(UserModel user, AuthenticationFlowContext context, String subject, String textBody, String htmlBody) throws EmailException {
        try {
            String address = user.getEmail();
            // SMTP settings as configured on the realm's Email tab (host, port, from, auth, ssl, starttls, user, password)
            Map<String, String> config = context.getRealm().getSmtpConfig();

            Properties props = new Properties();
            props.setProperty("mail.smtp.host", config.get("host"));

            boolean auth = "true".equals(config.get("auth"));
            boolean ssl = "true".equals(config.get("ssl"));
            boolean starttls = "true".equals(config.get("starttls"));

            if (config.containsKey("port")) {
                props.setProperty("mail.smtp.port", config.get("port"));
            }

            if (auth) {
                props.put("mail.smtp.auth", "true");
            }

            if (ssl) {
                // implicit TLS (SMTPS): wrap the socket in an SSL socket factory
                if (config.containsKey("port")) {
                    props.put("mail.smtp.socketFactory.port", config.get("port"));
                }
                props.put("mail.smtp.socketFactory.class", "javax.net.ssl.SSLSocketFactory");
            }

            if (starttls) {
                props.put("mail.smtp.starttls.enable", "true");
            }

            String from = config.get("from");

            Session session = Session.getInstance(props);

            // multipart/alternative: plain-text part first, HTML part second
            Multipart multipart = new MimeMultipart("alternative");

            if (textBody != null) {
                MimeBodyPart textPart = new MimeBodyPart();
                textPart.setText(textBody, "UTF-8");
                multipart.addBodyPart(textPart);
            }

            if (htmlBody != null) {
                MimeBodyPart htmlPart = new MimeBodyPart();
                htmlPart.setContent(htmlBody, "text/html; charset=UTF-8");
                multipart.addBodyPart(htmlPart);
            }

            Message msg = new MimeMessage(session);
            msg.setFrom(new InternetAddress(from));
            msg.setHeader("To", address);
            msg.setSubject(subject);
            msg.setContent(multipart);
            msg.saveChanges();
            msg.setSentDate(new Date());

            Transport transport = session.getTransport("smtp");
            if (auth) {
                transport.connect(config.get("user"), config.get("password"));
            } else {
                transport.connect();
            }
            transport.sendMessage(msg, new InternetAddress[]{new InternetAddress(address)});
            transport.close();
        } catch (Exception e) {
            throw new EmailException(e);
        }
    }

connect/auth

JBWEB000309: type JBWEB000066: Exception report

JBWEB000068: message request path: /auth/realms/MYAPP/protocol/openid-connect/auth

JBWEB000069: description JBWEB000145: The server encountered an internal error that prevented it from fulfilling this request.

JBWEB000070: exception

java.lang.RuntimeException: request path: /auth/realms/MYAPP/protocol/openid-connect/auth
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:75)

JBWEB000071: root cause

org.jboss.resteasy.spi.UnhandledException: java.lang.NoClassDefFoundError: javax/mail/Multipart
org.jboss.resteasy.core.SynchronousDispatcher.handleApplicationException(SynchronousDispatcher.java:364)
org.jboss.resteasy.core.SynchronousDispatcher.handleException(SynchronousDispatcher.java:232)
org.jboss.resteasy.core.SynchronousDispatcher.handleInvokerException(SynchronousDispatcher.java:208)
org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:556)
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:523)
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:125)
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)

JBWEB000071: root cause

java.lang.NoClassDefFoundError: javax/mail/Multipart
de.MYAPP.auth.authenticator.MYAPPEmailAuthenticatorFactory.create(MYAPPEmailAuthenticatorFactory.java:27)
de.MYAPP.auth.authenticator.MYAPPEmailAuthenticatorFactory.create(MYAPPEmailAuthenticatorFactory.java:19)
org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:124)
org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:97)
org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:650)
org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.browserAuthentication(AuthorizationEndpoint.java:315)
org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:265)
org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:123)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:606)
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:168)
org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269)
org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227)
org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:158)
org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:106)
org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:153)
org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:91)
org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:541)
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:523)
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:125)
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)

JBWEB000071: root cause

java.lang.ClassNotFoundException: javax.mail.Multipart
java.net.URLClassLoader$1.run(URLClassLoader.java:366)
java.net.URLClassLoader$1.run(URLClassLoader.java:355)
java.security.AccessController.doPrivileged(Native Method)
java.net.URLClassLoader.findClass(URLClassLoader.java:354)
java.lang.ClassLoader.loadClass(ClassLoader.java:425)
java.lang.ClassLoader.loadClass(ClassLoader.java:358)
de.MYAPP.auth.authenticator.MYAPPEmailAuthenticatorFactory.create(MYAPPEmailAuthenticatorFactory.java:27)
de.MYAPP.auth.authenticator.MYAPPEmailAuthenticatorFactory.create(MYAPPEmailAuthenticatorFactory.java:19)
org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:124)
org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:97)
org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:650)
org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.browserAuthentication(AuthorizationEndpoint.java:315)
org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:265)
org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:123)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:606)
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:168)
org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269)
org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227)
org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:158)
org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:106)
org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:153)
org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:91)
org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:541)
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:523)
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:125)
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)

On 23.11.15 at 13:32, Ataraxus wrote:
> Hey,
>
> I'm writing my custom login provider, which works great so far, but I
> stumbled upon a dependency issue:
> I want to use mail in my authenticator, but when the authenticator
> actually gets loaded I get a class not found exception.
> Somehow javax.mail.* is not available in the classpath of providers which
> are dropped in the configuration/providers path.
> How can I use these dependencies? I could include them in my jar, but
> I guess that's not the "right" way.
>
> Thanks
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151123/e11faa57/attachment-0001.html

From sthorger at redhat.com Mon Nov 23 08:01:24 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 23 Nov 2015 14:01:24 +0100
Subject: [keycloak-user] Provider Dependencies
In-Reply-To: <56530D24.50508@binaryninja.de>
References: <56530740.5060104@binaryninja.de> <56530D24.50508@binaryninja.de>
Message-ID:

We have the built-in EmailProvider, but it doesn't have a generic sendMail method, which it should have. You can create a JIRA issue to request that. In the meantime you can package your provider as a module instead of a jar to have more control of the classpath.
On 23 November 2015 at 13:57, Ataraxus wrote: > Here is the code and the stacktrace just in case, maybe there is a better > way to send email: > > private void send(UserModel user, AuthenticationFlowContext context, > String subject, String textBody, String htmlBody) throws EmailException { > try { > String address = user.getEmail(); > Map config = > context.getRealm().getSmtpConfig(); > > Properties props = new Properties(); > props.setProperty("mail.smtp.host", config.get("host")); > > boolean auth = "true".equals(config.get("auth")); > boolean ssl = "true".equals(config.get("ssl")); > boolean starttls = "true".equals(config.get("starttls")); > > if (config.containsKey("port")) { > props.setProperty("mail.smtp.port", config.get("port")); > } > > if (auth) { > props.put("mail.smtp.auth", "true"); > } > > if (ssl) { > props.put("mail.smtp.socketFactory.port", > config.get("port")); > props.put("mail.smtp.socketFactory.class", > "javax.net.ssl.SSLSocketFactory"); > } > > if (starttls) { > props.put("mail.smtp.starttls.enable", "true"); > } > > String from = config.get("from"); > > Session session = Session.getInstance(props); > > Multipart multipart = new MimeMultipart("alternative"); > > if (textBody != null) { > MimeBodyPart textPart = new MimeBodyPart(); > textPart.setText(textBody, "UTF-8"); > multipart.addBodyPart(textPart); > } > > if (htmlBody != null) { > MimeBodyPart htmlPart = new MimeBodyPart(); > htmlPart.setContent(htmlBody, "text/html; charset=UTF-8"); > multipart.addBodyPart(htmlPart); > } > > Message msg = new MimeMessage(session); > msg.setFrom(new InternetAddress(from)); > msg.setHeader("To", address); > msg.setSubject(subject); > msg.setContent(multipart); > msg.saveChanges(); > msg.setSentDate(new Date()); > > Transport transport = session.getTransport("smtp"); > if (auth) { > transport.connect(config.get("user"), > config.get("password")); > } else { > transport.connect(); > } > transport.sendMessage(msg, new InternetAddress[]{new > 
InternetAddress(address)}); > } catch (Exception e) { > throw new EmailException(e); > } > } > > connect/auth > > JBWEB000309: type JBWEB000066: Exception report > > JBWEB000068: message request path: > /auth/realms/MYAPP/protocol/openid-connect/auth > > JBWEB000069: description JBWEB000145: The server encountered an internal > error that prevented it from fulfilling this request. > > JBWEB000070: exception > > java.lang.RuntimeException: request path: > /auth/realms/MYAPP/protocol/openid-connect/auth > > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:75) > JBWEB000071: root cause > > org.jboss.resteasy.spi.UnhandledException: java.lang.NoClassDefFoundError: > javax/mail/Multipart > > org.jboss.resteasy.core.SynchronousDispatcher.handleApplicationException(SynchronousDispatcher.java:364) > > org.jboss.resteasy.core.SynchronousDispatcher.handleException(SynchronousDispatcher.java:232) > > org.jboss.resteasy.core.SynchronousDispatcher.handleInvokerException(SynchronousDispatcher.java:208) > > org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:556) > > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:523) > > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:125) > > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208) > > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55) > > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50) > javax.servlet.http.HttpServlet.service(HttpServlet.java:847) > > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61) > JBWEB000071: root cause > > java.lang.NoClassDefFoundError: javax/mail/Multipart > > 
de.MYAPP.auth.authenticator.MYAPPEmailAuthenticatorFactory.create(MYAPPEmailAuthenticatorFactory.java:27) > > de.MYAPP.auth.authenticator.MYAPPEmailAuthenticatorFactory.create(MYAPPEmailAuthenticatorFactory.java:19) > > org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:124) > > org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:97) > > org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:650) > > org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.browserAuthentication(AuthorizationEndpoint.java:315) > > org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:265) > > org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:123) > sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) > > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > java.lang.reflect.Method.invoke(Method.java:606) > > org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:168) > > org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269) > org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227) > > org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:158) > > org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:106) > > org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:153) > org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:91) > > org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:541) > > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:523) > > 
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:125) > > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208) > > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55) > > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50) > javax.servlet.http.HttpServlet.service(HttpServlet.java:847) > > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61) > JBWEB000071: root cause > > java.lang.ClassNotFoundException: javax.mail.Multipart > java.net.URLClassLoader$1.run(URLClassLoader.java:366) > java.net.URLClassLoader$1.run(URLClassLoader.java:355) > java.security.AccessController.doPrivileged(Native Method) > java.net.URLClassLoader.findClass(URLClassLoader.java:354) > java.lang.ClassLoader.loadClass(ClassLoader.java:425) > java.lang.ClassLoader.loadClass(ClassLoader.java:358) > > de.MYAPP.auth.authenticator.MYAPPEmailAuthenticatorFactory.create(MYAPPEmailAuthenticatorFactory.java:27) > > de.MYAPP.auth.authenticator.MYAPPEmailAuthenticatorFactory.create(MYAPPEmailAuthenticatorFactory.java:19) > > org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:124) > > org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:97) > > org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:650) > > org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.browserAuthentication(AuthorizationEndpoint.java:315) > > org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:265) > > org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:123) > sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) > > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > java.lang.reflect.Method.invoke(Method.java:606) > > org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:168) > > org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269) > org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227) > > org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:158) > > org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:106) > > org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:153) > org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:91) > > org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:541) > > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:523) > > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:125) > > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208) > > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55) > > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50) > javax.servlet.http.HttpServlet.service(HttpServlet.java:847) > > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61) > > Am 23.11.15 um 13:32 schrieb Ataraxus: > > Hey, > > I'm writing my custum login provider which works great so far, but i > stumbled upon a dependency issue: > I wan't to use mail in my authenticator, but when the authenticator gets > actually loaded I get an class not found exception. > Somehow is java.mail.* not available in the classpath of providers which > are dropped in the configuration/providers path. 
> How can I use these dependencies? I could include them in my jar, but
> I guess that's not the "right" way.
>
> Thanks
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151123/1431ff37/attachment-0001.html

From erik.mulder at docdatapayments.com Mon Nov 23 08:07:08 2015
From: erik.mulder at docdatapayments.com (Erik Mulder)
Date: Mon, 23 Nov 2015 14:07:08 +0100
Subject: [keycloak-user] Provider Dependencies
References: <56530740.5060104@binaryninja.de> <56530D24.50508@binaryninja.de>
Message-ID: <9A5619B792BBA041AE094585791BB71C0137B668B08B@DDPEX01.DDP.dcloud.local>

Hi Ataraxus,

I think the way to solve this is 'tapping in' to the Wildfly module system. You need to add a module.xml to your provider jar under src/main/resources/modules/some/module/name/module.xml and include a reference to the JavaMail API there. That way you can tell Wildfly to include that on the classpath when it's loading your provider classes.

I'm sorry, but I'm not sure how exactly this works in detail with path names and module.xml contents. You can look at the keycloak sources for module.xml examples, read the Wildfly module system documentation, or maybe someone else on the mailing list can answer you in more detail. Good luck!
________________________________ From: Ataraxus To: "ewjmulder at yahoo.com" Sent: Monday, November 23, 2015 1:57 PM Subject: Re: [keycloak-user] Provider Dependencies Here is the code and the stacktrace just in case, maybe there is a better way to send email: private void send(UserModel user, AuthenticationFlowContext context, String subject, String textBody, String htmlBody) throws EmailException { try { String address = user.getEmail(); Map config = context.getRealm().getSmtpConfig(); Properties props = new Properties(); props.setProperty("mail.smtp.host", config.get("host")); boolean auth = "true".equals(config.get("auth")); boolean ssl = "true".equals(config.get("ssl")); boolean starttls = "true".equals(config.get("starttls")); if (config.containsKey("port")) { props.setProperty("mail.smtp.port", config.get("port")); } if (auth) { props.put("mail.smtp.auth", "true"); } if (ssl) { props.put("mail.smtp.socketFactory.port", config.get("port")); props.put("mail.smtp.socketFactory.class", "javax.net.ssl.SSLSocketFactory"); } if (starttls) { props.put("mail.smtp.starttls.enable", "true"); } String from = config.get("from"); Session session = Session.getInstance(props); Multipart multipart = new MimeMultipart("alternative"); if (textBody != null) { MimeBodyPart textPart = new MimeBodyPart(); textPart.setText(textBody, "UTF-8"); multipart.addBodyPart(textPart); } if (htmlBody != null) { MimeBodyPart htmlPart = new MimeBodyPart(); htmlPart.setContent(htmlBody, "text/html; charset=UTF-8"); multipart.addBodyPart(htmlPart); } Message msg = new MimeMessage(session); msg.setFrom(new InternetAddress(from)); msg.setHeader("To", address); msg.setSubject(subject); msg.setContent(multipart); msg.saveChanges(); msg.setSentDate(new Date()); Transport transport = session.getTransport("smtp"); if (auth) { transport.connect(config.get("user"), config.get("password")); } else { transport.connect(); } transport.sendMessage(msg, new InternetAddress[]{new InternetAddress(address)}); } 
catch (Exception e) { throw new EmailException(e); } } connect/auth JBWEB000309: type JBWEB000066: Exception report JBWEB000068: message request path: /auth/realms/MYAPP/protocol/openid-connect/auth JBWEB000069: description JBWEB000145: The server encountered an internal error that prevented it from fulfilling this request. JBWEB000070: exception java.lang.RuntimeException: request path: /auth/realms/MYAPP/protocol/openid-connect/auth org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:75) JBWEB000071: root cause org.jboss.resteasy.spi.UnhandledException: java.lang.NoClassDefFoundError: javax/mail/Multipart org.jboss.resteasy.core.SynchronousDispatcher.handleApplicationException(SynchronousDispatcher.java:364) org.jboss.resteasy.core.SynchronousDispatcher.handleException(SynchronousDispatcher.java:232) org.jboss.resteasy.core.SynchronousDispatcher.handleInvokerException(SynchronousDispatcher.java:208) org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:556) org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:523) org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:125) org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208) org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55) org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50) javax.servlet.http.HttpServlet.service(HttpServlet.java:847) org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61) JBWEB000071: root cause java.lang.NoClassDefFoundError: javax/mail/Multipart de.MYAPP.auth.authenticator.MYAPPEmailAuthenticatorFactory.create(MYAPPEmailAuthenticatorFactory.java:27) 
de.MYAPP.auth.authenticator.MYAPPEmailAuthenticatorFactory.create(MYAPPEmailAuthenticatorFactory.java:19) org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:124) org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:97) org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:650) org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.browserAuthentication(AuthorizationEndpoint.java:315) org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:265) org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:123) sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) java.lang.reflect.Method.invoke(Method.java:606) org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:168) org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269) org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227) org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:158) org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:106) org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:153) org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:91) org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:541) org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:523) org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:125) org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208) 
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)
JBWEB000071: root cause
java.lang.ClassNotFoundException: javax.mail.Multipart
java.net.URLClassLoader$1.run(URLClassLoader.java:366)
java.net.URLClassLoader$1.run(URLClassLoader.java:355)
java.security.AccessController.doPrivileged(Native Method)
java.net.URLClassLoader.findClass(URLClassLoader.java:354)
java.lang.ClassLoader.loadClass(ClassLoader.java:425)
java.lang.ClassLoader.loadClass(ClassLoader.java:358)
de.MYAPP.auth.authenticator.MYAPPEmailAuthenticatorFactory.create(MYAPPEmailAuthenticatorFactory.java:27)
de.MYAPP.auth.authenticator.MYAPPEmailAuthenticatorFactory.create(MYAPPEmailAuthenticatorFactory.java:19)
org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:124)
org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:97)
org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:650)
org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.browserAuthentication(AuthorizationEndpoint.java:315)
org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:265)
org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:123)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:606)
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:168)
org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269)
org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227)
org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:158)
org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:106)
org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:153)
org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:91)
org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:541)
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:523)
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:125)
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)

On 23.11.15 at 13:32, Ataraxus wrote:

Hey,

I'm writing my custom login provider, which works great so far, but I stumbled upon a dependency issue:
I want to use mail in my authenticator, but when the authenticator actually gets loaded I get a class not found exception.
Somehow javax.mail.* is not available in the classpath of providers which are dropped in the configuration/providers path.
How can I use these dependencies? I could include them in my jar, but I guess that's not the "right" way.

Thanks
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
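The module route that Erik Mulder sketches in the reply above (a module.xml that declares the JavaMail dependency) and the provider-registration step in the Keycloak documentation Stian points to, scripted end to end. This is an added example written for this page; it is not Keycloak's code and not the poster's. It assumes the Keycloak 1.x layout the docs describe: the provider jar plus a module.xml under $KEYCLOAK_HOME/modules/<module name as a path>/main/, the dependency module names org.keycloak.keycloak-core and org.keycloak.keycloak-server-spi, WildFly's JavaMail module name javax.mail.api, and a "providers" list in standalone/configuration/keycloak-server.json that gets a "module:<name>" entry. The module name de.myapp.auth, the jar name and the fixture directory are placeholders standing in for the poster's de.MYAPP.auth.authenticator package. The script also refuses a jar that shades javax.mail classes into itself, since the thread's own conclusion is that bundling the API in the provider jar is not the right way; the stack trace shows the provider being loaded by a plain java.net.URLClassLoader from the providers directory, which is why the server's own copy of the API is not visible there.

```python
"""Package a Keycloak provider as a WildFly module with a javax.mail.api dependency
and register it in keycloak-server.json. Added example, not Keycloak's code.

Assumptions (Keycloak 1.x docs): modules/<name path>/main/{jar,module.xml},
standalone/configuration/keycloak-server.json with a "providers" list,
WildFly module name javax.mail.api, dependency names below.
"""
import json
import os
import shutil
import tempfile
import zipfile
import xml.etree.ElementTree as ET

MODULE_XMLNS = "urn:jboss:module:1.3"
BASE_DEPENDENCIES = ("org.keycloak.keycloak-core", "org.keycloak.keycloak-server-spi")
# Packages the server already provides; a jar shipping its own copy is the
# "include them in my jar" route the thread rejects, so such jars are refused.
SERVER_PROVIDED_PREFIXES = ("javax/mail/", "com/sun/mail/")


def bundled_conflicts(jar_path):
    """Class entries in the jar that collide with server-provided packages."""
    with zipfile.ZipFile(jar_path) as jar:
        return [n for n in jar.namelist()
                if n.startswith(SERVER_PROVIDED_PREFIXES) and n.endswith(".class")]


def render_module_xml(module_name, jar_name, dependencies):
    """Build the JBoss Modules descriptor (module.xml) for one provider jar."""
    module = ET.Element("module", {"xmlns": MODULE_XMLNS, "name": module_name})
    resources = ET.SubElement(module, "resources")
    ET.SubElement(resources, "resource-root", {"path": jar_name})
    deps = ET.SubElement(module, "dependencies")
    for dep in dependencies:
        ET.SubElement(deps, "module", {"name": dep})
    if hasattr(ET, "indent"):  # pretty-print on Python 3.9+
        ET.indent(module)
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            + ET.tostring(module, encoding="unicode") + "\n")


def install_provider_module(keycloak_home, jar_path, module_name, extra_dependencies=()):
    """Copy the jar into modules/<name as path>/main/ beside a generated module.xml.
    Raises ValueError for jars that bundle server-provided classes; returns the dir."""
    conflicts = bundled_conflicts(jar_path)
    if conflicts:
        raise ValueError("provider jar bundles server-provided classes: " + ", ".join(conflicts))
    module_dir = os.path.join(keycloak_home, "modules", *module_name.split("."), "main")
    os.makedirs(module_dir, exist_ok=True)
    jar_name = os.path.basename(jar_path)
    shutil.copyfile(jar_path, os.path.join(module_dir, jar_name))
    dependencies = list(BASE_DEPENDENCIES) + list(extra_dependencies)
    with open(os.path.join(module_dir, "module.xml"), "w", encoding="utf-8") as fh:
        fh.write(render_module_xml(module_name, jar_name, dependencies))
    return module_dir


def register_provider(keycloak_home, module_name):
    """Append "module:<name>" to the providers list in keycloak-server.json (idempotent)."""
    cfg_path = os.path.join(keycloak_home, "standalone", "configuration", "keycloak-server.json")
    with open(cfg_path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    providers = cfg.setdefault("providers", [])
    entry = "module:" + module_name
    if entry not in providers:
        providers.append(entry)
        with open(cfg_path, "w", encoding="utf-8") as fh:
            json.dump(cfg, fh, indent=4)
            fh.write("\n")
    return list(providers)


def make_demo_home(bundle_javamail=False):
    """Constructed fixture: a throwaway Keycloak home with the default providers
    entry and a stub provider jar (optionally with javax.mail shaded into it)."""
    home = tempfile.mkdtemp(prefix="kc-demo-")
    cfg_dir = os.path.join(home, "standalone", "configuration")
    os.makedirs(cfg_dir)
    with open(os.path.join(cfg_dir, "keycloak-server.json"), "w", encoding="utf-8") as fh:
        json.dump({"providers": ["classpath:${jboss.server.config.dir}/providers/*"]}, fh)
    jar_path = os.path.join(home, "myapp-email-authenticator.jar")  # placeholder name
    with zipfile.ZipFile(jar_path, "w") as jar:
        jar.writestr("de/myapp/auth/MyAppEmailAuthenticatorFactory.class", b"")
        jar.writestr("META-INF/services/org.keycloak.authentication.AuthenticatorFactory",
                     "de.myapp.auth.MyAppEmailAuthenticatorFactory\n")
        if bundle_javamail:
            jar.writestr("javax/mail/Multipart.class", b"")
    return home, jar_path


if __name__ == "__main__":
    home, jar = make_demo_home()
    module_dir = install_provider_module(home, jar, "de.myapp.auth", ["javax.mail.api"])
    with open(os.path.join(module_dir, "module.xml"), encoding="utf-8") as fh:
        print(fh.read())
    print(register_provider(home, "de.myapp.auth"))
```

Against a real installation, call install_provider_module with KEYCLOAK_HOME, the built jar and your module name, then register_provider with the same name, and restart the server. If the class still cannot be found, check that the WildFly under Keycloak actually ships a javax.mail.api module (look under modules/system/layers/base/) before adding more dependencies.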
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151123/94042fca/attachment-0001.html

From sthorger at redhat.com Mon Nov 23 08:18:01 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 23 Nov 2015 14:18:01 +0100
Subject: [keycloak-user] Provider Dependencies
In-Reply-To: <9A5619B792BBA041AE094585791BB71C0137B668B08B@DDPEX01.DDP.dcloud.local>
References: <56530740.5060104@binaryninja.de> <56530D24.50508@binaryninja.de> <9A5619B792BBA041AE094585791BB71C0137B668B08B@DDPEX01.DDP.dcloud.local>
Message-ID:

Just look at Keycloak documentation:
http://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html#d4e458

On 23 November 2015 at 14:07, Erik Mulder wrote:
> Hi Ataraxus,
>
> I think the way to solve this is 'tapping in' to the Wildfly module
> system. You need to add a module.xml to your provider jar under
> src/main/resources/modules/some/module/name/module.xml and include a
> reference to the java mail api there. That way you can tell Wildfly to
> include that on the classpath when it's loading your provider classes.
>
> I'm sorry, but I'm not sure how exactly this works in detail with path
> names and module.xml contents. You can look at the keycloak sources for
> module.xml examples, read the Wildfly module system documentation or maybe
> someone else on the mailing list can answer you in more detail. Good luck!
>
> ------------------------------
> *From:* Ataraxus
> *To:* "ewjmulder at yahoo.com"
> *Sent:* Monday, November 23, 2015 1:57 PM
> *Subject:* Re: [keycloak-user] Provider Dependencies
>
> Here is the code and the stacktrace just in case, maybe there is a better
> way to send email:
>
> import java.util.Date;
> import java.util.Map;
> import java.util.Properties;
> import javax.mail.Message;
> import javax.mail.Multipart;
> import javax.mail.Session;
> import javax.mail.Transport;
> import javax.mail.internet.InternetAddress;
> import javax.mail.internet.MimeBodyPart;
> import javax.mail.internet.MimeMessage;
> import javax.mail.internet.MimeMultipart;
> import org.keycloak.authentication.AuthenticationFlowContext;
> import org.keycloak.email.EmailException;
> import org.keycloak.models.UserModel;
>
> private void send(UserModel user, AuthenticationFlowContext context,
>                   String subject, String textBody, String htmlBody) throws EmailException {
>     try {
>         String address = user.getEmail();
>         // SMTP settings come from the realm's email configuration
>         Map<String, String> config = context.getRealm().getSmtpConfig();
>
>         Properties props = new Properties();
>         props.setProperty("mail.smtp.host", config.get("host"));
>
>         boolean auth = "true".equals(config.get("auth"));
>         boolean ssl = "true".equals(config.get("ssl"));
>         boolean starttls = "true".equals(config.get("starttls"));
>
>         if (config.containsKey("port")) {
>             props.setProperty("mail.smtp.port", config.get("port"));
>         }
>
>         if (auth) {
>             props.put("mail.smtp.auth", "true");
>         }
>
>         if (ssl) {
>             props.put("mail.smtp.socketFactory.port", config.get("port"));
>             props.put("mail.smtp.socketFactory.class", "javax.net.ssl.SSLSocketFactory");
>         }
>
>         if (starttls) {
>             props.put("mail.smtp.starttls.enable", "true");
>         }
>
>         String from = config.get("from");
>
>         Session session = Session.getInstance(props);
>
>         // multipart/alternative: plain-text part first, HTML part second
>         Multipart multipart = new MimeMultipart("alternative");
>
>         if (textBody != null) {
>             MimeBodyPart textPart = new MimeBodyPart();
>             textPart.setText(textBody, "UTF-8");
>             multipart.addBodyPart(textPart);
>         }
>
>         if (htmlBody != null) {
>             MimeBodyPart htmlPart = new MimeBodyPart();
>             htmlPart.setContent(htmlBody, "text/html; charset=UTF-8");
>             multipart.addBodyPart(htmlPart);
>         }
>
>         Message msg = new MimeMessage(session);
>         msg.setFrom(new InternetAddress(from));
>         msg.setHeader("To", address);
>         msg.setSubject(subject);
>         msg.setContent(multipart);
>         msg.saveChanges();
>         msg.setSentDate(new Date());
>
>         Transport transport = session.getTransport("smtp");
>         if (auth) {
>             transport.connect(config.get("user"), config.get("password"));
>         } else {
>             transport.connect();
>         }
>         transport.sendMessage(msg, new InternetAddress[]{new InternetAddress(address)});
>     } catch (Exception e) {
>         throw new EmailException(e);
>     }
> }
>
> connect/auth
>
> JBWEB000309: type JBWEB000066: Exception report
>
> JBWEB000068: message request path: /auth/realms/MYAPP/protocol/openid-connect/auth
>
> JBWEB000069: description JBWEB000145: The server encountered an internal
> error that prevented it from fulfilling this request.
>
> JBWEB000070: exception
>
> java.lang.RuntimeException: request path: /auth/realms/MYAPP/protocol/openid-connect/auth
> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:75)
> JBWEB000071: root cause
>
> org.jboss.resteasy.spi.UnhandledException: java.lang.NoClassDefFoundError: javax/mail/Multipart
> org.jboss.resteasy.core.SynchronousDispatcher.handleApplicationException(SynchronousDispatcher.java:364)
> org.jboss.resteasy.core.SynchronousDispatcher.handleException(SynchronousDispatcher.java:232)
> org.jboss.resteasy.core.SynchronousDispatcher.handleInvokerException(SynchronousDispatcher.java:208)
> org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:556)
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:523)
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:125)
> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
> javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)
> JBWEB000071: root cause
>
> java.lang.NoClassDefFoundError: javax/mail/Multipart
> de.MYAPP.auth.authenticator.MYAPPEmailAuthenticatorFactory.create(MYAPPEmailAuthenticatorFactory.java:27)
> de.MYAPP.auth.authenticator.MYAPPEmailAuthenticatorFactory.create(MYAPPEmailAuthenticatorFactory.java:19)
> org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:124)
> org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:97)
> org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:650)
> org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.browserAuthentication(AuthorizationEndpoint.java:315)
> org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:265)
> org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:123)
> sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> java.lang.reflect.Method.invoke(Method.java:606)
> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:168)
> org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269)
> org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227)
> org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:158)
> org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:106)
> org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:153)
> org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:91)
> org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:541)
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:523)
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:125)
> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
> javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)
> JBWEB000071: root cause
>
> java.lang.ClassNotFoundException: javax.mail.Multipart
> java.net.URLClassLoader$1.run(URLClassLoader.java:366)
> java.net.URLClassLoader$1.run(URLClassLoader.java:355)
> java.security.AccessController.doPrivileged(Native Method)
> java.net.URLClassLoader.findClass(URLClassLoader.java:354)
> java.lang.ClassLoader.loadClass(ClassLoader.java:425)
> java.lang.ClassLoader.loadClass(ClassLoader.java:358)
> de.MYAPP.auth.authenticator.MYAPPEmailAuthenticatorFactory.create(MYAPPEmailAuthenticatorFactory.java:27)
> de.MYAPP.auth.authenticator.MYAPPEmailAuthenticatorFactory.create(MYAPPEmailAuthenticatorFactory.java:19)
> org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:124)
> org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:97)
> org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:650)
> org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.browserAuthentication(AuthorizationEndpoint.java:315)
> org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:265)
> org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:123)
> sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> java.lang.reflect.Method.invoke(Method.java:606)
> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:168)
> org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269)
> org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227)
> org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:158)
> org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:106)
> org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:153)
> org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:91)
> org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:541)
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:523)
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:125)
> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
> javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)
>
> On 23.11.15 at 13:32, Ataraxus wrote:
>
> Hey,
>
> I'm writing my custom login provider, which works great so far, but I
> stumbled upon a dependency issue:
> I want to use mail in my authenticator, but when the authenticator
> actually gets loaded I get a class not found exception.
> Somehow javax.mail.* is not available in the classpath of providers which
> are dropped in the configuration/providers path.
> How can I use these dependencies? I could include them in my jar, but
> I guess that's not the "right" way.
>
> Thanks
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151123/110441ff/attachment-0001.html

From erik.mulder at docdatapayments.com Mon Nov 23 08:28:47 2015
From: erik.mulder at docdatapayments.com (Erik Mulder)
Date: Mon, 23 Nov 2015 14:28:47 +0100
Subject: [keycloak-user] Provider Dependencies
References: <56530740.5060104@binaryninja.de> <56530D24.50508@binaryninja.de> <9A5619B792BBA041AE094585791BB71C0137B668B08B@DDPEX01.DDP.dcloud.local>
Message-ID: <9A5619B792BBA041AE094585791BB71C0137B668B08C@DDPEX01.DDP.dcloud.local>

Ah, of course, thanks Stian!

Sorry I didn't mention this, I'm poisoned by too many poorly documented projects where you have to dive into the sources to get your answers. ;-)

But the Keycloak documentation is actually very good.

On 23/11/15 14:18, Stian Thorgersen wrote:
Just look at Keycloak documentation: http://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html#d4e458

On 23 November 2015 at 14:07, Erik Mulder wrote:
Hi Ataraxus,

I think the way to solve this is 'tapping in' to the Wildfly module system. You need to add a module.xml to your provider jar under src/main/resources/modules/some/module/name/module.xml and include a reference to the java mail api there. That way you can tell Wildfly to include that on the classpath when it's loading your provider classes.

I'm sorry, but I'm not sure how exactly this works in detail with path names and module.xml contents.
You can look at the keycloak sources for module.xml examples, read the Wildfly module system documentation or maybe someone else on the mailing list can answer you in more detail. Good luck!

________________________________
From: Ataraxus
To: "ewjmulder at yahoo.com"
Sent: Monday, November 23, 2015 1:57 PM
Subject: Re: [keycloak-user] Provider Dependencies

Here is the code and the stacktrace just in case, maybe there is a better way to send email:

[send() method, stack trace and original question quoted again here, identical to the copy in Stian Thorgersen's reply above]

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151123/3b3b4b15/attachment-0001.html

From sthorger at redhat.com Mon Nov 23 08:33:06 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 23 Nov 2015 14:33:06 +0100
Subject: [keycloak-user] Provider Dependencies
In-Reply-To: <9A5619B792BBA041AE094585791BB71C0137B668B08C@DDPEX01.DDP.dcloud.local>
References: <56530740.5060104@binaryninja.de> <56530D24.50508@binaryninja.de> <9A5619B792BBA041AE094585791BB71C0137B668B08B@DDPEX01.DDP.dcloud.local> <9A5619B792BBA041AE094585791BB71C0137B668B08C@DDPEX01.DDP.dcloud.local>
Message-ID:

On 23 November 2015 at 14:28, Erik Mulder wrote:
> Ah, of course, thanks Stian!
>
> Sorry I didn't mention this, I'm poisoned by too many poorly documented
> projects where you have to dive into the sources to get your answers. ;-)
>
> But the Keycloak documentation is actually very good.

Thanks, pleased to know they're not too bad ;)

> On 23/11/15 14:18, Stian Thorgersen wrote:
>
> Just look at Keycloak documentation:
> http://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html#d4e458
>
> On 23 November 2015 at 14:07, Erik Mulder wrote:
>
>> Hi Ataraxus,
>>
>> I think the way to solve this is 'tapping in' to the Wildfly module
>> system. You need to add a module.xml to your provider jar under
>> src/main/resources/modules/some/module/name/module.xml and include a
>> reference to the java mail api there. That way you can tell Wildfly to
>> include that on the classpath when it's loading your provider classes.
>>
>> I'm sorry, but I'm not sure how exactly this works in detail with path
>> names and module.xml contents.
You can look at the keycloak sources for >> module.xml examples, read the Wildfly module system documentation or maybe >> someone else on the mailing list can answer you in more detail. Good luck! >> >> >> ------------------------------ >> *From:* Ataraxus >> *To:* "ewjmulder at yahoo.com" >> >> *Sent:* Monday, November 23, 2015 1:57 PM >> *Subject:* Re: [keycloak-user] Provider Dependencies >> >> Here is the code and the stacktrace just in case, maybe there is a better >> way to send email: >> >> private void send(UserModel user, AuthenticationFlowContext context, >> String subject, String textBody, String htmlBody) throws EmailException { >> try { >> String address = user.getEmail(); >> Map config = >> context.getRealm().getSmtpConfig(); >> >> Properties props = new Properties(); >> props.setProperty("mail.smtp.host", config.get("host")); >> >> boolean auth = "true".equals(config.get("auth")); >> boolean ssl = "true".equals(config.get("ssl")); >> boolean starttls = "true".equals(config.get("starttls")); >> >> if (config.containsKey("port")) { >> props.setProperty("mail.smtp.port", config.get("port")); >> } >> >> if (auth) { >> props.put("mail.smtp.auth", "true"); >> } >> >> if (ssl) { >> props.put("mail.smtp.socketFactory.port", >> config.get("port")); >> props.put("mail.smtp.socketFactory.class", >> "javax.net.ssl.SSLSocketFactory"); >> } >> >> if (starttls) { >> props.put("mail.smtp.starttls.enable", "true"); >> } >> >> String from = config.get("from"); >> >> Session session = Session.getInstance(props); >> >> Multipart multipart = new MimeMultipart("alternative"); >> >> if (textBody != null) { >> MimeBodyPart textPart = new MimeBodyPart(); >> textPart.setText(textBody, "UTF-8"); >> multipart.addBodyPart(textPart); >> } >> >> if (htmlBody != null) { >> MimeBodyPart htmlPart = new MimeBodyPart(); >> htmlPart.setContent(htmlBody, "text/html; charset=UTF-8"); >> multipart.addBodyPart(htmlPart); >> } >> >> Message msg = new MimeMessage(session); >> msg.setFrom(new 
>> InternetAddress(from));
>> msg.setHeader("To", address);
>> msg.setSubject(subject);
>> msg.setContent(multipart);
>> msg.saveChanges();
>> msg.setSentDate(new Date());
>>
>> Transport transport = session.getTransport("smtp");
>> if (auth) {
>> transport.connect(config.get("user"), config.get("password"));
>> } else {
>> transport.connect();
>> }
>> transport.sendMessage(msg, new InternetAddress[]{new InternetAddress(address)});
>> } catch (Exception e) {
>> throw new EmailException(e);
>> }
>> }
>>
>> connect/auth
>>
>> JBWEB000309: type JBWEB000066: Exception report
>>
>> JBWEB000068: message request path: /auth/realms/MYAPP/protocol/openid-connect/auth
>>
>> JBWEB000069: description JBWEB000145: The server encountered an internal error that prevented it from fulfilling this request.
>>
>> JBWEB000070: exception
>>
>> java.lang.RuntimeException: request path: /auth/realms/MYAPP/protocol/openid-connect/auth
>> JBWEB000071: root cause
>>
>> org.jboss.resteasy.spi.UnhandledException: java.lang.NoClassDefFoundError: javax/mail/Multipart
>> JBWEB000071: root cause
>>
>> java.lang.NoClassDefFoundError: javax/mail/Multipart
>> de.MYAPP.auth.authenticator.MYAPPEmailAuthenticatorFactory.create(MYAPPEmailAuthenticatorFactory.java:27)
>> JBWEB000071: root cause
>>
>> java.lang.ClassNotFoundException: javax.mail.Multipart
>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
>> javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)
>>
>> Am 23.11.15 um 13:32 schrieb Ataraxus:
>>
>> Hey,
>>
>> I'm writing my custom login provider which works great so far, but I
>> stumbled upon a dependency issue:
>> I want to use mail in my authenticator, but when the authenticator gets
>> actually loaded I get a class not found exception.
>> Somehow java.mail.* is not available in the classpath of providers which
>> are dropped in the configuration/providers path.
>> How can I use these dependencies? I could include them into my jar, but
>> I guess that's not the "right" way.
>>
>> Thanks
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151123/e09ea002/attachment-0001.html

From atx at binaryninja.de Mon Nov 23 08:44:29 2015
From: atx at binaryninja.de (Ataraxus)
Date: Mon, 23 Nov 2015 14:44:29 +0100
Subject: [keycloak-user] Provider Dependencies
In-Reply-To:
References: <56530740.5060104@binaryninja.de> <56530D24.50508@binaryninja.de> <9A5619B792BBA041AE094585791BB71C0137B668B08B@DDPEX01.DDP.dcloud.local>
Message-ID: <5653183D.2010000@binaryninja.de>

Hello Erik, Hey Stian,

thanks for the clarification. I tried as suggested in the keycloak documentation, but somehow it didn't work :(
I'm deploying it by dropping the jar into the providers folder and restarting jboss.
How can I verify if it was loaded as a module? I'm using EAP 6.4 Overlay btw.

This is the content of my .jar

MYAPP.authenticator
├── META-INF
│   ├── MANIFEST.MF
│   ├── maven
│   │   └── de.MYAPP.auth
│   │       └── MYAPP.authenticator
│   │           ├── pom.properties
│   │           └── pom.xml
│   └── services
│       └── org.keycloak.authentication.AuthenticatorFactory
├── de
│   └── MYAPP
│       └── auth
│           └── authenticator
│               ├── MYAPPEmailAuthenticator.class
│               ├── MYAPPEmailAuthenticatorFactory.class
│               ├── MYAPPSAPAuthenticator.class
│               ├── MYAPPSAPAuthenticatorFactory.class
│               └── beans
│                   └── ProfileBean.class
└── modules
    └── de
        └── MYAPP
            └── auth
                └── authenticator
                    └── module.xml

module.xml looks like this:

Am 23.11.15 um 14:18 schrieb Stian Thorgersen:
> Just look at Keycloak documentation:
> http://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html#d4e458
>
> On 23 November 2015 at 14:07, Erik Mulder wrote:
>
> Hi Ataraxus,
>
> I think the way to solve this is 'tapping in' to the Wildfly
> module system. You need to add a module.xml to your provider jar
> under src/main/resources/modules/some/module/name/module.xml and
> include a reference to the java mail api there. That way you can
> tell Wildfly to include that on the classpath when it's loading
> your provider classes.
>
> I'm sorry, but I'm not sure how exactly this works in detail with
> path names and module.xml contents. You can look at the keycloak
> sources for module.xml examples, read the Wildfly module system
> documentation or maybe someone else on the mailing list can answer
> you in more detail. Good luck!
> Am 23.11.15 um 13:32 schrieb Ataraxus:
>> Hey,
>>
>> I'm writing my custom login provider which works great so far, but I
>> stumbled upon a dependency issue:
>> I want to use mail in my authenticator, but when the authenticator gets
>> actually loaded I get a class not found exception.
>> Somehow java.mail.* is not available in the classpath of providers which
>> are dropped in the configuration/providers path.
>> How can I use these dependencies? I could include them into my jar, but
>> I guess that's not the "right" way.
>>
>> Thanks

From sthorger at redhat.com Mon Nov 23 08:50:23 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 23 Nov 2015 14:50:23 +0100
Subject: [keycloak-user] Provider Dependencies
In-Reply-To: <5653183D.2010000@binaryninja.de>
References: <56530740.5060104@binaryninja.de> <56530D24.50508@binaryninja.de> <9A5619B792BBA041AE094585791BB71C0137B668B08B@DDPEX01.DDP.dcloud.local> <5653183D.2010000@binaryninja.de>
Message-ID:

If you are deploying as a module it should not be in the providers folder. It should be in modules/... and you refer to it in keycloak-server.json by adding a module:

On 23 November 2015 at 14:44, Ataraxus wrote:

> Hello Erik, Hey Stian,
>
> thanks for the clarification. I tried as suggested in the keycloak
> documentation, but somehow it didn't work :(
> I'm deploying it by dropping the jar into the providers folder and
> restarting jboss.
> How can I verify if it was loaded as a module? I'm using EAP 6.4 Overlay
> btw.
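Stian's pointer above (module under modules/, referenced from keycloak-server.json), written out as an added example that is not code from the thread or from Keycloak: a POSIX shell script that lays out the module directory, writes a module.xml declaring the javax.mail.api dependency the flat providers/ classloader cannot see, and emits the providers entry to merge into keycloak-server.json. The module name and jar name are assumptions taken from the jar layout quoted above; the dependency module names are the ones shipped with WildFly/EAP 6.4 and Keycloak 1.x; the only argument is the server root ($JBOSS_HOME).

```shell
#!/bin/sh
# Added example, not from the thread: deploy the authenticator as a
# WildFly/EAP module so it can depend on the javax.mail.api module.
# Assumptions: module name de.MYAPP.auth.authenticator and jar name
# MYAPP.authenticator.jar (from the jar layout quoted in the thread);
# dependency module names as shipped with WildFly/EAP 6.4 and Keycloak 1.x.
set -eu

MODULE_NAME="de.MYAPP.auth.authenticator"
JAR_NAME="MYAPP.authenticator.jar"

# Module directory: <server root>/modules/<name with dots as slashes>/main
# ("main" is the default slot).
module_dir() {
  printf '%s/modules/%s/main\n' "$1" "$(printf '%s' "$MODULE_NAME" | tr . /)"
}

# Write module.xml into the module directory; prints the path written.
# The jar itself must be copied into the same directory.
write_module_xml() {
  dir=$(module_dir "$1")
  mkdir -p "$dir"
  cat > "$dir/module.xml" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="urn:jboss:module:1.1" name="$MODULE_NAME">
    <resources>
        <resource-root path="$JAR_NAME"/>
    </resources>
    <dependencies>
        <!-- javax.mail lives in its own module; without this entry the
             authenticator fails with NoClassDefFoundError: javax/mail/Multipart -->
        <module name="javax.mail.api"/>
        <module name="org.keycloak.keycloak-core"/>
        <module name="org.keycloak.keycloak-server-spi"/>
    </dependencies>
</module>
EOF
  printf '%s\n' "$dir/module.xml"
}

# The "providers" entry for standalone/configuration/keycloak-server.json:
# keep the classpath scan of providers/ and add the module reference.
# Written as a fragment to merge by hand; ${jboss.server.config.dir} is
# expanded by the server, so it is written literally. Prints the path.
write_providers_fragment() {
  out="$1/providers-fragment.json"
  printf '"providers": [\n    "classpath:${jboss.server.config.dir}/providers/*",\n    "module:%s"\n]\n' \
    "$MODULE_NAME" > "$out"
  printf '%s\n' "$out"
}

# Pre-flight check: does module.xml ($1) declare a dependency on module $2?
module_declares_dep() {
  grep -qF "<module name=\"$2\"/>" "$1"
}

# Pre-flight check: is the jar sitting next to module.xml under server root $1?
module_has_jar() {
  [ -f "$(module_dir "$1")/$JAR_NAME" ]
}

# Usage: ./module-layout.sh "$JBOSS_HOME"
if [ "$#" -eq 1 ]; then
  xml=$(write_module_xml "$1")
  frag=$(write_providers_fragment "$1")
  echo "wrote $xml and $frag; copy $JAR_NAME into $(module_dir "$1") and restart"
  module_declares_dep "$xml" javax.mail.api && echo "javax.mail.api dependency declared"
fi
```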
provider which works great so far, but i >> stumbled upon a dependency issue: >> I wan't to use mail in my authenticator, but when the authenticator gets >> actually loaded I get an class not found exception. >> Somehow is java.mail.* not available in the classpath of providers which >> are dropped in the configuration/providers path. >> How can i use these dependencies? I could include them into my jar, but >> i guess thats not the "right" way. >> >> Thanks >> _______________________________________________ >> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151123/2a8722a6/attachment-0001.html From bburke at redhat.com Mon Nov 23 09:18:49 2015 From: bburke at redhat.com (Bill Burke) Date: Mon, 23 Nov 2015 09:18:49 -0500 Subject: [keycloak-user] Proxy configuration issue (Bill Burke) In-Reply-To: References: Message-ID: <56532049.5020502@redhat.com> On 11/23/2015 4:29 AM, Adrian Matei wrote: > Hi Bill, > > The problem was that the proxy did not ask the user to "login", but it > was my error because I had forgotten to configure the "constraints" > section in proxy.json > Doh! Sorry, I should have thought of that. I haven't looked at the Proxy in a year. > The issue I am having now is that the "sign out" from another > application in the same realm, doesn't sign out the user in the proxied > application (the "session" cookie is still present) - should I configure > something special regarding this? > Keycloak logout is a backchannel logout, meaning it doesn't go through the browser. The user should be logged out of the proxy and will have to relogin again. There's just no callback back to the application. There maybe someting I can do here. I'm not going to be able to look at it for a couple of weeks though as I have other stuff in the queue. 
-- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Mon Nov 23 09:22:47 2015 From: bburke at redhat.com (Bill Burke) Date: Mon, 23 Nov 2015 09:22:47 -0500 Subject: [keycloak-user] SAML attribute extraction and invalid_redirect_uri In-Reply-To: References: Message-ID: <56532137.40504@redhat.com> On 11/23/2015 5:26 AM, Joseph.George at finantix.com wrote: > Dear All > > May I ask - how to get the user id and other SAML additional attributes > which the server asserts. Do you have any url for a java program to extract > this info from the client/service provider program > Did you see the "Mappers" tab within Client configuration in the admin console? Hopefully the tooltips ( the little "?" on the screen) make this self-describing. > > Secondly, > I am running keycloak server in standalone mode and defined realm - demo > with SAML and users/roles etc > Now, once I access http://localhost:8280/sample/, it is getting redirected to the > IDP server, but it is not challenging for user authentication.. > it just says "Invalid redirect uri".. > You need to configure a valid redirect URI for your application in the Client tab in the keycloak admin console. You also need to specify the Master SAML Processing URL or the Single Signon/Logout Service URL and the binding you want to use. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From mposolda at redhat.com Mon Nov 23 10:12:39 2015 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 23 Nov 2015 16:12:39 +0100 Subject: [keycloak-user] [OAuth2.0] scope parameter In-Reply-To: References: Message-ID: <56532CE7.7050901@redhat.com> For now, it's just roleName for realm roles and clientId/roleName for client roles. For example with client "foo" and client role "bar" in it, you may have "foo/bar" . The param also needs to be encoded. Note that format may change in the future... 
Marek On 23/11/15 12:17, Pavel Maslov wrote: > Hi everyone, > > > I am testing my API service (secured with Keycloak) using the > Postman's OAuth2.0 workflow. In my Keycloak client's role I have > enabled the Scope Param Required setting, but I am not being asked to > consent to this role. > > What is the format of the scope variable? > Thanks! > > > Regards, > Pavel Maslov, MS > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151123/d4cbd505/attachment.html From pavel.masloff at gmail.com Mon Nov 23 13:22:51 2015 From: pavel.masloff at gmail.com (Pavel Maslov) Date: Mon, 23 Nov 2015 19:22:51 +0100 Subject: [keycloak-user] [Identity Providers] set default roles for a Client Message-ID: Hello everyone, Is it possible to set default roles to all users of an Identity Provider (e.g. github)? Use case: I have a client registered in my realm. This client has a set of roles. I would like to apply those roles to all github users (no manual assigning). Thanks. Regards, Pavel Maslov, MS -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151123/33d86f9c/attachment.html From haavard.wigtil at kantega.no Mon Nov 23 14:00:37 2015 From: haavard.wigtil at kantega.no (Håvard Wigtil) Date: Mon, 23 Nov 2015 20:00:37 +0100 Subject: [keycloak-user] Are relative redirect URIs supported? Message-ID: <56536255.20809@kantega.no> I'm trying to get a relative (i.e. path only with no host) redirect URI for a Keycloak client to work. My client works with full host and path, but if I remove the host part I get an illegal parameter error. The inline help bubble has the following sentence: "Relative path can be specified too, i.e. 
/my/relative/path/*." So as far as I can tell, it should work according to the help message. As I was trying to find out more about this I came across Jira issue KEYCLOAK-8[1], where a comment pointed to section 3.2.1[2] of the OAuth 2.0 spec. If I'm reading the spec correctly the redirect *must* be absolute to be conformant with the spec. Is the inline help wrong, or is it something here that I don't get? Håvard [1] https://issues.jboss.org/browse/KEYCLOAK-8 [2] https://tools.ietf.org/html/rfc6749#section-3.1.2 From sthorger at redhat.com Mon Nov 23 14:17:55 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 23 Nov 2015 20:17:55 +0100 Subject: [keycloak-user] Are relative redirect URIs supported? In-Reply-To: <56536255.20809@kantega.no> References: <56536255.20809@kantega.no> Message-ID: On 23 November 2015 at 20:00, Håvard Wigtil wrote: > I'm trying to get a relative (i.e. path only with no host) redirect URI > for a Keycloak client to work. My client works with full host and path, > but if I remove the host part I get an illegal parameter error. > What do you mean you get an illegal parameter error? > > The inline help bubble has the following sentence: "Relative path can be > specified too, i.e. /my/relative/path/*." > So as far as I can tell, it should work according to the help message. > As I was trying to find out more about this I came across Jira issue > KEYCLOAK-8[1], where a comment pointed to section 3.2.1[2] of the OAuth > 2.0 spec. If I'm reading the spec correctly the redirect *must* be > absolute to be conformant with the spec. > Relative URLs are supported, but they are resolved to absolute URLs by adding the Root URL of the client. If you don't specify the root URL the root URL of Keycloak is used. > > Is the inline help wrong, or is it something here that I don't get? 
> > Håvard > > > [1] https://issues.jboss.org/browse/KEYCLOAK-8 > [2] https://tools.ietf.org/html/rfc6749#section-3.1.2 > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151123/d15ab800/attachment.html From bburke at redhat.com Mon Nov 23 14:19:28 2015 From: bburke at redhat.com (Bill Burke) Date: Mon, 23 Nov 2015 14:19:28 -0500 Subject: [keycloak-user] Are relative redirect URIs supported? In-Reply-To: <56536255.20809@kantega.no> References: <56536255.20809@kantega.no> Message-ID: <565366C0.2060006@redhat.com> A relative URI *will not* be accepted if it is passed as a query parameter when a client is requesting a code. An absolute URI *MUST BE* sent via the redirect_uri query parameter. For admin console config, if you put in relative path in your valid redirect URIs, it uses the host/port of the auth server. A bunch of the demos work that way. So, if you host the auth server on mydomain.com, https://localhost/my/relative/path will match and https://mydomain.com/my/relative/path will work too. Make sense? On 11/23/2015 2:00 PM, Håvard Wigtil wrote: > I'm trying to get a relative (i.e. path only with no host) redirect URI > for a Keycloak client to work. My client works with full host and path, > but if I remove the host part I get an illegal parameter error. > > The inline help bubble has the following sentence: "Relative path can be > specified too, i.e. /my/relative/path/*." > So as far as I can tell, it should work according to the help message. > As I was trying to find out more about this I came across Jira issue > KEYCLOAK-8[1], where a comment pointed to section 3.2.1[2] of the OAuth > 2.0 spec. 
If I'm reading the spec correctly the redirect *must* be > absolute to be conformant with the spec. > > Is the inline help wrong, or is it something here that I don't get? > > Håvard > > > [1] https://issues.jboss.org/browse/KEYCLOAK-8 > [2] https://tools.ietf.org/html/rfc6749#section-3.1.2 > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Mon Nov 23 14:31:48 2015 From: bburke at redhat.com (Bill Burke) Date: Mon, 23 Nov 2015 14:31:48 -0500 Subject: [keycloak-user] [Identity Providers] set default roles for a Client In-Reply-To: References: Message-ID: <565369A4.9090305@redhat.com> You have to use the HardcodedRole mapper. On 11/23/2015 1:22 PM, Pavel Maslov wrote: > Hello everyone, > > > Is it possible to set default roles to all users of an Identity Provider > (e.g. github)? > Usecase: I have a client registered in my realm. This client has a set > of roles. I would like to apply those roles to all github users (no > manual assigning). > > Thanks. > > Regards, > Pavel Maslov, MS > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From traviskds at gmail.com Mon Nov 23 14:45:46 2015 From: traviskds at gmail.com (Travis De Silva) Date: Mon, 23 Nov 2015 19:45:46 +0000 Subject: [keycloak-user] Securing dynamic services In-Reply-To: References: Message-ID: What I have done is mapped my urls (i.e. resource) to roles in my own app. Then I have a security filter that will get the user roles from keycloak and check if the role has access to the urls (i.e. resource). Note my services are JEE. I am also very keen if this can be done within keycloak. 
Stian any pointers to the POC that I can look into to understand the keycloak approach? Cheers Travis On Mon, 23 Nov 2015 at 20:46 Stian Thorgersen wrote: > We are currently doing a POC on adding authorization services to Keycloak. > In summary what roles can access what URLs, but much more flexible and > powerful than that. That's not going to be ready until sometime next year. > > If you're interested you could give that a go, but it's pre-alpha at the > moment, so not something to use in production for sure. > > On 21 November 2015 at 01:41, Jose Suero wrote: > >> I've installed keycloak to secure a software as a service application >> that allows users to create scripts they can run as services, for the >> authentication part keycloak works like a charm, users are required to >> enter a login and I get their roles and everything. >> >> The idea is to let users create services and roles, and assign them to >> users, this all works >> >> The issue I'm having is authorization, since I have no knowledge beforehand >> of what services or roles would be created I can't use Security >> Constraints on web.xml or annotations. >> >> Since I have the roles I could write a function that does authorizations, >> but would love for keycloak to do it for me, I'm already passing realms to >> keycloak as the multi-tenant example, is there any way I could assign urls >> to roles I create so keycloak checks whether or not I can access that url? >> >> >> thanks in advance >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151123/5acd0888/attachment.html From sthorger at redhat.com Mon Nov 23 15:07:47 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 23 Nov 2015 21:07:47 +0100 Subject: [keycloak-user] Securing dynamic services In-Reply-To: References: Message-ID: We should hopefully have an early alpha ready in a few weeks. On 23 November 2015 at 20:45, Travis De Silva wrote: > What I have done is mapped my urls (i.e. resource) to roles in my own app. > > Then I have a security filter that will get the user roles from keycloak > and check if the role has access to the urls (i.e. resource). Note my > services are JEE. > > I am also very keen if this can be done within keycloak. Stian any > pointers to the POC that I can look into to understand the keycloak > approach? > > Cheers > Travis > > > On Mon, 23 Nov 2015 at 20:46 Stian Thorgersen wrote: > >> We are currently doing a POC on adding authorization services to >> Keycloak. In summary what roles can access what URLs, but much more >> flexible and powerful than that. That's not going to be ready until >> sometime next year. >> >> If you're interested you could give that a go, but it's pre-alpha at the >> moment, so not something to use in production for sure. >> >> On 21 November 2015 at 01:41, Jose Suero wrote: >> >>> I've installed keycloak to secure a software as a service application >>> that allows users to create scripts they can run as services, for the >>> authentication part keycloak works like a charm, users are required to >>> enter a login and I get their roles and everything. >>> >>> The idea is to let users create services and roles, and assign them to >>> users, this all works >>> >>> The issue I'm having is authorization, since I have no knowledge beforehand >>> of what services or roles would be created I can't use Security >>> Constraints on web.xml or annotations. 
>>> >>> Since I have the roles I could write a function that does authorizations, >>> but would love for keycloak to do it for me, I'm already passing realms to >>> keycloak as the multi-tenant example, is there any way I could assign urls >>> to roles I create so keycloak checks whether or not I can access that url? >>> >>> >>> thanks in advance >>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151123/1dde9de4/attachment.html From haavard.wigtil at kantega.no Mon Nov 23 15:26:52 2015 From: haavard.wigtil at kantega.no (Håvard Wigtil) Date: Mon, 23 Nov 2015 21:26:52 +0100 Subject: [keycloak-user] Are relative redirect URIs supported? In-Reply-To: <565366C0.2060006@redhat.com> References: <56536255.20809@kantega.no> <565366C0.2060006@redhat.com> Message-ID: <5653768C.2030305@kantega.no> I'm not sure that I'm asking the right question yet, so I'll try again. We have Keycloak installed on keycloak.my.lan. We're running development on several developer PCs, which we access by their public IP because we test on several devices against our local development environment. So my application is hosted on 192.168.1.2 at the moment, my colleague is running her version of the same application at 192.168.1.4, and our IPs may change the next day. If I configure the client "myclient" in the "Clients" section in Keycloak admin console with a "Valid redirect URI" of "http://192.168.1.2:3000/app/login" then login works. If I change this to only "/app/login" then I am presented with the error "We're sorry... 
Invalid parameter: redirect_uri" from Keycloak before I get a chance to enter my credentials. The URL from my application in both cases is the URL below, so the redirect URI as sent from the application is always absolute: https://keycloak.my.lan/auth/realms/myrealm/protocol/openid-connect/auth?client_id=myclient&redirect_uri=http%3A%2F%2F192.168.1.2:3000%2Fapp%2Flogin&state=3525097d-e0f8-4013-890f-08fba8439412&response_type=code I left out the last relevant part of the help message (for brevity) in my first mail. In addition to "Relative path can be specified too, i.e. /my/relative/path/*" it also says "Relative paths will generate a redirect URI using the request's host and port". My reading of those two sentences together lead me to believe that I could leave out the So my real question is: Is it possible to set a single "Valid redirect URI" in Keycloak console for my app that will work when the app is served from either http://192.168.1.2/app or http://192.168.1.4/app and possibly many similar URIs? Or do I have to specify every possible URI that my app could be served from under "Valid redirect URIs"? H?vard Den 23. nov. 2015 20:19, skrev Bill Burke: > A relative URI *will not* be accepted if it is passed as a query > parameter when a client is requesting a code. An absolute URI *MUST BE* > sent via the redirect_uri query parameter. For admin console config, if > you put in relative path in your valid redirect URIs, it uses the > host/port of the auth server. A bunch of the demos work that way. So, > if you host the auth server on mydomain.com, > https://localhost/my/relative/path will match and > https://mydomain.com/my/relative/path will work too. Make sense? > > > > On 11/23/2015 2:00 PM, H?vard Wigtil wrote: >> I'm trying to get a relative (i.e. path only with no host) redirect URI >> for a Keycloak client to work. My client works with full host and path, >> but if I remove the host part I get an illegal parameter error. 
>> >> The inline help bubble has the following sentence: "Relative path can be >> specified too, i.e. /my/relative/path/*." >> So as far as I can tell, it should work according to the help message. >> As I was trying to find out more about this I came across Jira issue >> KEYCLOAK-8[1], where a comment pointed to section 3.2.1[2] of the OAuth >> 2.0 spec. If I'm reading the spec correctly the redirect *must* be >> absolute to be conformant with the spec. >> >> Is the inline help wrong, or is it something here that I don't get? >> >> Håvard >> >> >> [1] https://issues.jboss.org/browse/KEYCLOAK-8 >> [2] https://tools.ietf.org/html/rfc6749#section-3.1.2 >> >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> -- Håvard Wigtil architect and developer, Kantega AS tel. +47 9384 6468 From mposolda at redhat.com Mon Nov 23 15:31:26 2015 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 23 Nov 2015 21:31:26 +0100 Subject: [keycloak-user] Keycloak 1.6.1 possible bug. Deleting User In-Reply-To: <1721610277.10340261.1447807151229.JavaMail.yahoo@mail.yahoo.com> References: <1721610277.10340261.1447807151229.JavaMail.yahoo.ref@mail.yahoo.com> <1721610277.10340261.1447807151229.JavaMail.yahoo@mail.yahoo.com> Message-ID: <5653779E.4030908@redhat.com> Hi, sorry for late response. This might be some DB/transaction locking bug. Which DB type, version and JDBC driver are you using? Currently method deleteInvalidUser runs in separate transaction, which is maybe an issue... Marek On 18/11/15 01:39, alex orl wrote: > Hi to all. > Working on my custom user federation provider I'm facing up to a > possible bug. > I used the last 1.6.1 final keycloak version. > In my legacy user database I have 3 users: > user1 > user2 > user3 > > I try to log into my secured application with all three users' > credentials and all goes fine. 
> This way all three users are present inside the keycloak properties > file so, if I open keycloak admin console and list all users by > clicking on the "view all users" button, inside the user section, > keycloak lists to me > user1 > user2 > user3 > > Now I delete user3 from my legacy database, then I come back to the > keycloak admin console in order to list users again. > After clicking the "view all users" button... nothing is listed and > the page gets stuck in loading mode. > > Debugging my code, after "view all users" click... my user federation > provider executes the isValid() method for all the 3 users. > The isValid method returns true for user1 > true for user2 > false for the deleted user3 > The last false value is returned to the > UserModel validateAndProxy(RealmModel realm, UserModel local) > method which will return a NULL UserModel object. > > ValidateAndProxy method passes the ball to > org.keycloak.models.UserFederationManager with its method: > > protected UserModel validateAndProxyUser(RealmModel realm, UserModel > user) { > UserModel managed = managedUsers.get(user.getId()); > if (managed != null) { > return managed; > } > UserFederationProvider link = getFederationLink(realm, user); > if (link != null) { > UserModel validatedProxyUser = link.validateAndProxy(realm, user); > if (validatedProxyUser != null) { > managedUsers.put(user.getId(), validatedProxyUser); > return validatedProxyUser; > } else { > deleteInvalidUser(realm, user); > return null; > } > } > > The UserModel NULL value triggers the deleteInvalidUser(...) method. > (row 135 of org.keycloak.models.UserFederationManager class). At this > point nothing happens and keycloak console stays in loading state. > > Am I wrong about anything? or is it a bug? 
> thanks > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151123/4c06f425/attachment-0001.html From sthorger at redhat.com Tue Nov 24 03:12:09 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 24 Nov 2015 09:12:09 +0100 Subject: [keycloak-user] Are relative redirect URIs supported? In-Reply-To: <5653768C.2030305@kantega.no> References: <56536255.20809@kantega.no> <565366C0.2060006@redhat.com> <5653768C.2030305@kantega.no> Message-ID: You can use '*' to make it valid for all redirect URIs. Make sure you don't do that in production though. Especially if you are using public clients (html5 apps, etc..), in those cases the redirect uri is the main safe guard that prevents malicious applications logging in. On 23 November 2015 at 21:26, Håvard Wigtil wrote: > I'm not sure that I'm asking the right question yet, so I'll try again. > > We have Keycloak installed on keycloak.my.lan. We're running development > on several developer PCs, which we access by their public IP because we > test on several devices against our local development environment. So my > application is hosted on 192.168.1.2 at the moment, my colleague is > running her version of the same application at 192.168.1.4, and our IPs > may change the next day. > > If I configure the client "myclient" in the "Clients" section in > Keycloak admin console with a "Valid redirect URI" of > "http://192.168.1.2:3000/app/login" then login works. If I change this > to only "/app/login" then I am presented with the error "We're sorry... > Invalid parameter: redirect_uri" from Keycloak before I get a chance to > enter my credentials. 
> > The URL from my application in both cases is the URL below, so the > redirect URI as sent from the application is always absolute: > > https://keycloak.my.lan/auth/realms/myrealm/protocol/openid-connect/auth?client_id=myclient&redirect_uri=http%3A%2F%2F192.168.1.2:3000%2Fapp%2Flogin&state=3525097d-e0f8-4013-890f-08fba8439412&response_type=code > > I left out the last relevant part of the help message (for brevity) in > my first mail. In addition to "Relative path can be specified too, i.e. > /my/relative/path/*" it also says "Relative paths will generate a > redirect URI using the request's host and port". My reading of those two > sentences together led me to believe that I could leave out the > > So my real question is: Is it possible to set a single "Valid redirect > URI" in Keycloak console for my app that will work when the app is > served from either http://192.168.1.2/app or http://192.168.1.4/app and > possibly many similar URIs? Or do I have to specify every possible URI > that my app could be served from under "Valid redirect URIs"? > > Håvard > > On 23 Nov 2015 20:19, Bill Burke wrote: > > A relative URI *will not* be accepted if it is passed as a query > > parameter when a client is requesting a code. An absolute URI *MUST BE* > > sent via the redirect_uri query parameter. For admin console config, if > > you put in relative path in your valid redirect URIs, it uses the > > host/port of the auth server. A bunch of the demos work that way. So, > > if you host the auth server on mydomain.com, > > https://localhost/my/relative/path will match and > > https://mydomain.com/my/relative/path will work too. Make sense? > > > > > > > > On 11/23/2015 2:00 PM, Håvard Wigtil wrote: > >> I'm trying to get a relative (i.e. path only with no host) redirect URI > >> for a Keycloak client to work. My client works with full host and path, > >> but if I remove the host part I get an illegal parameter error. 
> >> > >> The inline help bubble has the following sentence: "Relative path can be > >> specified too, i.e. /my/relative/path/*." > >> So as far as I can tell, it should work according to the help message. > >> As I was trying to find out more about this I came across Jira issue > >> KEYCLOAK-8[1], where a comment pointed to section 3.2.1[2] of the OAuth > >> 2.0 spec. If I'm reading the spec correctly the redirect *must* be > >> absolute to be conformant with the spec. > >> > >> Is the inline help wrong, or is it something here that I don't get? > >> > >> Håvard > >> > >> > >> [1] https://issues.jboss.org/browse/KEYCLOAK-8 > >> [2] https://tools.ietf.org/html/rfc6749#section-3.1.2 > >> > >> > >> > >> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > -- > Håvard Wigtil > architect and developer, Kantega AS > tel. +47 9384 6468 > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151124/d77def03/attachment.html From sascha.brose at adesso.ch Tue Nov 24 04:59:16 2015 From: sascha.brose at adesso.ch (Brose, Sascha) Date: Tue, 24 Nov 2015 09:59:16 +0000 Subject: [keycloak-user] Planned support of Node.js, RAILS, GRAILS, and other non-Java applications In-Reply-To: References: <26b9e8574ecf42f987af557f9505935f@EX2013-DB01.adesso.local> Message-ID: Hi Stian, thank you very much for your reply. Ok :). Is there any further more detailed documentation about exchanged messages, e.g. also for logout scenario? I only saw some high level explanations in chapter 2 of the Keycloak documentation. 
Best regards, Sascha From: Stian Thorgersen [mailto:sthorger at redhat.com] Sent: Monday, 23 November 2015 10:55 To: Brose, Sascha Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Planned support of Node.js, RAILS, GRAILS, and other non-Java applications We have Node.js available already https://github.com/keycloak/keycloak-nodejs For other languages we don't currently have the resources required to implement it ourselves, but would love contributions :) On 23 November 2015 at 09:51, Brose, Sascha > wrote: Hello, I read in Keycloak documentation that there are plans to support Node.js, RAILS, GRAILS, and other non-Java applications. Is this support already in development or when is it planned for? Will there also be support for scripting languages, e.g. PHP? Best regards, Sascha _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151124/7c7adda3/attachment.html From thomas.raehalme at aitiofinland.com Tue Nov 24 05:27:04 2015 From: thomas.raehalme at aitiofinland.com (Thomas Raehalme) Date: Tue, 24 Nov 2015 12:27:04 +0200 Subject: [keycloak-user] Planned support of Node.js, RAILS, GRAILS, and other non-Java applications In-Reply-To: <26b9e8574ecf42f987af557f9505935f@EX2013-DB01.adesso.local> References: <26b9e8574ecf42f987af557f9505935f@EX2013-DB01.adesso.local> Message-ID: Hi! On Mon, Nov 23, 2015 at 10:51 AM, Brose, Sascha wrote: > Is this support already in development or when is it planned for? Will > there also be support for scripting languages, e.g. PHP? > Earlier this year I did a PoC for using Keycloak from a PHP application, and contributed some code[1] to add a provider for PHP League's OAuth 2.0 Client[2]. 
[1] https://github.com/stevenmaguire/oauth2-keycloak [2] https://github.com/thephpleague/oauth2-client Please have a look if it suits your needs although it will probably need some additional work depending on which features you want to use. Best regards, Thomas -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151124/82018364/attachment-0001.html From atx at binaryninja.de Tue Nov 24 05:38:34 2015 From: atx at binaryninja.de (Ataraxus) Date: Tue, 24 Nov 2015 11:38:34 +0100 Subject: [keycloak-user] Adapter installation In-Reply-To: References: <1483902582.10992870.1447852197228.JavaMail.yahoo.ref@mail.yahoo.com> <1483902582.10992870.1447852197228.JavaMail.yahoo@mail.yahoo.com> <564C84F7.1030407@binaryninja.de> <564C8D48.4090209@binaryninja.de> Message-ID: <56543E2A.5020500@binaryninja.de> Hey guys, facing again some issues with deploying the adapters. In my setup Keycloak runs on a separate machine and JBoss on which the actual app is running on a machine which is provisioned. Since I have only webinterface access to my JBoss app server, is there a way to install the Adapter as EAR, WAR or something which I can do through the webinterface? On 18.11.15 at 15:55, Marko Strukelj wrote: > You can give EAP 7 Alpha a try :) > > http://www.jboss.org/products/eap/download/ > > > On Wed, Nov 18, 2015 at 3:38 PM, Ataraxus > wrote: > > Sorry wasn't clear about that. > But I was looking for a solution with JBoss EAP 6.4 > > On 18.11.15 at 15:28, Marko Strukelj wrote: >> If you put: >> >> embed-server >> >> as first command in your cli script, that will start embedded >> server in administration mode, so you won't need an already >> started server. >> >> That only works since Wildfly 9. >> >> On Wed, Nov 18, 2015 at 3:02 PM, Ataraxus > > wrote: >> >> I'm setting up a docker container with keycloak. 
now I want >> to install the adapters, >> the usual way of installing is via >> ${JBOSS_HOME}/bin/jboss-cli.sh -c >> --file=${JBOSS_HOME}/bin/adapter-install.cli >> but therefore jboss needs to be running already, which is not >> good/possible on this step. >> is there an offline way of installing the adapters? >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151124/a5c81fc4/attachment.html From samuel.otter at gmail.com Tue Nov 24 07:50:55 2015 From: samuel.otter at gmail.com (Samuel Otter) Date: Tue, 24 Nov 2015 12:50:55 +0000 Subject: [keycloak-user] Problems with expired user action emails In-Reply-To: References: Message-ID: Thanks, Issue created: https://issues.jboss.org/browse/KEYCLOAK-2125 On Mon, 23 Nov 2015 at 11:02, Stian Thorgersen wrote: > Okay, basically same thing ;) > > Please create a JIRA issue > > On 23 November 2015 at 10:59, Samuel Otter wrote: > >> Hi, >> >> No we use the execute-actions-email REST endpoint. >> >> On Mon, 23 Nov 2015 at 10:17, Stian Thorgersen wrote: >> >>> How are you creating the user action emails? Is it through the admin >>> console? >>> >>> On 19 November 2015 at 11:38, Samuel Otter >>> wrote: >>> >>>> Hi, >>>> >>>> We have discovered a somewhat strange behavior with the User Action >>>> timeouts. We need to have a fairly long User Action timeout but the links >>>> provided in the emails to the users expire well before that time. After >>>> some digging around in the source code I think this is because both a user >>>> and a client session is created for the user action, but when the user >>>> session expires and is removed the client session is also removed with it. 
>>>> If we set the User Session SSO timeout to the same value it does indeed seem to work as expected.
>>>>
>>>> This seems unintentional and I can't really see why the user session is created at all in this case as it is not really used as far as I can tell (the client session id is used in the email link)? OTOH I am not sure why the client session is removed when the user session expires? Or have we completely misunderstood how this is supposed to work?
>>>>
>>>> Anyway, as it is you can't really have a User Action timeout that is longer than the SSO Session timeout.
>>>>
>>>> Thanks,
>>>> Samuel Otter

From Martin.Hipfinger at oebb.at Tue Nov 24 08:15:09 2015
From: Martin.Hipfinger at oebb.at (Hipfinger Martin (BCC.EXTERN))
Date: Tue, 24 Nov 2015 13:15:09 +0000
Subject: [keycloak-user] Error upgrading database, 1.2.0.Final to 1.6.1.Final
References: <564A0EA6.1090208@intelbras.com.br> <564A2BF8.8040301@intelbras.com.br>
Message-ID: <1CBE59D9C302B841A9562E1A3A6F5B7338F409C6@ARSEX004.oebb.at>

Hi,

with 1.2 username and e-mail wasn't converted to lowercase & newer versions introduce a constraint on those two fields to enforce uniqueness - did you check for duplicate values upfront?

br,
martin

From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of Travis Masselink
Sent: Saturday, 21 November 2015 00:27
To: Lohitha Chiranjeewa
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Error upgrading database, 1.2.0.Final to 1.6.1.Final

That didn't work for me.
I tried 1.2 -> 1.5, 1.2 -> 1.4 and then 1.2 -> 1.3.1 (success) -> 1.4. But all failed. I then cloned the project and built 1.7 and tried 1.2 -> 1.7. This also failed. In all cases it looks like 1.4 is the problem as this is the exception I get with all versions but 1.3.1:

6:10:43,401 ERROR [org.keycloak.services.resources.KeycloakApplication] (ServerService Thread Pool -- 62) Failed to migrate datamodel: java.lang.NullPointerException
        at org.keycloak.models.ImpersonationConstants.setupMasterRealmRole(ImpersonationConstants.java:26)
        at org.keycloak.models.ImpersonationConstants.setupImpersonationService(ImpersonationConstants.java:47)
        at org.keycloak.migration.migrators.MigrateTo1_4_0.migrate(MigrateTo1_4_0.java:30)

On Tue, Nov 17, 2015 at 12:39 AM, Lohitha Chiranjeewa wrote:

Had the exact problem a few moments ago, thanks for clarifying.

Regards,
Lohitha.

On Tue, Nov 17, 2015 at 12:48 AM, Felipe Braun Azambuja wrote:

Great! Thanks for the quick reply. Upgraded now :)

On 16/11/2015 16:13, Stian Thorgersen wrote:
> Hi,
>
> There's an issue with upgrading to 1.6 from 1.2.
> It will be fixed in 1.7, but you can bypass the issue by first upgrading to 1.5 then to 1.6
>
> On 16 November 2015 at 18:13, Felipe Braun Azambuja wrote:
>> Hey all,
>>
>> I'm trying to upgrade Keycloak in our test instance, but I'm getting a really generic error while trying to start the service:
>>
>> 15:09:35,559 INFO  [org.hibernate.hql.internal.ast.ASTQueryTranslatorFactory] (ServerService Thread Pool -- 60) HHH000397: Using ASTQueryTranslatorFactory
>> 15:09:35,594 INFO  [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 60) HV000001: Hibernate Validator 5.1.3.Final
>> 15:09:38,643 ERROR [org.keycloak.services.resources.KeycloakApplication] (ServerService Thread Pool -- 60) Failed to migrate datamodel: java.lang.NullPointerException
>>         at org.keycloak.migration.migrators.MigrateTo1_6_0.migrate(MigrateTo1_6_0.java:81)
>>         at org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:55)
>>         at org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:101)
>>         at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:86)
>>         at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>         (...)
>>
>> Is there any way to increase logging level on the migration part, so that I can try and understand where's the problem with our database?
>>
>> Thanks!
>> --
>> Felipe Braun Azambuja
>> DBA
>> Tecnologia da Informação e Comunicação
>> (48) 3281 9577
>> felipe.braun at intelbras.com.br
>>
>> The information contained in this e-mail and its attachments are protected by law, subjected to privilege and/or confidentiality and cannot be retransmitted, filed, disclosed or copied without authorization from the sender. The sender uses the electronic mail in the exercise of his/her work or by virtue thereof, and the institution accepts no liability from its undue use. If you have received this message by mistake, please notify us immediately by returning the e-mail and deleting this message from your system.

--
Felipe Braun Azambuja
DBA
Tecnologia da Informação e Comunicação
(48) 3281 9577
felipe.braun at intelbras.com.br

From bburke at redhat.com Tue Nov 24 08:45:21 2015
From: bburke at redhat.com (Bill Burke)
Date: Tue, 24 Nov 2015 08:45:21 -0500
Subject: [keycloak-user] Adapter installation
In-Reply-To: <56543E2A.5020500@binaryninja.de>
References: <1483902582.10992870.1447852197228.JavaMail.yahoo.ref@mail.yahoo.com> <1483902582.10992870.1447852197228.JavaMail.yahoo@mail.yahoo.com> <564C84F7.1030407@binaryninja.de> <564C8D48.4090209@binaryninja.de> <56543E2A.5020500@binaryninja.de>
Message-ID: <565469F1.9000906@redhat.com>

Please read our docs on adapter installation. If you still have questions after that then we'll help.

On 11/24/2015 5:38 AM, Ataraxus wrote:
> [...]

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From Frank.vanVeen at planonsoftware.com Tue Nov 24 09:04:23 2015
From: Frank.vanVeen at planonsoftware.com (Frank van Veen)
Date: Tue, 24 Nov 2015 15:04:23 +0100
Subject: [keycloak-user] Configuration options SPI implementation
Message-ID: <16DCFFB91025EF4DB80D3ECCA6E097E4924FF79C4B@NL-MAIL02.planon-fm.com>

Hi,

Currently I am setting up a user federation. Right now it is possible to add text fields to the user federation configuration page. Is it also possible to add buttons and other elements?

Sincerely,
Frank van Veen
From josephsuero at gmail.com Tue Nov 24 10:33:17 2015
From: josephsuero at gmail.com (Jose Suero)
Date: Tue, 24 Nov 2015 11:33:17 -0400
Subject: [keycloak-user] Verify token thru javascript api

How can I periodically check if the token is still active? If I manually logout users on the admin, what can I call from the browser to know that the token is still active?

From tmasselink at selcouth.org Tue Nov 24 11:26:14 2015
From: tmasselink at selcouth.org (Travis Masselink)
Date: Tue, 24 Nov 2015 09:26:14 -0700
Subject: [keycloak-user] Error upgrading database, 1.2.0.Final to 1.6.1.Final
In-Reply-To: <1CBE59D9C302B841A9562E1A3A6F5B7338F409C6@ARSEX004.oebb.at>
References: <564A0EA6.1090208@intelbras.com.br> <564A2BF8.8040301@intelbras.com.br> <1CBE59D9C302B841A9562E1A3A6F5B7338F409C6@ARSEX004.oebb.at>

I had been playing with the admin api as I was trying to script realm/client creation. So I deleted the one realm that was there that I had created that way. I also deleted one user that had a duplicate email address. Now I just upgraded from 1.2 -> 1.5 -> 1.6.1.

I was going to connect a debugger, set some break points and figure out exactly where it was failing today but as I don't have a lot of time on my hands I'm grateful for the help. Thanks!

On Tue, Nov 24, 2015 at 6:15 AM, Hipfinger Martin (BCC.EXTERN) <Martin.Hipfinger at oebb.at> wrote:
> [...]

From pblair at clearme.com Tue Nov 24 11:37:55 2015
From: pblair at clearme.com (Paul Blair)
Date: Tue, 24 Nov 2015 16:37:55 +0000
Subject: [keycloak-user] Wildfly 9?

I've been reading that the Wildfly management console can be secured using Keycloak as of Wildfly 9. Would it be hazardous to do that with the console for the Keycloak server itself? Is there a straightforward way to deploy Keycloak onto Wildfly 9?

From sthorger at redhat.com Tue Nov 24 13:26:18 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 24 Nov 2015 19:26:18 +0100
Subject: [keycloak-user] Wildfly 9?
On 24 November 2015 at 17:37, Paul Blair wrote:
> [...]

Where did you read it? AFAIK it's not ready yet, certainly not in WildFly 9.

Not sure what you mean about console for Keycloak server. The Keycloak server's admin console has always been secured with Keycloak.

You can add Keycloak server overlay to an existing WildFly 9. Read the docs for instructions. We will move to WildFly 10 once Final is released and we won't support adding the overlay to WildFly 9 anymore.

From pblair at clearme.com Tue Nov 24 13:52:20 2015
From: pblair at clearme.com (Paul Blair)
Date: Tue, 24 Nov 2015 18:52:20 +0000
Subject: [keycloak-user] Wildfly 9?

I'm referring to the Wildfly management console. This was in preview in July of 2014:

https://developer.jboss.org/wiki/PreviewKeycloak-securedManagementInWildFly9

On Tue, 24 Nov 2015 19:26:18 +0100, Stian Thorgersen wrote:
> [...]

From sthorger at redhat.com Tue Nov 24 14:14:13 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 24 Nov 2015 20:14:13 +0100
Subject: [keycloak-user] Wildfly 9?

I'm pretty sure the changes have not been merged into WildFly yet. Stan can comment when he gets back what the status is.

On 24 November 2015 at 19:52, Paul Blair wrote:
> [...]

From sthorger at redhat.com Tue Nov 24 14:18:38 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 24 Nov 2015 20:18:38 +0100
Subject: [keycloak-user] Error upgrading database, 1.2.0.Final to 1.6.1.Final
References: <564A0EA6.1090208@intelbras.com.br> <564A2BF8.8040301@intelbras.com.br> <1CBE59D9C302B841A9562E1A3A6F5B7338F409C6@ARSEX004.oebb.at>

If you can create a realm export or provide us with steps to reproduce the issue then we could look into it. Otherwise it's pretty difficult for us to reproduce.

On 24 November 2015 at 17:26, Travis Masselink wrote:
> [...]

From sthorger at redhat.com Tue Nov 24 14:21:16 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 24 Nov 2015 20:21:16 +0100
Subject: [keycloak-user] Planned support of Node.js, RAILS, GRAILS, and other non-Java applications
References: <26b9e8574ecf42f987af557f9505935f@EX2013-DB01.adesso.local>

It's pretty much stock OpenID Connect, but with our own backchannel logout (OpenID Connect spec wasn't ready in time). We also have an adapter configuration file and it would be nice if any additional adapters can be configured using that.

On 24 November 2015 at 10:59, Brose, Sascha wrote:
> Hi Stian,
>
> thank you very much for your reply. Ok :).
>
> Is there any further more detailed documentation about exchanged messages,
> e.g. also for logout scenario? I only saw some high level explanations in
> chapter 2 of the Keycloak documentation.
>
> Best regards,
> Sascha
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* Monday, 23 November 2015 10:55
> *To:* Brose, Sascha
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Planned support of Node.js, RAILS, GRAILS, and other non-Java applications
>
> We have Node.js available already
> https://github.com/keycloak/keycloak-nodejs
>
> For other languages we don't currently have the resources required to
> implement it ourselves, but would love contributions :)
>
> On 23 November 2015 at 09:51, Brose, Sascha wrote:
>
> Hello,
>
> I read in Keycloak documentation that there are plans to support Node.js,
> RAILS, GRAILS, and other non-Java applications.
>
> Is this support already in development or when is it planned for? Will
> there also be support for scripting languages, e.g. PHP?
>
> Best regards,
> Sascha

From sthorger at redhat.com Tue Nov 24 15:38:48 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 24 Nov 2015 21:38:48 +0100
Subject: [keycloak-user] Verify token thru javascript api
In-Reply-To:
References:
Message-ID:

The access token should have a short lifespan (min) and keycloak.js will quickly refresh the token once a request is made. This is only an issue if admin logs out, as if the user itself logs out it is detected by keycloak.js even if the user logs out from a different app.
There's also a verify token endpoint that can be invoked to check if a token is valid without refreshing it. This will incur extra requests to the server though, so be careful with this one if you have a lot of users. There isn't support in keycloak.js for it, but it would be relatively easy to add and I'd happily accept a PR for it. The endpoint is '/auth/realms//protocols/openid-connect/validate?access_token=' and it will return the json of the token or 400 with an error description if not valid.

On 24 November 2015 at 16:33, Jose Suero wrote:
> How can I periodically check if the token is still active? if I manually
> logout users on the admin, what can I call from the browser to know that
> token is still active

From carlosthe19916 at gmail.com Tue Nov 24 18:00:15 2015
From: carlosthe19916 at gmail.com (Carlos Feria)
Date: Tue, 24 Nov 2015 18:00:15 -0500
Subject: [keycloak-user] Keycloak offline token
Message-ID:

Hello. I migrated my keycloak to keycloak-1.6.1.Final and I have a problem with the session persistence.

I have a pure javascript application, this uses javascript adapter. When I had other version of keycloak, the session is closed when I do logout or close the browser, but now in keycloak-1.6.1.Final the session is not destroyed when I close the browser, I see that session is on cookie.

I delete the offline role of my users and roles but the session doesn't close. How can I delete the session when I close the browser? Please help me.
this is my angular interceptor and bootstrap method:

keycloak.init({onLoad: 'login-required'}).success(function () {
    window.auth.authz = keycloak;
    angular.module('mean').factory('Auth', function () {
        return window.auth;
    });
    // Then init the app
    angular.bootstrap(document, [ApplicationConfiguration.applicationModuleName]);
}).error(function () {
    window.location.reload();
});

angular.module('mean').factory('authInterceptor', function ($q, Auth) {
    return {
        request: function (config) {
            // Static templates are fetched without a token; everything else gets one
            if (!config.url.match(/\.html$/)) {
                var deferred = $q.defer();
                if (Auth.authz.token) {
                    // Refresh the token if it expires within 5 seconds, then attach it
                    Auth.authz.updateToken(5).success(function () {
                        config.headers = config.headers || {};
                        config.headers.Authorization = 'Bearer ' + Auth.authz.token;
                        deferred.resolve(config);
                    }).error(function () {
                        location.reload();
                    });
                } else {
                    // Without a token the promise would otherwise never settle and the request would hang
                    deferred.reject('no token available');
                }
                return deferred.promise;
            } else {
                return config;
            }
        }
    };
});

--
Carlos E. Feria Vila

From sascha.brose at adesso.ch Wed Nov 25 02:34:27 2015
From: sascha.brose at adesso.ch (Brose, Sascha)
Date: Wed, 25 Nov 2015 07:34:27 +0000
Subject: [keycloak-user] Planned support of Node.js, RAILS, GRAILS, and other non-Java applications
In-Reply-To:
References: <26b9e8574ecf42f987af557f9505935f@EX2013-DB01.adesso.local>
Message-ID:

Hi Thomas,

thank you very much for your message. That sounds great. We will definitely have a look on it!

Best regards,
Sascha

From: Thomas Raehalme [mailto:thomas.raehalme at aitiofinland.com]
Sent: Tuesday, 24 November 2015 11:27
To: Brose, Sascha
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Planned support of Node.js, RAILS, GRAILS, and other non-Java applications

Hi!

On Mon, Nov 23, 2015 at 10:51 AM, Brose, Sascha wrote:
Is this support already in development or when is it planned for? Will there also be support for scripting languages, e.g. PHP?
Earlier this year I did a PoC for using Keycloak from a PHP application, and contributed some code[1] to add a provider for PHP League's OAuth 2.0 Client[2].

[1] https://github.com/stevenmaguire/oauth2-keycloak
[2] https://github.com/thephpleague/oauth2-client

Please have a look if it suits your needs although it will probably need some additional work depending on which features you want to use.

Best regards,
Thomas

From sascha.brose at adesso.ch Wed Nov 25 02:39:10 2015
From: sascha.brose at adesso.ch (Brose, Sascha)
Date: Wed, 25 Nov 2015 07:39:10 +0000
Subject: [keycloak-user] Planned support of Node.js, RAILS, GRAILS, and other non-Java applications
In-Reply-To:
References: <26b9e8574ecf42f987af557f9505935f@EX2013-DB01.adesso.local>
Message-ID: <665f5de505ca443d860cf88b2d3600d9@EX2013-DB02.adesso.local>

Ok, great! Thanks for your reply again.

Best regards,
Sascha

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Tuesday, 24 November 2015 20:21
To: Brose, Sascha
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Planned support of Node.js, RAILS, GRAILS, and other non-Java applications

It's pretty much stock OpenID Connect, but with our own backchannel logout (OpenID Connect spec wasn't ready in time). We also have an adapter configuration file and it would be nice if any additional adapters can be configured using that.

On 24 November 2015 at 10:59, Brose, Sascha wrote:
Hi Stian,

thank you very much for your reply. Ok :).

Is there any further more detailed documentation about exchanged messages, e.g. also for logout scenario? I only saw some high level explanations in chapter 2 of the Keycloak documentation.

Best regards,
Sascha

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Monday, 23 November 2015 10:55
To: Brose, Sascha
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Planned support of Node.js, RAILS, GRAILS, and other non-Java applications

We have Node.js available already https://github.com/keycloak/keycloak-nodejs

For other languages we don't currently have the resources required to implement it ourselves, but would love contributions :)

On 23 November 2015 at 09:51, Brose, Sascha wrote:
Hello,

I read in Keycloak documentation that there are plans to support Node.js, RAILS, GRAILS, and other non-Java applications.

Is this support already in development or when is it planned for? Will there also be support for scripting languages, e.g. PHP?

Best regards,
Sascha

From thomas at schweizer.fr Wed Nov 25 04:42:11 2015
From: thomas at schweizer.fr (Thomas Schweizer-Bolzonello)
Date: Wed, 25 Nov 2015 10:42:11 +0100
Subject: [keycloak-user] Implementation of Keycloak (SAML) with Google Apps
Message-ID:

Hello,

Does someone have documentation on how to implement Keycloak with Google Apps?

I tried to implement a SAML client in a Keycloak realm but I'm lost with settings when creating one.

Tried to use the official documentation and to search on the web but to no avail.

If someone could point me to what settings to use in the SAML client I created, it would be great.

I already took the key generated for the realm and uploaded it to Google Apps.
Best regards,
Thomas

From mposolda at redhat.com Wed Nov 25 05:33:11 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 25 Nov 2015 11:33:11 +0100
Subject: [keycloak-user] Keycloak offline token
In-Reply-To:
References:
Message-ID: <56558E67.6030600@redhat.com>

This doesn't seem to be related to offline tokens. Are your cookies KEYCLOAK_IDENTITY and KEYCLOAK_SESSION persistent or transient? Could you check if you don't have "remember me" enabled for your realm and login session?

Marek

On 25/11/15 00:00, Carlos Feria wrote:
> Hello. I migrated my keycloak to keycloak-1.6.1.Final and I have a
> problem with the session persistence.
>
> I have a pure javascript application, this uses javascript adapter.
> When I had other version of keycloak, the session is closed when I do
> logout or close the browser, but now in keycloak-1.6.1.Final the
> session is not destroyed when I close the browser, I see that session
> is on cookie.
>
> I delete the offline role of my users and roles but the session doesn't
> close. How can I delete the session when I close the browser? Please
> help me.
>
> this is my angular interceptor and bootstrap method:
>
> keycloak.init({onLoad: 'login-required'}).success(function () {
>     window.auth.authz = keycloak;
>     angular.module('mean').factory('Auth', function () {
>         return window.auth;
>     });
>     //Then init the app
>     angular.bootstrap(document, [ApplicationConfiguration.applicationModuleName]);
> }).error(function () {
>     window.location.reload();
> });
> angular.module('mean').factory('authInterceptor', function ($q, Auth) {
>     return {
>         request: function (config) {
>             if (!config.url.match(/.html$/)) {
>                 var deferred = $q.defer();
>                 if (Auth.authz.token) {
>                     Auth.authz.updateToken(5).success(function () {
>                         config.headers = config.headers || {};
>                         config.headers.Authorization = 'Bearer ' + Auth.authz.token;
>
>                         deferred.resolve(config);
>                     }).error(function () {
>                         location.reload();
>                     });
>                 }
>                 return deferred.promise;
>             } else {
>                 return config;
>             }
>         }
>     };
> });
>
> --
> Carlos E. Feria Vila

From mposolda at redhat.com Wed Nov 25 05:51:38 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 25 Nov 2015 11:51:38 +0100
Subject: [keycloak-user] Implementation of Keycloak (SAML) with Google Apps
In-Reply-To:
References:
Message-ID: <565592BA.20105@redhat.com>

Longer time ago, I did the integration of picketlink with Google Apps, which is documented here: https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+Apps+as+SP . Some steps might be outdated, but hopefully most of them are still applicable and can be (maybe with some tweaks) applied for Keycloak as well. Especially the part for configuring on Google side.
I did not try it in practice with Keycloak yet, but I think that you may want to:

- Use clientId like "google.com/a/yourdomain.com" for your client where yourdomain.com is your Google-Apps domain
- Select "Sign assertions" so google-apps will verify the signature on assertion with the realm key you uploaded

Other options might be kept default probably (not sure at 100% as I didn't try it myself yet)

Marek

On 25/11/15 10:42, Thomas Schweizer-Bolzonello wrote:
> Hello,
> Does someone have documentation on how to implement Keycloak with Google Apps?
> I tried to implement a SAML client in a Keycloak realm but I'm lost
> with settings when creating one.
>
> Tried to use the official documentation and to search on the web but
> to no avail.
>
> If someone could point me to what settings to use in the SAML client I
> created, it would be great.
> I already took the key generated for the realm and uploaded it to Google Apps.
>
> Best regards,
> Thomas

From mposolda at redhat.com Wed Nov 25 05:57:25 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 25 Nov 2015 11:57:25 +0100
Subject: [keycloak-user] Configuration options SPI implementation
In-Reply-To: <16DCFFB91025EF4DB80D3ECCA6E097E4924FF79C4B@NL-MAIL02.planon-fm.com>
References: <16DCFFB91025EF4DB80D3ECCA6E097E4924FF79C4B@NL-MAIL02.planon-fm.com>
Message-ID: <56559415.3040204@redhat.com>

On 24/11/15 15:04, Frank van Veen wrote:
>
> Hi,
>
> Currently I am setting up a user federation. Right now it is possible
> to add text fields to the user federation configuration page.
>
> Is it also possible to add buttons and other elements?
>
Yes, for text fields.
You don't even need to do any changes on UI side, you just need to properly implement your UserFederationProviderFactory.getConfigurationOptions() . See the federation example ( examples/providers/federation-provider ) for more details.

With buttons it's more tricky. We don't officially support this way. Here you will likely need to implement custom UI page and change some of our angular files (like configure the page in app.js and possibly add new controller etc). You can figure it out from the existing LDAP federation provider, which doesn't use the "generic" federation provider page.

Marek

>
> Sincerely,
>
> Frank van Veen

From favez.steve at gmail.com Wed Nov 25 07:46:49 2015
From: favez.steve at gmail.com (Steve Favez)
Date: Wed, 25 Nov 2015 13:46:49 +0100
Subject: [keycloak-user] OpenId Identity Broker exception - keycloak 1.6.1
Message-ID:

Hi all,

I'm trying to use keycloak as identity broker in front of openAm 12, using openId Connect 1.0.
After authenticating against openAM, (so, redirection is ok), I get the following error in keycloak when validating the token:

Caused by: org.codehaus.jackson.JsonParseException: Numeric value (1448455006000 ) out of range of int
......
at org.keycloak.jose.jws.JWSInput.readJsonContent(JWSInput.java:84)
at org.keycloak.broker.oidc.OIDCIdentityProvider.validateToken(OIDCIdentityProvider.java:290)

Here's the returned jwt:

eyAidHlwIjogIkpXVCIsICJhbGciOiAiUlMyNTYiLCAiY3R5IjogIkpXVCIsICJraWQiOiAiNGJkYmQ0NzYtNmE1ZS00ZTZkLTk3MzEtNGEyNmNjZmQ2NGE5IiB9.eyAidG9rZW5OYW1lIjogImlkX3Rva2VuIiwgImF6cCI6ICJpbXBsaWNpdGNsaWVudCIsICJzdWIiOiAiYW1hZG1pbiIsICJhdF9oYXNoIjogIkFqTDJGSHpQTXlKWGJoODBrY2UwQ1EiLCAiaXNzIjogImh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9vcGVuYW0iLCAiaWF0IjogMTQ0ODQ1NDQwNiwgImF1dGhfdGltZSI6IDE0NDg0NTQ0MDYsICJleHAiOiAxNDQ4NDU1MDA2MDAwLCAidG9rZW5UeXBlIjogIkpXVFRva2VuIiwgInJlYWxtIjogIi8iLCAiYXVkIjogWyAiaW1wbGljaXRjbGllbnQiIF0sICJjX2hhc2giOiAia0x1ajJfdEJMdVllZVRaWXpETFl4ZyIsICJvcHMiOiAiYTQ5ZWE5OTAtYTFiMS00MGViLWI5ZDMtYTI2YmNiMDE0OGEwIiB9.oiPF0jQP7YRfPeHWV3szNrQ1TYdDieAav0_j2dGXM0iOoMCg4Mk_2tSANQRLRct6Lr_erSFqxFE6Wo6Jvd8aaVWzX6CyS_jD4jYgXywZE5XvkUWuebw8jaODSJddlqelMnEN1bWA1U6i5uaxFDT-occhcM6J5Xpf3j7oGZ1s1i0

-> {
  tokenName: "id_token",
  azp: "implicitclient",
  sub: "amadmin",
  at_hash: "AjL2FHzPMyJXbh80kce0CQ",
  iss: "http://localhost:8080/openam",
  iat: 1448454406,
  auth_time: 1448454406,
  exp: 1448455006000,
  tokenType: "JWTToken",
  realm: "/",
  aud: [ "implicitclient" ],
  c_hash: "kLuj2_tBLuYeeTZYzDLYxg",
  ops: "a49ea990-a1b1-40eb-b9d3-a26bcb0148a0"
}.

So far, as we can see using a jwt decoder ( http://calebb.net/ ) the "out of range int" is the exp (expiration date).

As I can see in class "JsonWebToken", expiration is an int... Isn't it supposed to be a long? (same for iat and auth_time)

Thanks in advance for your help

Regards
Steve
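The "out of range of int" failure above can be reproduced and explained without a web decoder. What follows is an added example written for this archive; it is not code from the thread, from OpenAM or from Keycloak. It splits the compact JWS, base64url-decodes the header and payload, and reports time claims that cannot be RFC 7519 NumericDate values (seconds since the epoch): a 13-digit value is above the 32-bit int range that the message reports JsonWebToken uses, which is what a millisecond timestamp looks like. The sample input is the id_token posted above; the claim list, the threshold and all function names are this example's own choices. It decodes only and never verifies the signature.

```javascript
// Added example (not from the keycloak-user thread, OpenAM or Keycloak):
// decode a compact JWS and check that its time claims are NumericDate
// values in seconds, as RFC 7519 section 2 requires. No signature check here.

// The id_token posted in the message above, used unchanged as sample input.
const SAMPLE_ID_TOKEN =
  'eyAidHlwIjogIkpXVCIsICJhbGciOiAiUlMyNTYiLCAiY3R5IjogIkpXVCIsICJraWQiOiAiNGJkYmQ0NzYtNmE1ZS00ZTZkLTk3MzEtNGEyNmNjZmQ2NGE5IiB9' +
  '.eyAidG9rZW5OYW1lIjogImlkX3Rva2VuIiwgImF6cCI6ICJpbXBsaWNpdGNsaWVudCIsICJzdWIiOiAiYW1hZG1pbiIsICJhdF9oYXNoIjogIkFqTDJGSHpQTXlKWGJoODBrY2UwQ1EiLCAiaXNzIjogImh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9vcGVuYW0iLCAiaWF0IjogMTQ0ODQ1NDQwNiwgImF1dGhfdGltZSI6IDE0NDg0NTQ0MDYsICJleHAiOiAxNDQ4NDU1MDA2MDAwLCAidG9rZW5UeXBlIjogIkpXVFRva2VuIiwgInJlYWxtIjogIi8iLCAiYXVkIjogWyAiaW1wbGljaXRjbGllbnQiIF0sICJjX2hhc2giOiAia0x1ajJfdEJMdVllZVRaWXpETFl4ZyIsICJvcHMiOiAiYTQ5ZWE5OTAtYTFiMS00MGViLWI5ZDMtYTI2YmNiMDE0OGEwIiB9' +
  '.oiPF0jQP7YRfPeHWV3szNrQ1TYdDieAav0_j2dGXM0iOoMCg4Mk_2tSANQRLRct6Lr_erSFqxFE6Wo6Jvd8aaVWzX6CyS_jD4jYgXywZE5XvkUWuebw8jaODSJddlqelMnEN1bWA1U6i5uaxFDT-occhcM6J5Xpf3j7oGZ1s1i0';

// Decode one base64url segment (RFC 4648 section 5, no padding) into a UTF-8 string.
function base64UrlDecode(segment) {
  const base64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = base64 + '='.repeat((4 - (base64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Split a compact JWS into header, payload and signature. This is decoding,
// not verification: the signature is returned untouched and nothing here
// establishes that the token is authentic.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    payload: JSON.parse(base64UrlDecode(parts[1])),
    signature: parts[2],
  };
}

// Largest value a Java int holds; the message above reports that JsonWebToken
// stores exp as an int, so anything above this fails Jackson's int parse.
const MAX_JAVA_INT = 2147483647;

// Claims defined as NumericDate: exp, nbf, iat by RFC 7519, auth_time by
// OpenID Connect Core. All are seconds since the Unix epoch.
const NUMERIC_DATE_CLAIMS = ['exp', 'nbf', 'iat', 'auth_time'];

// Return one entry per time claim that is not a usable NumericDate. A value
// far beyond the int range is almost certainly milliseconds (13 digits).
function inspectNumericDateClaims(payload) {
  const problems = [];
  for (const claim of NUMERIC_DATE_CLAIMS) {
    if (!(claim in payload)) continue;
    const value = payload[claim];
    if (typeof value !== 'number' || !Number.isFinite(value)) {
      problems.push({ claim, value, reason: 'not a JSON number' });
    } else if (value > MAX_JAVA_INT) {
      problems.push({
        claim,
        value,
        reason: `exceeds 32-bit int; looks like milliseconds (${Math.floor(value / 1000)} s)`,
      });
    }
  }
  return problems;
}

// Decode and decide whether a consumer that follows RFC 7519 should accept
// the time claims. Non-conformant tokens are reported, not silently rescaled.
function checkToken(token) {
  const { payload } = decodeJwt(token);
  const problems = inspectNumericDateClaims(payload);
  return { accepted: problems.length === 0, problems, payload };
}

const result = checkToken(SAMPLE_ID_TOKEN);
console.log(`accepted: ${result.accepted}`);
for (const p of result.problems) console.log(`${p.claim}=${p.value}: ${p.reason}`);
```

Run with Node.js; for the token above it prints `accepted: false` and flags only `exp`, since `iat` and `auth_time` are already in seconds. Rejecting rather than dividing by 1000 is deliberate: a token whose issuer disagrees with the consumer about the unit of `exp` would otherwise be accepted with a lifetime roughly a thousand times longer than intended.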
From bburke at redhat.com Wed Nov 25 08:46:25 2015
From: bburke at redhat.com (Bill Burke)
Date: Wed, 25 Nov 2015 08:46:25 -0500
Subject: [keycloak-user] OpenId Identity Broker exception - keycloak 1.6.1
In-Reply-To:
References:
Message-ID: <5655BBB1.2020005@redhat.com>

exp is supposed to be seconds since epoch, not milliseconds. Looks like a bug in openAM. See section 2. NumericDate: https://tools.ietf.org/html/rfc7519

On 11/25/2015 7:46 AM, Steve Favez wrote:
> Hi all,
>
> I'm trying to use keycloak as identity broker in front of openAm 12,
> using openId Connect 1.0.
> After authenticating against openAM, (so, redirection is ok), I get the
> following error in keycloak when validating the token :
> Caused by: org.codehaus.jackson.JsonParseException: Numeric value
> (1448455006000
> ) out of range of int
> ......
> at org.keycloak.jose.jws.JWSInput.readJsonContent(JWSInput.java:84)
> at org.keycloak.broker.oidc.OIDCIdentityProvider.validateToken(OIDCIdentityProvider.java:290)
>
> Here's the returned jwt :
> eyAidHlwIjogIkpXVCIsICJhbGciOiAiUlMyNTYiLCAiY3R5IjogIkpXVCIsICJraWQiOiAiNGJkYmQ0NzYtNmE1ZS00ZTZkLTk3MzEtNGEyNmNjZmQ2NGE5IiB9.eyAidG9rZW5OYW1lIjogImlkX3Rva2VuIiwgImF6cCI6ICJpbXBsaWNpdGNsaWVudCIsICJzdWIiOiAiYW1hZG1pbiIsICJhdF9oYXNoIjogIkFqTDJGSHpQTXlKWGJoODBrY2UwQ1EiLCAiaXNzIjogImh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9vcGVuYW0iLCAiaWF0IjogMTQ0ODQ1NDQwNiwgImF1dGhfdGltZSI6IDE0NDg0NTQ0MDYsICJleHAiOiAxNDQ4NDU1MDA2MDAwLCAidG9rZW5UeXBlIjogIkpXVFRva2VuIiwgInJlYWxtIjogIi8iLCAiYXVkIjogWyAiaW1wbGljaXRjbGllbnQiIF0sICJjX2hhc2giOiAia0x1ajJfdEJMdVllZVRaWXpETFl4ZyIsICJvcHMiOiAiYTQ5ZWE5OTAtYTFiMS00MGViLWI5ZDMtYTI2YmNiMDE0OGEwIiB9.oiPF0jQP7YRfPeHWV3szNrQ1TYdDieAav0_j2dGXM0iOoMCg4Mk_2tSANQRLRct6Lr_erSFqxFE6Wo6Jvd8aaVWzX6CyS_jD4jYgXywZE5XvkUWuebw8jaODSJddlqelMnEN1bWA1U6i5uaxFDT-occhcM6J5Xpf3j7oGZ1s1i0
>
> -> {
> tokenName: "id_token",
> azp: "implicitclient",
> sub: "amadmin",
> at_hash: "AjL2FHzPMyJXbh80kce0CQ",
> iss: "http://localhost:8080/openam",
> iat: 1448454406,
> auth_time: 1448454406,
> exp: 1448455006000,
> tokenType: "JWTToken",
> realm: "/",
> aud: [
> "implicitclient"
> ],
> c_hash: "kLuj2_tBLuYeeTZYzDLYxg",
> ops: "a49ea990-a1b1-40eb-b9d3-a26bcb0148a0"
> }.
>
> So far, as we can see using a jwt decoder ( http://calebb.net/ ) the
> "out of range int" is the exp (expiration date)
>
> As I can see in class "JsonWebToken", expiration is an int... Isn't it
> supposed to be a long ?
>
> (same for iat and auth_time)
> Thanks in advance for your help
>
> Regards
> Steve

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From sebastian.olscher at traveltainment.de Wed Nov 25 09:01:11 2015
From: sebastian.olscher at traveltainment.de (Sebastian Olscher)
Date: Wed, 25 Nov 2015 14:01:11 +0000
Subject: [keycloak-user] Email is unique within one realm
Message-ID: <5C3DDBFAC4DBF04084678703EC0AC294252BAE1B@EX-TT-AC-02.traveltainment.int>

Hello,

the email address is unique within one realm. Is there a possibility to fulfill the requirement to have different users (different usernames) for different applications within one realm which are managed and used by the same person/entity?

For example:

Username: I_Am_An_Admin
Email: user at traveltainment.de
(gets roles for every client within the realm)

Username: I_Am_A_Normal_User
Email: user at traveltainment.de
(gets roles from only one client within the realm)

Is this unambiguity of the email address configurable?

Thanks,
Sebastian
From sthorger at redhat.com Wed Nov 25 09:03:54 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 25 Nov 2015 15:03:54 +0100
Subject: [keycloak-user] Email is unique within one realm
In-Reply-To: <5C3DDBFAC4DBF04084678703EC0AC294252BAE1B@EX-TT-AC-02.traveltainment.int>
References: <5C3DDBFAC4DBF04084678703EC0AC294252BAE1B@EX-TT-AC-02.traveltainment.int>
Message-ID:

That's not possible at the moment. Out of curiosity why would you have two different accounts for the same person?

On 25 November 2015 at 15:01, Sebastian Olscher <sebastian.olscher at traveltainment.de> wrote:
> Hello,
>
> the email address is unique within one realm. Is there a possibility to
> fulfill the requirement to have different users (different usernames) for
> different applications within one realm which are managed and used by the
> same person/entity?
>
> For example:
>
> Username: I_Am_An_Admin
> Email: user at traveltainment.de
> (gets roles for every client within the realm)
>
> Username: I_Am_A_Normal_User
> Email: user at traveltainment.de
> (gets roles from only one client within the realm)
>
> Is this unambiguity of the email address configurable?
>
> Thanks,
> Sebastian
From sebastian.olscher at traveltainment.de Wed Nov 25 09:57:32 2015
From: sebastian.olscher at traveltainment.de (Sebastian Olscher)
Date: Wed, 25 Nov 2015 14:57:32 +0000
Subject: [keycloak-user] Email is unique within one realm
In-Reply-To:
References: <5C3DDBFAC4DBF04084678703EC0AC294252BAE1B@EX-TT-AC-02.traveltainment.int>
Message-ID: <5C3DDBFAC4DBF04084678703EC0AC294252BAFA5@EX-TT-AC-02.traveltainment.int>

This receives importance if we are talking about users which will be used by a system and not a human person. These users may have the same responsible contact person as there is a system using this account and no real human. The contact person is identified by the email address. Our own specific information will be designed as user attributes.

For example:

Username: sys_customer1
Email address: sebastian.olscher at traveltainment.de (Email address of the contact person who is responsible for this user)
User attribute: Key=customer, Value=customer1

Username: sys_customer2
Email address: sebastian.olscher at traveltainment.de (Email address of the contact person who is responsible for this user)
User attribute: Key=customer, Value=customer2

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Wednesday, November 25, 2015 3:04 PM
To: Sebastian Olscher
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Email is unique within one realm

That's not possible at the moment. Out of curiosity why would you have two different accounts for the same person?

On 25 November 2015 at 15:01, Sebastian Olscher wrote:
Hello,

the email address is unique within one realm. Is there a possibility to fulfill the requirement to have different users (different usernames) for different applications within one realm which are managed and used by the same person/entity?

For example:

Username: I_Am_An_Admin
Email: user at traveltainment.de
(gets roles for every client within the realm)

Username: I_Am_A_Normal_User
Email: user at traveltainment.de
(gets roles from only one client within the realm)

Is this unambiguity of the email address configurable?

Thanks,
Sebastian

From josephsuero at gmail.com Wed Nov 25 10:46:06 2015
From: josephsuero at gmail.com (Jose Suero)
Date: Wed, 25 Nov 2015 11:46:06 -0400
Subject: [keycloak-user] Limit sessions per user
Message-ID:

Is there a way to limit user sessions? So if I logon and have a previous active session, for that session to be immediately expired? Maybe have a configuration for this per realm.

From jahenao at itroisolutions.com Wed Nov 25 11:37:08 2015
From: jahenao at itroisolutions.com (Jairo Alonso Henao Rojas)
Date: Wed, 25 Nov 2015 16:37:08 +0000
Subject: [keycloak-user] How to refresh the account data
Message-ID:

Hello,

When the user edits the data of their account and returns to an application, I read the KeycloakSecurityContext but it contains the old information, the new information is not loaded. :(

To get the new data, I have to logout/login.

Jairo Henao Rojas
IT ROI Solutions

From ssilvert at redhat.com Wed Nov 25 12:03:46 2015
From: ssilvert at redhat.com (Stan Silvert)
Date: Wed, 25 Nov 2015 12:03:46 -0500
Subject: [keycloak-user] Wildfly 9?
In-Reply-To:
References:
Message-ID: <5655E9F2.3050208@redhat.com>

On 11/24/2015 2:14 PM, Stian Thorgersen wrote:
> I'm pretty sure the changes have not been merged into WildFly yet.
>
> Stan can comment when he gets back what the status is.

The changes were never merged because of the impending Elytron work. Now, the changes are so out of date that it's basically impossible to put Humpty Dumpty back together again.

As of now, we are still waiting on Elytron to be mature enough to handle a Keycloak adapter. Hopefully, that will be soon but I don't know the status.

>
> On 24 November 2015 at 19:52, Paul Blair wrote:
>
> I'm referring to the Wildfly management console. This was in
> preview in July of 2014:
>
> https://developer.jboss.org/wiki/PreviewKeycloak-securedManagementInWildFly9
>
> From: Stian Thorgersen
> Reply-To:
> Date: Tue, 24 Nov 2015 19:26:18 +0100
> To: "pblair at clearme.com"
> Cc: "keycloak-user at lists.jboss.org"
> Subject: Re: [keycloak-user] Wildfly 9?
>
> On 24 November 2015 at 17:37, Paul Blair wrote:
>
> I've been reading that the Wildfly management console can be
> secured using Keycloak as of Wildfly 9. Would it be hazardous
> to do that with the console for the Keycloak server itself? Is
> there a straightforward way to deploy Keycloak onto Wildfly 9?
>
> Where did you read it? AFAIK it's not ready yet, certainly not in
> WildFly 9.
>
> Not sure what you mean about console for Keycloak server. The
> Keycloak servers admin console has always been secured with Keycloak.
>
> You can add Keycloak server overlay to an existing WildFly 9. Read
> the docs for instructions. We will move to WildFly 10 once Final
> is released and we won't support adding the overlay to WildFly 9
> anymore.
From Rens.Verhage at topicus.nl Wed Nov 25 12:58:20 2015
From: Rens.Verhage at topicus.nl (Rens Verhage)
Date: Wed, 25 Nov 2015 17:58:20 +0000
Subject: [keycloak-user] Unknown authentication mechanism KEYCLOAK
In-Reply-To: <0A0940F3-8A44-4420-97EE-5F648712E68A@topicus.nl>
References: <9A724D14-7F34-4AE4-BDCC-345C8BFA770B@topicus.nl> <5652D265.8020801@redhat.com> <0A0940F3-8A44-4420-97EE-5F648712E68A@topicus.nl>
Message-ID: <73CB5671-5ABD-4681-AC7C-4670890FB193@topicus.nl>

Unfortunately, installing the adapter didn't solve my problem.

After installing the adapter, I ran the adapter-install.cli script and checked that the following has been added to my standalone.xml configuration:

Under extensions:

auth

Also, the following security-domain has been added within the element:

Still, I get the same "UT010039: Unknown authentication mechanism KEYCLOAK" error. Could there be more configuration that I have missed?

By the way, my first attempt was based on the video tutorials by Bill Burke, they seem to be outdated.

/Rens

> On Nov 23, 2015, at 10:05, Rens Verhage wrote:
>
> Ah, I didn't install the adapter. I was under the impression that everything in the download with wildfly container would be pre-configured. Having read the adapter chapter, I understand why this assumption was wrong.
>
> Thanks!
>
>> On Nov 23, 2015, at 09:46, Marek Posolda wrote:
>>
>> You also need to enable adapter subsystem in standalone.xml :
>>
>>
>> Take a look at docs (especially adapter part) for more details.
>>
>> Marek
>>
>> On 22/11/15 18:53, Rens Verhage wrote:
>>> Hi all,
>>>
>>> I'm having some trouble securing a test application with Keycloak. I downloaded the keycloak-1.6.1.Final.zip. First thing I did was changing the datasource to PostgreSQL and in Keycloak configured my realm and generated a keycloak.json file.
>>>
>>> I copied keycloak.json to the WEB-INF folder of my war project and edited my web.xml, I added this:
>>>
>>> KEYCLOAK
>>> PDC
>>>
>>> admin
>>>
>>> user
>>>
>>> Upon boot however, Wildfly logs the following error:
>>>
>>> "WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./pdc-web" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./pdc-web: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
>>> Caused by: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
>>> Caused by: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK"}}
>>>
>>> The only hint to fix this error that I could find was to make sure that the Keycloak subsystem is enabled in standalone/configuration/standalone.xml, which is the case as I didn't change the default config:
>>>
>>> ...
>>> ...
>>> ...
>>>
>>> As my experience with Wildfly and knowledge of Keycloak is limited, what could be the problem here?
>>>
>>> Regards,
>>> Rens Verhage

From sthorger at redhat.com Wed Nov 25 13:05:32 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 25 Nov 2015 19:05:32 +0100
Subject: [keycloak-user] Wildfly 9?
In-Reply-To: <5655E9F2.3050208@redhat.com>
References: <5655E9F2.3050208@redhat.com>
Message-ID:

Elytron is delayed for WF11 isn't it?

On 25 November 2015 at 18:03, Stan Silvert wrote:
> On 11/24/2015 2:14 PM, Stian Thorgersen wrote:
> I'm pretty sure the changes have not been merged into WildFly yet.
>
> Stan can comment when he gets back what the status is.
>
> The changes were never merged because of the impending Elytron work. Now,
> the changes are so out of date that it's basically impossible to put Humpty
> Dumpty back together again.
>
> As of now, we are still waiting on Elytron to be mature enough to handle a
> Keycloak adapter. Hopefully, that will be soon but I don't know the status.
>
> On 24 November 2015 at 19:52, Paul Blair wrote:
>
>> I'm referring to the Wildfly management console. This was in preview in
>> July of 2014:
>>
>> https://developer.jboss.org/wiki/PreviewKeycloak-securedManagementInWildFly9
>>
>> From: Stian Thorgersen
>> Reply-To:
>> Date: Tue, 24 Nov 2015 19:26:18 +0100
>> To: "pblair at clearme.com"
>> Cc: "keycloak-user at lists.jboss.org"
>> Subject: Re: [keycloak-user] Wildfly 9?
>>
>> On 24 November 2015 at 17:37, Paul Blair wrote:
>>
>>> I've been reading that the Wildfly management console can be secured
>>> using Keycloak as of Wildfly 9. Would it be hazardous to do that with the
>>> console for the Keycloak server itself?
Is there a straightforward way to >>> deploy Keycloak onto Wildfly 9? >>> >> >> Where did you read it? AFAIK it's not ready yet, certainly not in WildFly >> 9. >> >> Not sure what you mean about console for Keycloak server. The Keycloak >> servers admin console has always been secured with Keycloak. >> >> You can add Keycloak server overlay to an existing WildFly 9. Read the >> docs for instructions. We will move to WildFly 10 once Final is released >> and we won't support adding the overlay to WildFly 9 anymore. >> >> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151125/ee017b6b/attachment-0001.html From ssilvert at redhat.com Wed Nov 25 13:13:57 2015 From: ssilvert at redhat.com (Stan Silvert) Date: Wed, 25 Nov 2015 13:13:57 -0500 Subject: [keycloak-user] Wildfly 9? In-Reply-To: References: <5655E9F2.3050208@redhat.com> Message-ID: <5655FA65.9060609@redhat.com> On 11/25/2015 1:05 PM, Stian Thorgersen wrote: > Elytron is delayed for WF11 isn't it? I don't know. > > On 25 November 2015 at 18:03, Stan Silvert > wrote: > > On 11/24/2015 2:14 PM, Stian Thorgersen wrote: >> I'm pretty sure the changes have not been merged into WildFly yet. >> >> Stan can comment when he gets back what the status is. > The changes were never merged because of the impending Elytron > work. Now, the changes are so out of date that it's basically > impossible to put Humpty Dumpty back together again. > > As of now, we are still waiting on Elytron to be mature enough to > handle a Keycloak adapter. Hopefully, that will be soon but I > don't know the status. > >> >> On 24 November 2015 at 19:52, Paul Blair > > wrote: >> >> I'm referring to the Wildfly management console. 
This was in >> preview in July of 2014: >> >> https://developer.jboss.org/wiki/PreviewKeycloak-securedManagementInWildFly9 >> >> >> >> From: Stian Thorgersen > > >> Reply-To: > >> Date: Tue, 24 Nov 2015 19:26:18 +0100 >> To: "pblair at clearme.com " >> > >> Cc: "keycloak-user at lists.jboss.org >> " >> > > >> Subject: Re: [keycloak-user] Wildfly 9? >> >> >> >> On 24 November 2015 at 17:37, Paul Blair > > wrote: >> >> I've been reading that the Wildfly management console can >> be secured using Keycloak as of Wildfly 9. Would it be >> hazardous to do that with the console for the Keycloak >> server itself? Is there a straightforward way to deploy >> Keycloak onto Wildfly 9? >> >> >> Where did you read it? AFAIK it's not ready yet, certainly >> not in WildFly 9. >> >> Not sure what you mean about console for Keycloak server. The >> Keycloak servers admin console has always been secured with >> Keycloak. >> >> You can add Keycloak server overlay to an existing WildFly 9. >> Read the docs for instructions. We will move to WildFly 10 >> once Final is released and we won't support adding the >> overlay to WildFly 9 anymore. >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151125/26b46b3f/attachment.html From sthorger at redhat.com Wed Nov 25 14:31:24 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 25 Nov 2015 20:31:24 +0100 Subject: [keycloak-user] Email is unique within one realm In-Reply-To: <5C3DDBFAC4DBF04084678703EC0AC294252BAFA5@EX-TT-AC-02.traveltainment.int> References: <5C3DDBFAC4DBF04084678703EC0AC294252BAE1B@EX-TT-AC-02.traveltainment.int> <5C3DDBFAC4DBF04084678703EC0AC294252BAFA5@EX-TT-AC-02.traveltainment.int> Message-ID: In that case could you just set the contact email address as an attribute instead? The email field has to be unique as it can be in place of username. You could even use protocol mappers to map either email or the attribute to the same claim in the token. On 25 November 2015 at 15:57, Sebastian Olscher < sebastian.olscher at traveltainment.de> wrote: > This receives importance if we are talking about users which will be used > by a system and not a human person. These users may have the same > responsible contact person as there is a system using this account and no > real human. The contact person is identified by the email address. Our own > specific information will be designed as user attributes. > > > > For example: > > > > Username: sys_customer1 > > Email address: sebastian.olscher at traveltainment.de (Email address of the > contact person who is responsible for this user) > > User attribute: Key=customer, Value=customer1 > > > > Username: sys_customer2 > > Email address: sebastian.olscher at traveltainment.de (Email address of the > contact person who is responsible for this user) > > User attribute: Key=customer, Value=customer2 > > > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* Wednesday, November 25, 2015 3:04 PM > *To:* Sebastian Olscher > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] Email is unique within one realm > > > > That's not possible at the moment. 
Out of curiosity why would you have two > different accounts for the same person? > > > > On 25 November 2015 at 15:01, Sebastian Olscher < > sebastian.olscher at traveltainment.de> wrote: > > Hello, > > > > the email address is unique within one realm. Is there a possibility to > fulfill the requirement to have different user (different usernames) for > different applications within one realm which were managed and used by the > same person/entity? > > > For example: > > > > Username: I_Am_An_Admin > > Email: user at traveltainment.de > > (gets roles for every client within the realm) > > > > Username: I_Am_A_Normal_User > > Email: user at traveltainment.de > > (get roles from only one client within the realm) > > > > Is this unambiguity of the email address configurable? > > > > Thanks, > > Sebastian > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151125/40b29507/attachment.html From sthorger at redhat.com Wed Nov 25 14:35:07 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 25 Nov 2015 20:35:07 +0100 Subject: [keycloak-user] Limit sessions per user In-Reply-To: References: Message-ID: We don't have support for that built-in, but you can use the authenticator spi to add it yourself. On 25 November 2015 at 16:46, Jose Suero wrote: > Is there a way to limit user sessions. So if I logon and have a previous > active session for that session to be immediately expired? > > Maybe have a configuration for this per realm > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
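An added example for the "Limit sessions per user" thread above; this is not code from the list or from the Keycloak project. Stian's pointer is the authenticator SPI, which runs inside the server as part of the login flow. The script below shows a complementary control that runs outside the server: it lists a user's sessions through the admin REST API and revokes the oldest ones beyond a cap. The endpoint paths (`/admin/realms/{realm}/users/{id}/sessions` and `/admin/realms/{realm}/sessions/{id}`), the `start` field on the session representation, and the base URL are assumptions about the admin API of that era and should be checked against your version's REST documentation; the session list is constructed so the block runs offline.

```python
"""Cap the number of concurrent Keycloak sessions a user may hold, enforced
from outside the server via the admin REST API.

Added example; not code from the keycloak-user list or from Keycloak itself.
"""
import json
import urllib.request


class KeycloakAdminApi:
    """Minimal admin REST client. base_url is the server root including the
    /auth context (constructed example: https://sso.example.test/auth); the
    bearer token is an admin access token obtained separately."""

    def __init__(self, base_url, access_token):
        self.base_url = base_url.rstrip("/")
        self.access_token = access_token

    def _call(self, method, path):
        req = urllib.request.Request(self.base_url + path, method=method)
        req.add_header("Authorization", "Bearer " + self.access_token)
        with urllib.request.urlopen(req) as resp:
            body = resp.read()
        return json.loads(body) if body else None

    def get(self, path):
        return self._call("GET", path)

    def delete(self, path):
        return self._call("DELETE", path)


def sessions_to_revoke(sessions, max_sessions):
    """Return the ids of the sessions that exceed the cap.

    The newest `max_sessions` sessions (by `start`, epoch milliseconds) are
    kept; everything older is returned, newest first.
    """
    if max_sessions < 1:
        raise ValueError("max_sessions must be at least 1")
    newest_first = sorted(sessions, key=lambda s: s["start"], reverse=True)
    return [s["id"] for s in newest_first[max_sessions:]]


def enforce_session_limit(api, realm, user_id, max_sessions):
    """List the user's sessions and revoke those beyond the cap.

    Assumed endpoints (not on the page): GET .../users/{id}/sessions returns
    the user's session representations; DELETE .../sessions/{id} removes one
    session, which logs it out of every client attached to it.
    Returns the ids that were revoked.
    """
    sessions = api.get("/admin/realms/%s/users/%s/sessions" % (realm, user_id))
    revoked = sessions_to_revoke(sessions, max_sessions)
    for session_id in revoked:
        api.delete("/admin/realms/%s/sessions/%s" % (realm, session_id))
    return revoked


# Constructed sample: three sessions for one user, shaped like the admin
# API's session representation (only the fields used here are filled in).
SAMPLE_SESSIONS = [
    {"id": "s-old", "username": "alice", "start": 1448400000000, "lastAccess": 1448400500000},
    {"id": "s-mid", "username": "alice", "start": 1448403600000, "lastAccess": 1448403700000},
    {"id": "s-new", "username": "alice", "start": 1448407200000, "lastAccess": 1448407300000},
]


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; no server is contacted.
    print("keeping 1 session, would revoke:", sessions_to_revoke(SAMPLE_SESSIONS, 1))
```

Because this runs after the new login has already succeeded, there is a window in which both the old and the new session are live; a custom authenticator in the flow, as Stian suggests, can act before the new session is issued. The script is still a useful periodic sweep, and the `sessions_to_revoke` policy is the same either way.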
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151125/4edd2a5d/attachment-0001.html From sthorger at redhat.com Wed Nov 25 14:36:13 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 25 Nov 2015 20:36:13 +0100 Subject: [keycloak-user] Unknown authentication mechanism KEYCLOAK In-Reply-To: <73CB5671-5ABD-4681-AC7C-4670890FB193@topicus.nl> References: <9A724D14-7F34-4AE4-BDCC-345C8BFA770B@topicus.nl> <5652D265.8020801@redhat.com> <0A0940F3-8A44-4420-97EE-5F648712E68A@topicus.nl> <73CB5671-5ABD-4681-AC7C-4670890FB193@topicus.nl> Message-ID: Try following: http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html And see if you can get it working. On 25 November 2015 at 18:58, Rens Verhage wrote: > Unfortunately, installing the adapter didn't solve my problem. After > installing the adapter, I ran the adapter-install.cli script and checked > that the following has been added to my standalone.xml configuration: > > Under extensions: > > > auth > > > Also, the following security-domain has been added within the xmlns="urn:jobs:domain:security:1.2"> element: > > > > code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/> > > > > Still, I get the same "UT010039: Unknown authentication mechanism > KEYCLOAK" error. Could there be more configuration that I have missed? > > By the way, my first attempt was based on the video tutorials by Bill > Burke, they seem to be outdated. > > > /Rens > > > > On Nov 23, 2015, at 10:05, Rens Verhage wrote: > > > > Ah, I didn't install the adapter. I was under the impression that > everything in the download with wildfly container would be pre-configured. > Having read the adapter chapter, I understand why this assumption was wrong. > > > > Thanks! > > > > > >> On Nov 23, 2015, at 09:46, Marek Posolda wrote: > >> > >> You also need to enable adapter subsystem in standalone.xml : > >> > >> >> > >> > >> > >> Take a look at docs (especially adapter part) for more details. 
> >> > >> Marek > >> > >> > >> On 22/11/15 18:53, Rens Verhage wrote: > >>> Hi all, > >>> > >>> I'm having some trouble securing a test application with Keycloak. I > downloaded the keycloak-1.6.1.Final.zip. First thing I did was changing the > datasource to PostgreSQL and in Keycloak configured my realm and generated > a keycloak.json file. > >>> > >>> I copied keycloak.json to the WEB-INF folder of my war project and > edited my web.xml, I added this: > >>> > >>> > >>> KEYCLOAK > >>> PDC > >>> > >>> > >>> > >>> admin > >>> > >>> > >>> user > >>> > >>> > >>> Upon boot however, Wildfly logs the following error: > >>> > >>> "WFLYCTL0080: Failed services" => > {"jboss.undertow.deployment.default-server.default-host./pdc-web" => > "org.jboss.msc.service.StartException in service > jboss.undertow.deployment.default-server.default-host./pdc-web: > java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown > authentication mechanism KEYCLOAK > >>> Caused by: java.lang.RuntimeException: java.lang.RuntimeException: > UT010039: Unknown authentication mechanism KEYCLOAK > >>> Caused by: java.lang.RuntimeException: UT010039: Unknown > authentication mechanism KEYCLOAK"}} > >>> > >>> The only hint to fix this error that I could find was to make sure > that the Keycloak subsystem is enabled in > standalone/configuration/standalone.xml, which is the case as I didn't > change the default config: > >>> > >>> > >>> > >>> ... > >>> > >>> ... > >>> > >>> ... > >>> > >>> > >>> As my experience with Wildfly and knowledge of Keycloak is limited, > what could be the problem here? 
> >>> > >>> > >>> Regards, > >>> Rens Verhage > >>> > >>> > >>> _______________________________________________ > >>> keycloak-user mailing list > >>> keycloak-user at lists.jboss.org > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151125/0bb228d1/attachment.html From josephsuero at gmail.com Wed Nov 25 14:45:20 2015 From: josephsuero at gmail.com (Jose Suero) Date: Wed, 25 Nov 2015 15:45:20 -0400 Subject: [keycloak-user] Limit sessions per user In-Reply-To: References: Message-ID: <954C5E4E-82BD-413D-BFDD-E4E7002BABF1@gmail.com> Any samples I can look at? Sent from my iPhone > On Nov 25, 2015, at 3:35 PM, Stian Thorgersen wrote: > > We don't have support for that built-in, but you can use the authenticator spi to add it yourself. > >> On 25 November 2015 at 16:46, Jose Suero wrote: >> Is there a way to limit user sessions. So if I logon and have a previous active session for that session to be immediately expired? >> >> Maybe have a configuration for this per realm >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
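For the "Unknown authentication mechanism KEYCLOAK" thread above: Marek's and Marko's replies point at the same gap, the adapter subsystem element missing from standalone.xml while the extension and the "keycloak" security-domain are present, which is exactly what Rens reports after running adapter-install.cli. The following is an added example (not code from the list or from the Keycloak project) that reads a standalone.xml and reports which of the three pieces is absent. The extension module name and the keycloak subsystem namespace prefix are assumptions based on what adapter-install.cli of that era wrote; the login module class is the one quoted in the thread, and both XML samples are constructed.

```python
"""Check a WildFly standalone.xml for the three pieces the Keycloak WildFly
adapter needs: the extension, the "keycloak" security-domain and the keycloak
subsystem. Added example; not code from the keycloak-user list or from Keycloak.
"""
import xml.etree.ElementTree as ET

# Assumed identifiers (not on the page): what adapter-install.cli of the
# Keycloak 1.x era wrote. Verify them against your own adapter-install.cli.
KEYCLOAK_EXTENSION_MODULE = "org.keycloak.keycloak-wildfly-subsystem"
KEYCLOAK_SUBSYSTEM_NS_PREFIX = "urn:jboss:domain:keycloak:"
# Login module class quoted in the thread itself.
KEYCLOAK_LOGIN_MODULE = "org.keycloak.adapters.jboss.KeycloakLoginModule"


def _local(tag):
    """'{urn:jboss:domain:3.0}subsystem' -> 'subsystem'."""
    return tag.rsplit("}", 1)[-1]


def _namespace(tag):
    """'{urn:jboss:domain:keycloak:1.1}subsystem' -> 'urn:jboss:domain:keycloak:1.1'."""
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def check_keycloak_adapter_config(xml_text):
    """Return {'extension': bool, 'security-domain': bool, 'subsystem': bool}."""
    root = ET.fromstring(xml_text)
    elements = list(root.iter())

    has_extension = any(
        _local(el.tag) == "extension" and el.get("module") == KEYCLOAK_EXTENSION_MODULE
        for el in elements
    )

    # The security-domain must be named "keycloak" and carry the Keycloak login
    # module with flag="required"; a domain with a different flag does not count.
    has_security_domain = any(
        _local(sd.tag) == "security-domain" and sd.get("name") == "keycloak"
        and any(
            _local(lm.tag) == "login-module"
            and lm.get("code") == KEYCLOAK_LOGIN_MODULE
            and lm.get("flag") == "required"
            for lm in sd.iter()
        )
        for sd in elements
    )

    # Every <subsystem> in standalone.xml has the same local name, so the
    # keycloak one is recognised by its namespace rather than by its tag.
    has_subsystem = any(
        _local(el.tag) == "subsystem"
        and _namespace(el.tag).startswith(KEYCLOAK_SUBSYSTEM_NS_PREFIX)
        for el in elements
    )
    return {
        "extension": has_extension,
        "security-domain": has_security_domain,
        "subsystem": has_subsystem,
    }


def missing_pieces(xml_text):
    """Names of the pieces that are absent; an empty list means all three are present."""
    return [name for name, ok in check_keycloak_adapter_config(xml_text).items() if not ok]


# Constructed sample mirroring the situation in the thread: the extension and
# the security-domain were added, but the final subsystem line never was.
BROKEN_STANDALONE_XML = """<server xmlns="urn:jboss:domain:3.0">
  <extensions>
    <extension module="org.jboss.as.logging"/>
    <extension module="org.keycloak.keycloak-wildfly-subsystem"/>
  </extensions>
  <profile>
    <subsystem xmlns="urn:jboss:domain:security:1.2">
      <security-domains>
        <security-domain name="keycloak">
          <authentication>
            <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
          </authentication>
        </security-domain>
      </security-domains>
    </subsystem>
  </profile>
</server>
"""

# The same file after the last adapter-install.cli step has added the subsystem.
FIXED_STANDALONE_XML = BROKEN_STANDALONE_XML.replace(
    "  </profile>",
    '    <subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>\n  </profile>',
)


if __name__ == "__main__":
    for label, xml_text in (("broken", BROKEN_STANDALONE_XML), ("fixed", FIXED_STANDALONE_XML)):
        print(label, "- missing:", missing_pieces(xml_text) or "nothing")
```

Run it against `standalone/configuration/standalone.xml` (read the file and pass its text to `missing_pieces`); an empty result means the deployment's `KEYCLOAK` auth-method should resolve, while a non-empty one names the step of adapter-install.cli to re-run.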
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151125/703e078d/attachment.html From mstrukel at redhat.com Wed Nov 25 15:32:27 2015 From: mstrukel at redhat.com (Marko Strukelj) Date: Wed, 25 Nov 2015 21:32:27 +0100 Subject: [keycloak-user] Unknown authentication mechanism KEYCLOAK In-Reply-To: References: <9A724D14-7F34-4AE4-BDCC-345C8BFA770B@topicus.nl> <5652D265.8020801@redhat.com> <0A0940F3-8A44-4420-97EE-5F648712E68A@topicus.nl> <73CB5671-5ABD-4681-AC7C-4670890FB193@topicus.nl> Message-ID: Sounds as if the last line from adapter-install.cli ( https://github.com/keycloak/keycloak/blob/master/distribution/adapters/shared-cli/adapter-install.cli) wasn't executed. It should result in the following line in your standalone.xml: On Nov 25, 2015 20:37, "Stian Thorgersen" wrote: > Try following: > > http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html > > And see if you can get it working. > > On 25 November 2015 at 18:58, Rens Verhage > wrote: > >> Unfortunately, installing the adapter didn't solve my problem. After >> installing the adapter, I ran the adapter-install.cli script and checked >> that the following has been added to my standalone.xml configuration: >> >> Under extensions: >> >> >> auth >> >> >> Also, the following security-domain has been added within the > xmlns="urn:jobs:domain:security:1.2"> element: >> >> >> >> > code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/> >> >> >> >> Still, I get the same "UT010039: Unknown authentication mechanism >> KEYCLOAK" error. Could there be more configuration that I have missed? >> >> By the way, my first attempt was based on the video tutorials by Bill >> Burke, they seem to be outdated. >> >> >> /Rens >> >> >> > On Nov 23, 2015, at 10:05, Rens Verhage >> wrote: >> > >> > Ah, I didn't install the adapter. I was under the impression that >> everything in the download with wildfly container would be pre-configured. 
>> Having read the adapter chapter, I understand why this assumption was wrong. >> > >> > Thanks! >> > >> > >> >> On Nov 23, 2015, at 09:46, Marek Posolda wrote: >> >> >> >> You also need to enable adapter subsystem in standalone.xml : >> >> >> >> > >> >> >> >> >> >> >> Take a look at docs (especially adapter part) for more details. >> >> >> >> Marek >> >> >> >> >> >> On 22/11/15 18:53, Rens Verhage wrote: >> >>> Hi all, >> >>> >> >>> I'm having some trouble securing a test application with Keycloak. I >> downloaded the keycloak-1.6.1.Final.zip. First thing I did was changing the >> datasource to PostgreSQL and in Keycloak configured my realm and generated >> a keycloak.json file. >> >>> >> >>> I copied keycloak.json to the WEB-INF folder of my war project and >> edited my web.xml, I added this: >> >>> >> >>> >> >>> KEYCLOAK >> >>> PDC >> >>> >> >>> >> >>> >> >>> admin >> >>> >> >>> >> >>> user >> >>> >> >>> >> >>> Upon boot however, Wildfly logs the following error: >> >>> >> >>> "WFLYCTL0080: Failed services" => >> {"jboss.undertow.deployment.default-server.default-host./pdc-web" => >> "org.jboss.msc.service.StartException in service >> jboss.undertow.deployment.default-server.default-host./pdc-web: >> java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown >> authentication mechanism KEYCLOAK >> >>> Caused by: java.lang.RuntimeException: java.lang.RuntimeException: >> UT010039: Unknown authentication mechanism KEYCLOAK >> >>> Caused by: java.lang.RuntimeException: UT010039: Unknown >> authentication mechanism KEYCLOAK"}} >> >>> >> >>> The only hint to fix this error that I could find was to make sure >> that the Keycloak subsystem is enabled in >> standalone/configuration/standalone.xml, which is the case as I didn't >> change the default config: >> >>> >> >>> >> >>> >> >>> ... >> >>> >> >>> ... >> >>> >> >>> ... >> >>> >> >>> >> >>> As my experience with Wildfly and knowledge of Keycloak is limited, >> what could be the problem here? 
>> >>> >> >>> >> >>> Regards, >> >>> Rens Verhage >> >>> >> >>> >> >>> _______________________________________________ >> >>> keycloak-user mailing list >> >>> keycloak-user at lists.jboss.org >> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> > >> > >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151125/2bbc1cd1/attachment-0001.html From thomas at schweizer.fr Wed Nov 25 17:33:09 2015 From: thomas at schweizer.fr (Thomas Schweizer-Bolzonello) Date: Wed, 25 Nov 2015 23:33:09 +0100 Subject: [keycloak-user] Implementation of Keycloak (SAML) with Google Apps In-Reply-To: <565592BA.20105@redhat.com> References: <565592BA.20105@redhat.com> Message-ID: Hello Marek, Thanks for pointing me on this resource. Very useful. I'm now on these settings : Client ID : googleapps Name : My Test Saml Enabled : On Include AuthnStatement : On Sign Assertions : On (RSA_SHA256, EXCLUSIVE) Client Signature Required : On Name ID Format : email IDP Initiated SSO URL Name : googleapps == Assertion Consumer Service Redirect Binding URL : https://www.google.com/a/mydomain.com/acs When I'm accessing (manually or set via Google Admin console in SSO settings) the following URL : https://xyz/realms/myrealmname/protocol/saml/googleapps .. 
I'm facing a totally blank page Error in Wildfly log : 23:25:04,136 WARN [org.jboss.resteasy.core.ExceptionHandler] (default task-107) failed to execute: javax.ws.rs.NotFoundException: Could not find resource for full path: https://xyz/realms/myrealmname/protocol/saml/googleapps Any idea ? Thanks Best regards, Thomas 2015-11-25 11:51 GMT+01:00 Marek Posolda : > Longer time ago, I did the integration of picketlink with Google Apps, which > is documented here: > https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+Apps+as+SP > . Some steps might be outdated, but hopefully most of them are still > applicable and can be (maybe with some tweaks) applied for Keycloak as well. > Especially the part for configuring on Google side. I did not try in > practice with Keycloak yet, but I think that you may want to: > - Use clientId like "google.com/a/yourdomain.com" for your client where > yourdomain.com is your Google-Apps domain > - Select "Sign assertions" so google-apps will verify the signature on > assertion with the realm key you uploaded > > Other options might be kept default probably (not sure at 100% as I didn't > try it myself yet) > > Marek > > > On 25/11/15 10:42, Thomas Schweizer-Bolzonello wrote: > > Hello, > Does someone have documentation on how to implement Keycloak with Google > Apps ? > I tried to implement a SAML client in a Keycloak realm but I'm lost > with settings when creating one. > > Tried to use the official documentation and to search on the web but > to no avail. > > If someone could point me to what settings to use in the SAML client I > created, it would be great. > I already took the key generated for the realm and uploaded it to Google > Apps. 
> > Best regards, > Thomas > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > From Joseph.George at finantix.com Thu Nov 26 00:48:17 2015 From: Joseph.George at finantix.com (Joseph.George at finantix.com) Date: Thu, 26 Nov 2015 12:48:17 +0700 Subject: [keycloak-user] Mobile SSO - web brower+ native iOS In-Reply-To: References: Message-ID: Dear All we have a situation where users have applications both html5 based web and also native iOS apps accessing from iPads The requirement is that users access the web based application within a iPad, which will be redirected to Keycloak IDP server for login. Once user logins, next time, if the same user just tap on the native app within the same device, it should not again prompt for userid/password, rather SSO takes care of it We need to design so that users can toggle back and forth among mobile browser apps and mobile apps. This is ideal for agents, sales reps, who need to switch quickly among programs while on the go., Would like to know - is this something KeyCloak with SAML 2.0 supports out of the box please? Thanks and Regards Joseph From sebastian.olscher at traveltainment.de Thu Nov 26 02:29:30 2015 From: sebastian.olscher at traveltainment.de (Sebastian Olscher) Date: Thu, 26 Nov 2015 07:29:30 +0000 Subject: [keycloak-user] Email is unique within one realm In-Reply-To: References: <5C3DDBFAC4DBF04084678703EC0AC294252BAE1B@EX-TT-AC-02.traveltainment.int> <5C3DDBFAC4DBF04084678703EC0AC294252BAFA5@EX-TT-AC-02.traveltainment.int> Message-ID: <5C3DDBFAC4DBF04084678703EC0AC294252BB547@EX-TT-AC-02.traveltainment.int> Unfortunately this is not easily possible because we want to use out-of-the-box features such as "update profile email", "reset password email" and others, where Keycloak uses the email address of the account. 
As I understood the reason why the email address was designed as unique is that it could be also used as the username. Would it be possible to implement this as a feature within the realm config? You can configure if you want to allow the usage of the email address as the username. If not, the email address has not to be unique. For us, this would make totally sense and helps us to fulfill the requirement. Would that be possible if there are no other preventing side effects? From: Stian Thorgersen [mailto:sthorger at redhat.com] Sent: Wednesday, November 25, 2015 8:31 PM To: Sebastian Olscher Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Email is unique within one realm In that case could you just set the contact email address as an attribute instead? The email field has to be unique as it can be in place of username. You could even use protocol mappers to map either email or the attribute to the same claim in the token. On 25 November 2015 at 15:57, Sebastian Olscher > wrote: This receives importance if we are talking about users which will be used by a system and not a human person. These users may have the same responsible contact person as there is a system using this account and no real human. The contact person is identified by the email address. Our own specific information will be designed as user attributes. 
For example: Username: sys_customer1 Email address: sebastian.olscher at traveltainment.de (Email address of the contact person who is responsible for this user) User attribute: Key=customer, Value=customer1 Username: sys_customer2 Email address: sebastian.olscher at traveltainment.de (Email address of the contact person who is responsible for this user) User attribute: Key=customer, Value=customer2 From: Stian Thorgersen [mailto:sthorger at redhat.com] Sent: Wednesday, November 25, 2015 3:04 PM To: Sebastian Olscher Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Email is unique within one realm That's not possible at the moment. Out of curiosity why would you have two different accounts for the same person? On 25 November 2015 at 15:01, Sebastian Olscher > wrote: Hello, the email address is unique within one realm. Is there a possibility to fulfill the requirement to have different user (different usernames) for different applications within one realm which were managed and used by the same person/entity? For example: Username: I_Am_An_Admin Email: user at traveltainment.de (gets roles for every client within the realm) Username: I_Am_A_Normal_User Email: user at traveltainment.de (get roles from only one client within the realm) Is this unambiguity of the email address configurable? Thanks, Sebastian _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151126/1570400d/attachment-0001.html From parul.com at gmail.com Thu Nov 26 02:30:16 2015 From: parul.com at gmail.com (Arulkumar Ponnusamy) Date: Thu, 26 Nov 2015 13:00:16 +0530 Subject: [keycloak-user] Fwd: any reference document on Keycloak SAML SP configuration In-Reply-To: References: Message-ID: I want to implement the SAML Service provider(SP) for my application. I used picketlink earlier (servlet filter) to configure my application as SAML SP. However, when I tried the same with Keycloak, it is not working as expected. There is no proper documentation/example on how keycloak saml SP configuration has to be done. I did the following things. 1. Copied all the jar(keycloak-saml-eap6-adapter-dist) into my jboss/lib directory 2. Configured the security domain as below 3. I built the keycloak saml example "redirect-with-signature" and deployed. 4. I am using the picketlink as my IDP. 5. It does not redirect to my picketlink IDP. Can someone tell how to configure keycloak SAML SP? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151126/d57f0323/attachment.html From sthorger at redhat.com Thu Nov 26 02:40:48 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 26 Nov 2015 08:40:48 +0100 Subject: [keycloak-user] Limit sessions per user In-Reply-To: <954C5E4E-82BD-413D-BFDD-E4E7002BABF1@gmail.com> References: <954C5E4E-82BD-413D-BFDD-E4E7002BABF1@gmail.com> Message-ID: Yes, there are examples for custom authenticators in the examples download On 25 November 2015 at 20:45, Jose Suero wrote: > Any samples I can look at? > > Sent from my iPhone > > On Nov 25, 2015, at 3:35 PM, Stian Thorgersen wrote: > > We don't have support for that built-in, but you can use the authenticator > spi to add it yourself. 
> > On 25 November 2015 at 16:46, Jose Suero wrote: > >> Is there a way to limit user sessions. So if I logon and have a previous >> active session for that session to be immediately expired? >> >> Maybe have a configuration for this per realm >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151126/214b50d7/attachment.html From sthorger at redhat.com Thu Nov 26 02:42:59 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 26 Nov 2015 08:42:59 +0100 Subject: [keycloak-user] Implementation of Keycloak (SAML) with Google Apps In-Reply-To: References: <565592BA.20105@redhat.com> Message-ID: Blank page with a 403? The URL is missing '/auth/'. Unless you've changed the context-path Keycloak is deployed to the url should be https://xyz/auth/realms/myrealmname/protocol/saml/googleapps On 25 November 2015 at 23:33, Thomas Schweizer-Bolzonello < thomas at schweizer.fr> wrote: > Hello Marek, > > Thanks for pointing me on this resource. Very useful. > I'm now on these settings : > > Client ID : googleapps > Name : My Test Saml > Enabled : On > Include AuthnStatement : On > Sign Assertions : On (RSA_SHA256, EXCLUSIVE) > Client Signature Required : On > Name ID Format : email > IDP Initiated SSO URL Name : googleapps > == > Assertion Consumer Service Redirect Binding URL : > https://www.google.com/a/mydomain.com/acs > > When I'm accessing (manually or set via Google Admin console in SSO > settings) the following URL : > https://xyz/realms/myrealmname/protocol/saml/googleapps .. 
I'm facing > a totally blank page > > Error in Wildfly log : > 23:25:04,136 WARN [org.jboss.resteasy.core.ExceptionHandler] (default > task-107) failed to execute: javax.ws.rs.NotFoundException: Could not > find resource for full path: > https://xyz/realms/myrealmname/protocol/saml/googleapps > > Any idea ? > > Thanks > > Best regards, > Thomas > > 2015-11-25 11:51 GMT+01:00 Marek Posolda : > > Longer time ago, I did the integration of picketlink with Google Apps, > which > > is documented here: > > > https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+Apps+as+SP > > . Some steps might be outdated, but hopefully most of them are still > > applicable and can be (maybe with some tweaks) applied for Keycloak as > well. > > Especially the part for configuring on Google side. I did not try in > > practice with Keycloak yet, but I think that you may want to: > > - Use clientId like "google.com/a/yourdomain.com" for your client where > > yourdomain.com is your Google-Apps domain > > - Select "Sign assertions" so google-apps will verify the signature on > > assertion with the realm key you uploaded > > > > Other options might be kept default probably (not sure at 100% as I > didn't > > try it myself yet) > > > > Marek > > > > > > On 25/11/15 10:42, Thomas Schweizer-Bolzonello wrote: > > > > Hello, > > Does someone have documentation on how to implement Keycloak with Google > > Apps ? > > I tried to implement a SAML client in a Keycloak realm but I'm lost > > with settings when creating one. > > > > Tried to use the official documentation and to search on the web but > > to no avail. > > > > If someone could point me to what settings to use in the SAML client I > > created, it would be great. > > I already took the key generated for the realm and uploaded it to Google > > Apps. 
> > > > Best regards, > > Thomas > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151126/31f922ba/attachment.html From sthorger at redhat.com Thu Nov 26 02:53:24 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 26 Nov 2015 08:53:24 +0100 Subject: [keycloak-user] Mobile SSO - web brower+ native iOS In-Reply-To: References: Message-ID: Hi, For native mobile integration with Keycloak you should look at AeroGear ( aerogear.org). We don't have the experience on our team to develop native mobile integration. Does it have to be SAMLv2 though? OpenID Connect is better designed for html5 and mobile use cases. On 26 November 2015 at 06:48, wrote: > Dear All > > we have a situation where users have applications both html5 based web and > also native iOS apps accessing from iPads > > The requirement is that users access the web based application within a > iPad, which will be redirected to Keycloak IDP server for login. > Once user logins, next time, if the same user just tap on the native app > within the same device, it should not again prompt for userid/password, > rather SSO takes care of it > > We need to design so that users can toggle back and forth among mobile > browser apps and mobile apps. > This is ideal for agents, sales reps, who need to switch quickly among > programs while on the go., > > Would like to know - is this something KeyCloak with SAML 2.0 supports out > of the box please? 
>
> Thanks and Regards
> Joseph

From sthorger at redhat.com Thu Nov 26 02:58:14 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 26 Nov 2015 08:58:14 +0100
Subject: [keycloak-user] Email is unique within one realm
In-Reply-To: <5C3DDBFAC4DBF04084678703EC0AC294252BB547@EX-TT-AC-02.traveltainment.int>
References: <5C3DDBFAC4DBF04084678703EC0AC294252BAE1B@EX-TT-AC-02.traveltainment.int> <5C3DDBFAC4DBF04084678703EC0AC294252BAFA5@EX-TT-AC-02.traveltainment.int> <5C3DDBFAC4DBF04084678703EC0AC294252BB547@EX-TT-AC-02.traveltainment.int>

I meant that you'd use the attribute option only for the "server accounts" where it's not the email of the user, but a contact email. For regular users you'd continue using the email field. Would that work? You can even write a custom protocol mapper that takes either and adds it to the same claim in the token.

The email field has a unique constraint in the database and that's not something we can enable/disable with a realm option. I think we'd have to add an additional field or store the email as an attribute. Could be a bit messy and quite a bit of work to do.

On 26 November 2015 at 08:29, Sebastian Olscher <sebastian.olscher at traveltainment.de> wrote:
> Unfortunately this is not easily possible because we want to use out-of-the-box features such as "update profile email", "reset password email" and others, where Keycloak uses the email address of the account.
>
> As I understood the reason why the email address was designed as unique is that it could be also used as the username.
> Would it be possible to implement this as a feature within the realm config? You can configure if you want to allow the usage of the email address as the username. If not, the email address has not to be unique. For us, this would make totally sense and helps us to fulfill the requirement. Would that be possible if there are no other preventing side effects?
>
> From: Stian Thorgersen [mailto:sthorger at redhat.com]
> Sent: Wednesday, November 25, 2015 8:31 PM
> To: Sebastian Olscher
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Email is unique within one realm
>
> In that case could you just set the contact email address as an attribute instead? The email field has to be unique as it can be in place of username. You could even use protocol mappers to map either email or the attribute to the same claim in the token.
>
> On 25 November 2015 at 15:57, Sebastian Olscher <sebastian.olscher at traveltainment.de> wrote:
>
> This receives importance if we are talking about users which will be used by a system and not a human person. These users may have the same responsible contact person as there is a system using this account and no real human. The contact person is identified by the email address. Our own specific information will be designed as user attributes.
>
> For example:
>
> Username: sys_customer1
> Email address: sebastian.olscher at traveltainment.de (Email address of the contact person who is responsible for this user)
> User attribute: Key=customer, Value=customer1
>
> Username: sys_customer2
> Email address: sebastian.olscher at traveltainment.de (Email address of the contact person who is responsible for this user)
> User attribute: Key=customer, Value=customer2
>
> From: Stian Thorgersen [mailto:sthorger at redhat.com]
> Sent: Wednesday, November 25, 2015 3:04 PM
> To: Sebastian Olscher
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Email is unique within one realm
>
> That's not possible at the moment. Out of curiosity why would you have two different accounts for the same person?
>
> On 25 November 2015 at 15:01, Sebastian Olscher <sebastian.olscher at traveltainment.de> wrote:
>
> Hello,
>
> the email address is unique within one realm. Is there a possibility to fulfill the requirement to have different user (different usernames) for different applications within one realm which were managed and used by the same person/entity?
>
> For example:
>
> Username: I_Am_An_Admin
> Email: user at traveltainment.de
> (gets roles for every client within the realm)
>
> Username: I_Am_A_Normal_User
> Email: user at traveltainment.de
> (get roles from only one client within the realm)
>
> Is this unambiguity of the email address configurable?
>
> Thanks,
> Sebastian
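The custom protocol mapper Stian suggests above, written out as an added example; it is not code from this thread or from the Keycloak project. It emits the account's own email and falls back to a contact email stored in a user attribute, so regular users and "server accounts" end up with one claim. The package name, provider id, config key and the `contact_email` attribute name are assumptions, as is the three-argument `setClaim` hook and `getFirstAttribute` from the 1.x-era mapper SPI current when this thread was written.

```java
// Added example, not Keycloak project code. Assumes the Keycloak 1.x-era
// OIDC protocol mapper SPI: AbstractOIDCProtocolMapper with a three-argument
// setClaim() hook, OIDCAttributeMapperHelper.mapClaim(), UserModel.getFirstAttribute().
package com.example.keycloak.mappers; // hypothetical package

import java.util.ArrayList;
import java.util.List;

import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper;
import org.keycloak.protocol.oidc.mappers.UserInfoTokenMapper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.IDToken;

/**
 * Emits the user's own email, or, only when the account has none, the contact
 * email held in a configurable user attribute, under a single configurable claim.
 */
public class ContactEmailMapper extends AbstractOIDCProtocolMapper
        implements OIDCAccessTokenMapper, OIDCIDTokenMapper, UserInfoTokenMapper {

    public static final String PROVIDER_ID = "contact-email-mapper";    // hypothetical provider id
    public static final String CONTACT_ATTRIBUTE = "contact.attribute";  // hypothetical config key
    private static final String DEFAULT_ATTRIBUTE = "contact_email";     // constructed attribute name

    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();

    static {
        ProviderConfigProperty attr = new ProviderConfigProperty();
        attr.setName(CONTACT_ATTRIBUTE);
        attr.setLabel("Contact email attribute");
        attr.setType(ProviderConfigProperty.STRING_TYPE);
        attr.setDefaultValue(DEFAULT_ATTRIBUTE);
        attr.setHelpText("User attribute consulted only when the account has no email of its own");
        CONFIG.add(attr);

        ProviderConfigProperty claim = new ProviderConfigProperty();
        claim.setName(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME);
        claim.setLabel("Token Claim Name");
        claim.setType(ProviderConfigProperty.STRING_TYPE);
        // Defaults to a distinct claim; set it to "email" for the single shared claim
        // suggested in the thread (see the usage note on what relying parties may assume).
        claim.setDefaultValue("contact_email");
        claim.setHelpText("Claim that receives the user's email or, failing that, the contact email");
        CONFIG.add(claim);

        // The standard "Add to ID token" / "Add to access token" switches the helper reads.
        for (String name : new String[] {OIDCAttributeMapperHelper.INCLUDE_IN_ID_TOKEN,
                                         OIDCAttributeMapperHelper.INCLUDE_IN_ACCESS_TOKEN}) {
            ProviderConfigProperty include = new ProviderConfigProperty();
            include.setName(name);
            include.setLabel(name);
            include.setType(ProviderConfigProperty.BOOLEAN_TYPE);
            include.setDefaultValue("true");
            CONFIG.add(include);
        }
    }

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Email or contact email"; }
    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getHelpText() {
        return "Maps the user's email, or the contact email attribute for server accounts, to one claim";
    }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }

    /** Own email wins; the contact attribute is a fallback, never an override. Testable without a server. */
    static String resolveEmail(String ownEmail, String contactEmail) {
        if (ownEmail != null && !ownEmail.trim().isEmpty()) {
            return ownEmail.trim();
        }
        if (contactEmail != null && !contactEmail.trim().isEmpty()) {
            return contactEmail.trim();
        }
        return null;
    }

    @Override
    protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession) {
        UserModel user = userSession.getUser();
        String attribute = mappingModel.getConfig().get(CONTACT_ATTRIBUTE);
        if (attribute == null || attribute.isEmpty()) {
            attribute = DEFAULT_ATTRIBUTE;
        }
        String value = resolveEmail(user.getEmail(), user.getFirstAttribute(attribute));
        if (value == null) {
            return; // neither source is set: emit no claim rather than an empty string
        }
        // Writes the value under the configured claim name, honouring nested "a.b" names.
        OIDCAttributeMapperHelper.mapClaim(token, mappingModel, value);
    }
}
```

To register it, list the class name in `META-INF/services/org.keycloak.protocol.ProtocolMapper` inside the jar and deploy the jar the same way as any other provider for the server version in use; the mapper then appears under the client's Mappers tab. Two points on the design: the attribute is only read when the email field is empty, so a user attribute can never replace a real user's verified email in the token; and the default claim name is deliberately not `email`, because a contact address shared by many server accounts is not an identifier, and a relying party that keys accounts on the `email` claim would merge those accounts. Relying parties should identify users by the `iss` and `sub` claims, which is also the OpenID Connect Core rule on claim uniqueness, and can be pointed at the shared claim name only if every consumer is known to treat it as contact information.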
From sthorger at redhat.com Thu Nov 26 02:58:51 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 26 Nov 2015 08:58:51 +0100
Subject: [keycloak-user] Fwd: any reference document on Keycloak SAML SP configuration

Documentation is here http://keycloak.github.io/docs/userguide/saml-client-adapter/html/index.html - did you read that?

On 26 November 2015 at 08:30, Arulkumar Ponnusamy wrote:
> I want to implement the SAML Service provider(SP) for my application. I used picketlink earlier (servlet filter) to configure my application as SAML SP. However, when I tried the same with Keycloak, it is not working as expected. There is no proper documentation/example on how keycloak saml SP configuration has to be done.
>
> I did the following things.
> 1. Copied all the jar(keycloak-saml-eap6-adapter-dist) into my jboss/lib directory
> 2. Configured the security domain as below
> code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
> 3. I built the keycloak saml example "redirect-with-signature" and deployed.
> 4. I am using the picketlink as my IDP.
> 5. The redirect does not redirecting to my picketlink IDP.
>
> Can some one tell how to configure keycloak SAML SP.?
From thomas at schweizer.fr Thu Nov 26 03:10:52 2015
From: thomas at schweizer.fr (Thomas Schweizer-Bolzonello)
Date: Thu, 26 Nov 2015 09:10:52 +0100
Subject: [keycloak-user] Implementation of Keycloak (SAML) with Google Apps
References: <565592BA.20105@redhat.com>

Hello Stian,
Blank page with a 404

I removed /auth because I redeployed Keycloak on root context with this : http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e426

I tried to create a new realm but same problem : blank page + 404

Full error in log is here : https://gist.github.com/ThomasSchweizer/a1ce825bd245d5261250

Thomas

2015-11-26 8:42 GMT+01:00 Stian Thorgersen :
> Blank page with a 403?
>
> The URL is missing '/auth/'. Unless you've changed the context-path Keycloak is deployed to the url should be https://xyz/auth/realms/myrealmname/protocol/saml/googleapps
>
> On 25 November 2015 at 23:33, Thomas Schweizer-Bolzonello wrote:
> >
> > Hello Marek,
> >
> > Thanks for pointing me on this resource. Very useful.
> > I'm now on these settings :
> >
> > Client ID : googleapps
> > Name : My Test Saml
> > Enabled : On
> > Include AuthnStatement : On
> > Sign Assertions : On (RSA_SHA256, EXCLUSIVE)
> > Client Signature Required : On
> > Name ID Format : email
> > IDP Initiated SSO URL Name : googleapps
> > ==
> > Assertion Consumer Service Redirect Binding URL : https://www.google.com/a/mydomain.com/acs
> >
> > When I'm accessing (manually or set via Google Admin console in SSO settings) the following URL : https://xyz/realms/myrealmname/protocol/saml/googleapps ..
> > I'm facing a totally blank page
> >
> > Error in Wildfly log :
> > 23:25:04,136 WARN [org.jboss.resteasy.core.ExceptionHandler] (default task-107) failed to execute: javax.ws.rs.NotFoundException: Could not find resource for full path: https://xyz/realms/myrealmname/protocol/saml/googleapps
> >
> > Any idea ?
> >
> > Thanks
> >
> > Best regards,
> > Thomas
> >
> > 2015-11-25 11:51 GMT+01:00 Marek Posolda :
> > > Longer time ago, I did the integration of picketlink with Google Apps, which is documented here: https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+Apps+as+SP . Some steps might be outdated, but hopefully most of them is still applicable and can be (maybe with some tweaks) applied for Keycloak as well. Especially the part for configuring on Google side. I did not tried in practice with Keycloak yet, but I think that you may want to:
> > > - Use clientId like "google.com/a/yourdomain.com" for your client where yourdomain.com is your Google-Apps domain
> > > - Select "Sign assertions" so google-apps will verify the signature on assertion with the realm key you uploaded
> > >
> > > Other options might be kept default probably (not sure at 100% as I didn't try it myself yet)
> > >
> > > Marek
> > >
> > > On 25/11/15 10:42, Thomas Schweizer-Bolzonello wrote:
> > >
> > > Hello,
> > > Does someone have documentation on how to implement Keycloak with Google Apps ?
> > > I tried to implement a SAML client in a Keycloak realm but I'm lost with settings when creating one.
> > >
> > > Tried to use the official documentation and to search on the web but to no avail.
> > >
> > > If someone could point me to what settings to use in the SAML client I created, it would be great.
> > > I already took the key generated for the realm and uploaded it to Google Apps.
> > >
> > > Best regards,
> > > Thomas

From sthorger at redhat.com Thu Nov 26 03:22:23 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 26 Nov 2015 09:22:23 +0100
Subject: [keycloak-user] Implementation of Keycloak (SAML) with Google Apps
References: <565592BA.20105@redhat.com>

Try "https://xyz/realms/myrealmname/protocol/saml", dropping "googleapps"

On 26 November 2015 at 09:10, Thomas Schweizer-Bolzonello <thomas at schweizer.fr> wrote:
> Hello Stian,
> Blank page with a 404
>
> I removed /auth because I redeployed Keycloak on root context with this : http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e426
>
> I tried to create a new realm but same problem : blank page + 404
>
> Full error in log is here : https://gist.github.com/ThomasSchweizer/a1ce825bd245d5261250
>
> Thomas
>
> 2015-11-26 8:42 GMT+01:00 Stian Thorgersen :
> > Blank page with a 403?
> >
> > The URL is missing '/auth/'. Unless you've changed the context-path Keycloak is deployed to the url should be https://xyz/auth/realms/myrealmname/protocol/saml/googleapps
> >
> > On 25 November 2015 at 23:33, Thomas Schweizer-Bolzonello wrote:
> > >
> > > Hello Marek,
> > >
> > > Thanks for pointing me on this resource. Very useful.
> > > I'm now on these settings :
> > >
> > > Client ID : googleapps
> > > Name : My Test Saml
> > > Enabled : On
> > > Include AuthnStatement : On
> > > Sign Assertions : On (RSA_SHA256, EXCLUSIVE)
> > > Client Signature Required : On
> > > Name ID Format : email
> > > IDP Initiated SSO URL Name : googleapps
> > > ==
> > > Assertion Consumer Service Redirect Binding URL : https://www.google.com/a/mydomain.com/acs
> > >
> > > When I'm accessing (manually or set via Google Admin console in SSO settings) the following URL : https://xyz/realms/myrealmname/protocol/saml/googleapps .. I'm facing a totally blank page
> > >
> > > Error in Wildfly log :
> > > 23:25:04,136 WARN [org.jboss.resteasy.core.ExceptionHandler] (default task-107) failed to execute: javax.ws.rs.NotFoundException: Could not find resource for full path: https://xyz/realms/myrealmname/protocol/saml/googleapps
> > >
> > > Any idea ?
> > >
> > > Thanks
> > >
> > > Best regards,
> > > Thomas
> > >
> > > 2015-11-25 11:51 GMT+01:00 Marek Posolda :
> > > > Longer time ago, I did the integration of picketlink with Google Apps, which is documented here: https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+Apps+as+SP . Some steps might be outdated, but hopefully most of them is still applicable and can be (maybe with some tweaks) applied for Keycloak as well. Especially the part for configuring on Google side.
> > > > I did not tried in practice with Keycloak yet, but I think that you may want to:
> > > > - Use clientId like "google.com/a/yourdomain.com" for your client where yourdomain.com is your Google-Apps domain
> > > > - Select "Sign assertions" so google-apps will verify the signature on assertion with the realm key you uploaded
> > > >
> > > > Other options might be kept default probably (not sure at 100% as I didn't try it myself yet)
> > > >
> > > > Marek
> > > >
> > > > On 25/11/15 10:42, Thomas Schweizer-Bolzonello wrote:
> > > >
> > > > Hello,
> > > > Does someone have documentation on how to implement Keycloak with Google Apps ?
> > > > I tried to implement a SAML client in a Keycloak realm but I'm lost with settings when creating one.
> > > >
> > > > Tried to use the official documentation and to search on the web but to no avail.
> > > >
> > > > If someone could point me to what settings to use in the SAML client I created, it would be great.
> > > > I already took the key generated for the realm and uploaded it to Google Apps.
> > > >
> > > > Best regards,
> > > > Thomas
From parul.com at gmail.com Thu Nov 26 03:28:59 2015
From: parul.com at gmail.com (Arulkumar Ponnusamy)
Date: Thu, 26 Nov 2015 13:58:59 +0530
Subject: [keycloak-user] Fwd: any reference document on Keycloak SAML SP configuration

Hi Stian,
Thanks for your response. Yes. I followed the same. I followed the instruction of Chapter-7 Java servlet Filter Adapter. as specified I added the SAMLFilter class in filter mapping of my web.xml.

In picketlink, we have handler and Listener which makes our application as SAML provider. Picketlink also has lot of sample project which we can try/tweak as per our need. However in keycloak, i see neither of them.

On Thu, Nov 26, 2015 at 1:28 PM, Stian Thorgersen wrote:
> Documentation is here http://keycloak.github.io/docs/userguide/saml-client-adapter/html/index.html - did you read that?
>
> On 26 November 2015 at 08:30, Arulkumar Ponnusamy wrote:
> > I want to implement the SAML Service provider(SP) for my application. I used picketlink earlier (servlet filter) to configure my application as SAML SP. However, when I tried the same with Keycloak, it is not working as expected. There is no proper documentation/example on how keycloak saml SP configuration has to be done.
> >
> > I did the following things.
> > 1. Copied all the jar(keycloak-saml-eap6-adapter-dist) into my jboss/lib directory
> > 2. Configured the security domain as below
> > code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
> > 3. I built the keycloak saml example "redirect-with-signature" and deployed.
> > 4. I am using the picketlink as my IDP.
> > 5. The redirect does not redirecting to my picketlink IDP.
> >
> > Can some one tell how to configure keycloak SAML SP.?
From sthorger at redhat.com Thu Nov 26 04:35:04 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 26 Nov 2015 10:35:04 +0100
Subject: [keycloak-user] Fwd: any reference document on Keycloak SAML SP configuration

On 26 November 2015 at 09:28, Arulkumar Ponnusamy wrote:
> Hi Stian,
> Thanks for your response. Yes. I followed the same. I followed the instruction of Chapter-7 Java servlet Filter Adapter. as specified I added the SAMLFilter class in filter mapping of my web.xml.
>

We have a few examples for SAML in our examples download. Did you look at those?

> In picketlink, we have handler and Listener which makes our application as SAML provider. Picketlink also has lot of sample project which we can try/tweak as per our need. However in keycloak, i see neither of them.
>

Do you mean SAML Identity Provider or Service Provider? With Keycloak, Keycloak server is the Identity Provider and you configure/tweak it through the admin console.

> On Thu, Nov 26, 2015 at 1:28 PM, Stian Thorgersen wrote:
> > Documentation is here http://keycloak.github.io/docs/userguide/saml-client-adapter/html/index.html - did you read that?
> >
> > On 26 November 2015 at 08:30, Arulkumar Ponnusamy wrote:
> > > I want to implement the SAML Service provider(SP) for my application. I used picketlink earlier (servlet filter) to configure my application as SAML SP. However, when I tried the same with Keycloak, it is not working as expected. There is no proper documentation/example on how keycloak saml SP configuration has to be done.
> > >
> > > I did the following things.
> > > 1. Copied all the jar(keycloak-saml-eap6-adapter-dist) into my jboss/lib directory
> > > 2. Configured the security domain as below
> > > code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
> > > 3. I built the keycloak saml example "redirect-with-signature" and deployed.
> > > 4. I am using the picketlink as my IDP.
> > > 5. The redirect does not redirecting to my picketlink IDP.
> > >
> > > Can some one tell how to configure keycloak SAML SP.?

From parul.com at gmail.com Thu Nov 26 05:48:28 2015
From: parul.com at gmail.com (Arulkumar Ponnusamy)
Date: Thu, 26 Nov 2015 16:18:28 +0530
Subject: [keycloak-user] Fwd: any reference document on Keycloak SAML SP configuration

Hi Stian,

Do you mean SAML Identity Provider or Service Provider? With Keycloak, Keycloak server is the Identity Provider and you configure/tweak it through the admin console.

[Arul] I meant Service provider and not Identity provider. After some play with the web.xml, I am getting different error, java.lang.ClassNotFoundException: org.keycloak.adapters.servlet.ServletHttpFacade. I don't find this file in keycloak repository too. This file is used in SAMLFilter class. any idea whether this is defect or where i can find this.

On Thu, Nov 26, 2015 at 3:05 PM, Stian Thorgersen wrote:
>
> On 26 November 2015 at 09:28, Arulkumar Ponnusamy wrote:
> > Hi Stian,
> > Thanks for your response. Yes. I followed the same. I followed the instruction of Chapter-7 Java servlet Filter Adapter. as specified I added the SAMLFilter class in filter mapping of my web.xml.
> >
> We have a few examples for SAML in our examples download. Did you look at those?
>
> > In picketlink, we have handler and Listener which makes our application as SAML provider. Picketlink also has lot of sample project which we can try/tweak as per our need. However in keycloak, i see neither of them.
> >
> Do you mean SAML Identity Provider or Service Provider? With Keycloak, Keycloak server is the Identity Provider and you configure/tweak it through the admin console.
>
> > On Thu, Nov 26, 2015 at 1:28 PM, Stian Thorgersen wrote:
> > > Documentation is here http://keycloak.github.io/docs/userguide/saml-client-adapter/html/index.html - did you read that?
> > >
> > > On 26 November 2015 at 08:30, Arulkumar Ponnusamy wrote:
> > > > I want to implement the SAML Service provider(SP) for my application. I used picketlink earlier (servlet filter) to configure my application as SAML SP. However, when I tried the same with Keycloak, it is not working as expected. There is no proper documentation/example on how keycloak saml SP configuration has to be done.
> > > >
> > > > I did the following things.
> > > > 1. Copied all the jar(keycloak-saml-eap6-adapter-dist) into my jboss/lib directory
> > > > 2. Configured the security domain as below
> > > > code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
> > > > 3. I built the keycloak saml example "redirect-with-signature" and deployed.
> > > > 4. I am using the picketlink as my IDP.
> > > > 5. The redirect does not redirecting to my picketlink IDP.
> > > >
> > > > Can some one tell how to configure keycloak SAML SP.?
From sebastian.olscher at traveltainment.de Thu Nov 26 06:18:31 2015
From: sebastian.olscher at traveltainment.de (Sebastian Olscher)
Date: Thu, 26 Nov 2015 11:18:31 +0000
Subject: [keycloak-user] Email is unique within one realm
In-Reply-To: <5C3DDBFAC4DBF04084678703EC0AC294252BB547@EX-TT-AC-02.traveltainment.int>
References: <5C3DDBFAC4DBF04084678703EC0AC294252BAE1B@EX-TT-AC-02.traveltainment.int> <5C3DDBFAC4DBF04084678703EC0AC294252BAFA5@EX-TT-AC-02.traveltainment.int> <5C3DDBFAC4DBF04084678703EC0AC294252BB547@EX-TT-AC-02.traveltainment.int>
Message-ID: <5C3DDBFAC4DBF04084678703EC0AC294252BB97F@EX-TT-AC-02.traveltainment.int>

Unfortunately this would also not solve the original issue: we are handling these accounts like all other accounts and using standard Keycloak features which all bases on the email address. Would it be a smaller effort to handle this check on software level? You can configure the uniqueness of the email address in each realm, check this on software level and delete the unique index in the database. Would that be manageable?

"Email address unique or not?" - I have found a similar discussion and a recommendation in the OpenID Connect Specification:

"Therefore, the only guaranteed unique identifier for a given End-User is the combination of the iss Claim and the sub Claim. All other Claims carry no such guarantees across different issuers in terms of stability over time or uniqueness across users, and Issuers are permitted to apply local restrictions and policies. For instance, an Issuer MAY re-use an email Claim Value across different End-Users at different points in time, and the claimed email address for a given End-User MAY change over time. Therefore, other Claims such as email, phone_number, and preferred_username and MUST NOT be used as unique identifiers for the End-User." [OpenID Connect Core Specification 1.0,
5.7 Claim Stability and Uniqueness]

So, at this point, we have a local restriction of Keycloak which says that the email claim has to be unique. This is absolutely compliant but as the example exactly describes the email case, I think others were also dealing with this topic. Because of this, the specification recommends to make the email address not unique. What do you think, would that be an option for a new feature?

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Thursday, November 26, 2015 8:58 AM
To: Sebastian Olscher
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Email is unique within one realm

I meant that you'd use the attribute option only for the "server accounts" where it's not the email of the user, but a contact email. For regular users you'd continue using the email field. Would that work? You can even write a custom protocol mapper that takes either and adds it to the same claim in the token.

The email field has a unique constraint in the database and that's not something we can enable/disable with a realm option. I think we'd have to add an additional field or store the email as an attribute. Could be a bit messy and quite a bit of work to do.

On 26 November 2015 at 08:29, Sebastian Olscher wrote:

Unfortunately this is not easily possible because we want to use out-of-the-box features such as "update profile email", "reset password email" and others, where Keycloak uses the email address of the account.

As I understood the reason why the email address was designed as unique is that it could be also used as the username. Would it be possible to implement this as a feature within the realm config? You can configure if you want to allow the usage of the email address as the username. If not, the email address has not to be unique. For us, this would make totally sense and helps us to fulfill the requirement. Would that be possible if there are no other preventing side effects?
From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Wednesday, November 25, 2015 8:31 PM
To: Sebastian Olscher
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Email is unique within one realm

In that case could you just set the contact email address as an attribute instead? The email field has to be unique has it can be in place of username. You could even use protocol mappers to map either email or the attribute to the same claim in the token.

On 25 November 2015 at 15:57, Sebastian Olscher wrote:

This receives importance if we are talking about users which will be used by a system and not a human person. These users may have the same responsible contact person as there is a system using this account and no real human. The contact person is identified by the email address. Our own specific information will be designed as user attributes.

For example:

Username: sys_customer1
Email address: sebastian.olscher at traveltainment.de (Email address of the contact person who is responsible for this user)
User attribute: Key=customer, Value=customer1

Username: sys_customer2
Email address: sebastian.olscher at traveltainment.de (Email address of the contact person who is responsible for this user)
User attribute: Key=customer, Value=customer2

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Wednesday, November 25, 2015 3:04 PM
To: Sebastian Olscher
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Email is unique within one realm

That's not possible at the moment. Out of curiosity why would you have two different accounts for the same person?

On 25 November 2015 at 15:01, Sebastian Olscher wrote:

Hello,

the email address is unique within one realm. Is there a possibility to fulfill the requirement to have different user (different usernames) for different applications within one realm which were managed and used by the same person/entity?
For example:

Username: I_Am_An_Admin
Email: user at traveltainment.de
(gets roles for every client within the realm)

Username: I_Am_A_Normal_User
Email: user at traveltainment.de
(get roles from only one client within the realm)

Is this unambiguity of the email address configurable?

Thanks,
Sebastian

From bruno at abstractj.org Thu Nov 26 06:26:02 2015
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 26 Nov 2015 11:26:02 +0000
Subject: [keycloak-user] Mobile SSO - web browser + native iOS

Months ago we had such requirement for FeedHenry. The fact, is that SAML 2.0 is not mobile friendly, due to the multiple redirects between SP, IdP and the Web Browser. The best you can do, like already mentioned by Stian is to make use of OpenID or make use of Webviews. But with Webviews, you have to deal with the annoying login prompt every time.

If you are interested about the work on it, take a look at: https://github.com/feedhenry-templates?utf8=%E2%9C%93&query=saml

I hope it helps.

On Thu, Nov 26, 2015 at 3:48 AM wrote:
> Dear All
>
> we have a situation where users have applications both html5 based web and also native iOS apps accessing from iPads
>
> The requirement is that users access the web based application within a iPad, which will be redirected to Keyclock IDP server for login.
> Once user logins, next time, if the same user just tap on the native app within the same device, it should not again prompt for userid/password, rather SSO takes care of it
>
> We need to design so that users can toggle back and forth among mobile browser apps and mobile apps.
> This is ideal for agents, sales reps, who to need to switch quickly among programs while on the go.,
>
> Would like to know - is this something KeyCloak with SAML 2.0 supports out of the box please?
>
> Thanks and Regards
> Joseph

From sthorger at redhat.com Thu Nov 26 07:13:03 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 26 Nov 2015 13:13:03 +0100
Subject: [keycloak-user] Email is unique within one realm
In-Reply-To: <5C3DDBFAC4DBF04084678703EC0AC294252BB97F@EX-TT-AC-02.traveltainment.int>
References: <5C3DDBFAC4DBF04084678703EC0AC294252BAE1B@EX-TT-AC-02.traveltainment.int> <5C3DDBFAC4DBF04084678703EC0AC294252BAFA5@EX-TT-AC-02.traveltainment.int> <5C3DDBFAC4DBF04084678703EC0AC294252BB547@EX-TT-AC-02.traveltainment.int> <5C3DDBFAC4DBF04084678703EC0AC294252BB97F@EX-TT-AC-02.traveltainment.int>

On 26 November 2015 at 12:18, Sebastian Olscher <sebastian.olscher at traveltainment.de> wrote:
> Unfortunately this would also not solve the original issue: we are handling these accounts like all other accounts and using standard Keycloak features which all bases on the email address. Would it be a smaller effort to handle this check on software level? You can configure the uniqueness of the email address in each realm, check this on software level and delete the unique index in the database. Would that be manageable?
>

We can't guarantee that a email is unique without a constraint, as otherwise there's always a window where duplicates could be added.
We can't remove the constraint either as the constraint applies to all realms, but further we can't change the db schema based on configuration options on a realm. We would need to have a separate field in the db for non-unique email addresses. That's not really a big problem I think, but it would still be a fair bit of work to implement. We'd also need to have an option on a realm on what attribute to use as username, options should be username/email, username or email. You can add a feature request, but ATM we're stretched rather thin so it would be a while until we could implement it. Unless you are willing to contribute it though? If you are then we should discuss how it should be done, and also need to double check if there's any problems in adding it. > > > "Email address unique or not?" - I have found a similar discussion and a > recommendation in the OpenID Connect specification: > > "Therefore, the only guaranteed unique identifier for a given End-User is > the combination of the iss Claim and the sub Claim. > > All other Claims carry no such guarantees across different issuers in > terms of stability over time or uniqueness across users, and Issuers are > permitted to apply local restrictions and policies. For instance, an Issuer > MAY re-use an email Claim Value across different End-Users at different > points in time, and the claimed email address for a given End-User MAY > change over time. Therefore, other Claims such as email, phone_number, > and preferred_username MUST NOT be used as unique identifiers for the > End-User." [OpenID Connect Core Specification 1.0, Section 5.7 Claim > > Stability and Uniqueness] > > So, at this point, we have a local restriction of Keycloak which says that > the email claim has to be unique. This is absolutely compliant but as the > example exactly describes the email case, I think others were also dealing > with this topic. Because of this, the specification recommends to make the > email address not unique. 
What do you think, would that be an option for a > new feature? > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* Thursday, November 26, 2015 8:58 AM > > *To:* Sebastian Olscher > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] Email is unique within one realm > > > > I meant that you'd use the attribute option only for the "server accounts" > where it's not the email of the user, but a contact email. For regular > users you'd continue using the email field. Would that work? You can even > write a custom protocol mapper that takes either and adds it to the same > claim in the token. > > > > The email field has a unique constraint in the database and that's not > something we can enable/disable with a realm option. I think we'd have to > add an additional field or store the email as an attribute. Could be a bit > messy and quite a bit of work to do. > > > > On 26 November 2015 at 08:29, Sebastian Olscher < > sebastian.olscher at traveltainment.de> wrote: > > Unfortunately this is not easily possible because we want to use > out-of-the-box features such as "update profile email", "reset password > email" and others, where Keycloak uses the email address of the account. > > > > As I understood the reason why the email address was designed as unique is > that it could be also used as the username. Would it be possible to > implement this as a feature within the realm config? You can configure if > you want to allow the usage of the email address as the username. If not, > the email address does not have to be unique. For us, this would make totally > sense and helps us to fulfill the requirement. Would that be possible if > there are no other preventing side effects? 
> > > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* Wednesday, November 25, 2015 8:31 PM > > > *To:* Sebastian Olscher > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] Email is unique within one realm > > > > In that case could you just set the contact email address as an attribute > instead? The email field has to be unique has it can be in place of > username. You could even use protocol mappers to map either email or the > attribute to the same claim in the token. > > > > On 25 November 2015 at 15:57, Sebastian Olscher < > sebastian.olscher at traveltainment.de> wrote: > > This receives importance if we are talking about users which will be used > by a system and not a human person. These users may have the same > responsible contact person as there is a system using this account and no > real human. The contact person is identified by the email address. Our own > specific information will be designed as user attributes. > > > > For example: > > > > Username: sys_customer1 > > Email address: sebastian.olscher at traveltainment.de (Email address of the > contact person who is responsible for this user) > > User attribute: Key=customer, Value=customer1 > > > > Username: sys_customer2 > > Email address: sebastian.olscher at traveltainment.de (Email address of the > contact person who is responsible for this user) > > User attribute: Key=customer, Value=customer2 > > > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* Wednesday, November 25, 2015 3:04 PM > *To:* Sebastian Olscher > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] Email is unique within one realm > > > > That's not possible at the moment. Out of curiosity why would you have two > different accounts for the same person? > > > > On 25 November 2015 at 15:01, Sebastian Olscher < > sebastian.olscher at traveltainment.de> wrote: > > Hello, > > > > the email address is unique within one realm. 
Is there a possibility to > fulfill the requirement to have different user (different usernames) for > different applications within one realm which were managed and used by the > same person/entity? > > > For example: > > > > Username: I_Am_An_Admin > > Email: user at traveltainment.de > > (gets roles for every client within the realm) > > > > Username: I_Am_A_Normal_User > > Email: user at traveltainment.de > > (get roles from only one client within the realm) > > > > Is this unambiguity of the email address configurable? > > > > Thanks, > > Sebastian > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151126/5fcf1a2e/attachment-0001.html From kalc04 at gmail.com Thu Nov 26 08:53:49 2015 From: kalc04 at gmail.com (Lohitha Chiranjeewa) Date: Thu, 26 Nov 2015 19:23:49 +0530 Subject: [keycloak-user] How to enable Infinispan cache for realms, users and user sessions in Keycloak 1.6.1? Message-ID: Hi, We're in the process of assessing the impact on upgrading from Keycloak 1.2.0 to 1.6.1. We came across an issue when trying to enable Infinispan cache through the keycloak-server.json file as we used to do in 1.2.0. We have the following entries in 1.6.1: "realm": { "provider": "infinispan" }, "user": { "provider": "infinispan" }, "userSessionPersister": { "provider": "infinispan" }, ......... "connectionsInfinispan": { "default" : { "cacheContainer" : "java:comp/env/infinispan/Keycloak" } } All configurations in 1.6.1 standalone-ha.xml file remains comparable (and correct to the best of our knowledge) with the ones in 1.2.0. 
With the above configs, when we start the Keycloak service the following error(s) get logged:

18:03:31,610 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 64) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) [rt.jar:1.7.0_45]
    at java.util.concurrent.FutureTask.run(FutureTask.java:262) [rt.jar:1.7.0_45]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_45]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_45]
    at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_45]
    at org.jboss.threads.JBossThread.run(JBossThread.java:320) [jboss-threads-2.2.0.Final.jar:2.2.0.Final]
Caused by: java.lang.RuntimeException: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:160)
    at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2211)
    at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:295)
    at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:236)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
    at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
    at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:230)
    at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:131)
    at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:511)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
    ... 6 more
Caused by: java.lang.RuntimeException: Failed to find provider infinispan for realm
    at org.keycloak.services.DefaultKeycloakSessionFactory.init(DefaultKeycloakSessionFactory.java:66)
    at org.keycloak.services.resources.KeycloakApplication.createSessionFactory(KeycloakApplication.java:162)
    at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:62)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) [rt.jar:1.7.0_45]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) [rt.jar:1.7.0_45]
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) [rt.jar:1.7.0_45]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:526) [rt.jar:1.7.0_45]
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:148)
    ... 19 more

Is the new way to enable Infinispan different to what we had earlier? If so, can someone please point out the correct way? Regards, Lohitha. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151126/22eb9cdd/attachment.html From velias at redhat.com Thu Nov 26 09:01:41 2015 From: velias at redhat.com (Vlastimil Elias) Date: Thu, 26 Nov 2015 15:01:41 +0100 Subject: [keycloak-user] Email is unique within one realm In-Reply-To: <5C3DDBFAC4DBF04084678703EC0AC294252BAFA5@EX-TT-AC-02.traveltainment.int> References: <5C3DDBFAC4DBF04084678703EC0AC294252BAE1B@EX-TT-AC-02.traveltainment.int> <5C3DDBFAC4DBF04084678703EC0AC294252BAFA5@EX-TT-AC-02.traveltainment.int> Message-ID: <565710C5.9000208@redhat.com> Hi Sebastian, small hint out of Keycloak. Some email servers (eg gmail) allows you to use email addresses with unresolved part after + sign, like sebastian.olscher+something at traveltainment.de. Emails for this kind of address are delivered to "base" email sebastian.olscher at traveltainment.de then. This may help you create more accounts with different emails delivered to same person. If your email server doesn't support this "dynamic" aliasing then it probably supports some "static" aliases defined by admin. Vl. On 25.11.2015 15:57, Sebastian Olscher wrote: > > This receives importance if we are talking about users which will be > used by a system and not a human person. These users may have the same > responsible contact person as there is a system using this account and > no real human. The contact person is identified by the email address. > Our own specific information will be designed as user attributes. 
> > > > For example: > > > > Username: sys_customer1 > > Email address: sebastian.olscher at traveltainment.de > (Email address of the > contact person who is responsible for this user) > > User attribute: Key=customer, Value=customer1 > > > > Username: sys_customer2 > > Email address: sebastian.olscher at traveltainment.de > (Email address of the > contact person who is responsible for this user) > > User attribute: Key=customer, Value=customer2 > > > > *From:*Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* Wednesday, November 25, 2015 3:04 PM > *To:* Sebastian Olscher > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] Email is unique within one realm > > > > That's not possible at the moment. Out of curiosity why would you have > two different accounts for the same person? > > > > On 25 November 2015 at 15:01, Sebastian Olscher > > wrote: > > Hello, > > > > the email address is unique within one realm. Is there a possibility > to fulfill the requirement to have different user (different > usernames) for different applications within one realm which were > managed and used by the same person/entity? > > > For example: > > > > Username: I_Am_An_Admin > > Email: user at traveltainment.de > > (gets roles for every client within the realm) > > > > Username: I_Am_A_Normal_User > > Email: user at traveltainment.de > > (get roles from only one client within the realm) > > > > Is this unambiguity of the email address configurable? 
> > > > Thanks, > > Sebastian > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- Vlastimil Elias Principal Software Engineer Developer Portal Engineering Team -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151126/63f43c2f/attachment-0001.html From bburke at redhat.com Thu Nov 26 09:18:20 2015 From: bburke at redhat.com (Bill Burke) Date: Thu, 26 Nov 2015 09:18:20 -0500 Subject: [keycloak-user] Fwd: any reference document on Keycloak SAML SP configuration In-Reply-To: References: Message-ID: <565714AC.9060505@redhat.com> How are you building your war that uses the filter? What app server are you deploying it to? As stated in the docs, you need this dependency and this should bring in all the additional dependencies this artifact has:

    <dependency>
        <groupId>org.keycloak</groupId>
        <artifactId>keycloak-saml-servlet-filter-adapter</artifactId>
        <version>1.6.1.Final</version>
    </dependency>

It's a USA holiday today and tomorrow. I'll look into it maybe tomorrow if I get home early, definitely Monday. There are examples, but not for the filter, just the adapter. examples/saml/... On 11/26/2015 5:48 AM, Arulkumar Ponnusamy wrote: > Hi Stian, > > Do you mean SAML Identity Provider or Service Provider? With Keycloak, > Keycloak server is the Identity Provider and you configure/tweak it > through the admin console. > [Arul] I meant Service provider and not Identity provider. > > After some play with the web.xml, I am getting a different error, > java.lang.ClassNotFoundException: > org.keycloak.adapters.servlet.ServletHttpFacade. I don't find this file > in the keycloak repository either. 
> > This file is used in the SAMLFilter class. Any idea whether this is a defect > or where I can find this? > > > > On Thu, Nov 26, 2015 at 3:05 PM, Stian Thorgersen > wrote: > > > > On 26 November 2015 at 09:28, Arulkumar Ponnusamy > > wrote: > > Hi Stian, > Thanks for your response. Yes. I followed the same. I followed > the instruction of Chapter-7 Java servlet Filter Adapter. As > specified I added the SAMLFilter class in the filter mapping of my > web.xml. > > > We have a few examples for SAML in our examples download. Did you > look at those? > > > In picketlink, we have handler and Listener which makes our > application as SAML provider. Picketlink also has lot of sample > projects which we can try/tweak as per our need. However in > keycloak, I see neither of them. > > > Do you mean SAML Identity Provider or Service Provider? With > Keycloak, Keycloak server is the Identity Provider and you > configure/tweak it through the admin console. > > > > On Thu, Nov 26, 2015 at 1:28 PM, Stian Thorgersen > > wrote: > > Documentation is here > http://keycloak.github.io/docs/userguide/saml-client-adapter/html/index.html > - did you read that? > > On 26 November 2015 at 08:30, Arulkumar Ponnusamy > > wrote: > > I want to implement the SAML Service provider(SP) for my > application. I used picketlink earlier (servlet filter) > to configure my application as SAML SP. However, when I > tried the same with Keycloak, it is not working as > expected. There is no proper documentation/example on > how keycloak saml SP configuration has to be done. > > I did the following things. > 1. Copied all the jars (keycloak-saml-eap6-adapter-dist) > into my jboss/lib directory > 2. Configured the security domain as below > <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule" > flag="required"/> > 3. I built the keycloak saml example > "redirect-with-signature" and deployed. > 4. I am using the picketlink as my IDP. > 5. The redirect is not redirecting to my picketlink IDP. 
> > Can some one tell how to configure keycloak SAML SP.? > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From sthorger at redhat.com Thu Nov 26 09:28:16 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 26 Nov 2015 15:28:16 +0100 Subject: [keycloak-user] How to enable Infinispan cache for realms, users and user sessions in Keycloak 1.6.1? In-Reply-To: References: Message-ID: Please read the migration guide On 26 November 2015 at 14:53, Lohitha Chiranjeewa wrote: > Hi, > > We're in the process of assessing the impact on upgrading from Keycloak > 1.2.0 to 1.6.1. We came across an issue when trying to enable Infinispan > cache through the keycloak-server.json file as we used to do in 1.2.0. > > We have the following entries in 1.6.1: > "realm": { > "provider": "infinispan" > }, > > "user": { > "provider": "infinispan" > }, > > "userSessionPersister": { > "provider": "infinispan" > }, > ......... > "connectionsInfinispan": { > "default" : { > "cacheContainer" : "java:comp/env/infinispan/Keycloak" > } > } > > All configurations in 1.6.1 standalone-ha.xml file remains comparable (and > correct to the best of our knowledge) with the ones in 1.2.0. 
> > With the above configs, when we start the Keycloak service the following > error(s) get logged: > > 18:03:31,610 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool > -- 64) MSC000001: Failed to start service > jboss.undertow.deployment.default-server.default-host./auth: > org.jboss.msc.service.StartException in service > jboss.undertow.deployment.default-server.default-host./auth: > java.lang.RuntimeException: Failed to construct public > org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85) > at > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) > [rt.jar:1.7.0_45] > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > [rt.jar:1.7.0_45] > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > [rt.jar:1.7.0_45] > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > [rt.jar:1.7.0_45] > at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_45] > at org.jboss.threads.JBossThread.run(JBossThread.java:320) > [jboss-threads-2.2.0.Final.jar:2.2.0.Final] > Caused by: java.lang.RuntimeException: Failed to construct public > org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) > at > org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:160) > at > org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2211) > at > org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:295) > at > org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:236) > at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112) > at > 
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) > at > io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) > at > org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) > at > io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) > at > io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:230) > at > io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:131) > at > io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:511) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82) > ... 6 more > Caused by: java.lang.RuntimeException: Failed to find provider infinispan > for realm > at > org.keycloak.services.DefaultKeycloakSessionFactory.init(DefaultKeycloakSessionFactory.java:66) > at > org.keycloak.services.resources.KeycloakApplication.createSessionFactory(KeycloakApplication.java:162) > at > org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:62) > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native > Method) [rt.jar:1.7.0_45] > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) > [rt.jar:1.7.0_45] > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > [rt.jar:1.7.0_45] > at java.lang.reflect.Constructor.newInstance(Constructor.java:526) > [rt.jar:1.7.0_45] > at > org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:148) > ... 19 more > > > Is the new way to enable Infinispan different to what we had earlier? 
If > so, can someone please point out the correct way? > > > Regards, > Lohitha. > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151126/8612de95/attachment.html From sebastian.olscher at traveltainment.de Thu Nov 26 10:05:39 2015 From: sebastian.olscher at traveltainment.de (Sebastian Olscher) Date: Thu, 26 Nov 2015 15:05:39 +0000 Subject: [keycloak-user] Email is unique within one realm In-Reply-To: References: <5C3DDBFAC4DBF04084678703EC0AC294252BAE1B@EX-TT-AC-02.traveltainment.int> <5C3DDBFAC4DBF04084678703EC0AC294252BAFA5@EX-TT-AC-02.traveltainment.int> <5C3DDBFAC4DBF04084678703EC0AC294252BB547@EX-TT-AC-02.traveltainment.int> <5C3DDBFAC4DBF04084678703EC0AC294252BB97F@EX-TT-AC-02.traveltainment.int> Message-ID: <5C3DDBFAC4DBF04084678703EC0AC294252BBDF6@EX-TT-AC-02.traveltainment.int> Thanks Vlastimil, this might be a good option for a transitional phase. I have created the feature request "KEYCLOAK-2141: The uniqueness of the email address should be configurable". Concerning the contribution I would like to check our capacity, this might be a valid option. Therefore I propose to shift the discussion about the contribution out of this mailing list. Let's have a deeper discussion after you have checked the feature request. Thanks a lot, Sebastian From: Vlastimil Elias [mailto:velias at redhat.com] Sent: Thursday, November 26, 2015 3:02 PM To: Sebastian Olscher Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Email is unique within one realm Hi Sebastian, small hint out of Keycloak. Some email servers (e.g. gmail) allow you to use email addresses with an unresolved part after the + sign, like sebastian.olscher+something at traveltainment.de. 
Emails for this kind of address are delivered to the "base" email sebastian.olscher at traveltainment.de then. This may help you create more accounts with different emails delivered to the same person. If your email server doesn't support this "dynamic" aliasing then it probably supports some "static" aliases defined by admin. Vl. From: Stian Thorgersen [mailto:sthorger at redhat.com] Sent: Thursday, November 26, 2015 1:13 PM To: Sebastian Olscher Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Email is unique within one realm On 26 November 2015 at 12:18, Sebastian Olscher > wrote: Unfortunately this would also not solve the original issue: we are handling these accounts like all other accounts and using standard Keycloak features which all bases on the email address. Would it be a smaller effort to handle this check on software level? You can configure the uniqueness of the email address in each realm, check this on software level and delete the unique index in the database. Would that be manageable? We can't guarantee that a email is unique without a constraint, as otherwise there's always a window where duplicates could be added. We can't remove the constraint either as the constraint applies to all realms, but further we can't change the db schema based on configuration options on a realm. We would need to have a separate field in the db for non-unique email addresses. That's not really a big problem I think, but it would still be a fair bit of work to implement. We'd also need to have an option on a realm on what attribute to use as username, options should be username/email, username or email. You can add a feature request, but ATM we're stretched rather thin so it would be a while until we could implement it. Unless you are willing to contribute it though? If you are then we should discuss how it should be done, and also need to double check if there's any problems in adding it. "Email address unique or not?" - 
I have found a similar discussion and a recommendation in the OpenID Connect specification: "Therefore, the only guaranteed unique identifier for a given End-User is the combination of the iss Claim and the sub Claim. All other Claims carry no such guarantees across different issuers in terms of stability over time or uniqueness across users, and Issuers are permitted to apply local restrictions and policies. For instance, an Issuer MAY re-use an email Claim Value across different End-Users at different points in time, and the claimed email address for a given End-User MAY change over time. Therefore, other Claims such as email, phone_number, and preferred_username MUST NOT be used as unique identifiers for the End-User." [OpenID Connect Core Specification 1.0, Section 5.7 Claim Stability and Uniqueness] So, at this point, we have a local restriction of Keycloak which says that the email claim has to be unique. This is absolutely compliant but as the example exactly describes the email case, I think others were also dealing with this topic. Because of this, the specification recommends to make the email address not unique. What do you think, would that be an option for a new feature? From: Stian Thorgersen [mailto:sthorger at redhat.com] Sent: Thursday, November 26, 2015 8:58 AM To: Sebastian Olscher Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Email is unique within one realm I meant that you'd use the attribute option only for the "server accounts" where it's not the email of the user, but a contact email. For regular users you'd continue using the email field. Would that work? You can even write a custom protocol mapper that takes either and adds it to the same claim in the token. The email field has a unique constraint in the database and that's not something we can enable/disable with a realm option. I think we'd have to add an additional field or store the email as an attribute. Could be a bit messy and quite a bit of work to do. 
On 26 November 2015 at 08:29, Sebastian Olscher > wrote: Unfortunately this is not easily possible because we want to use out-of-the-box features such as "update profile email", "reset password email" and others, where Keycloak uses the email address of the account. As I understood the reason why the email address was designed as unique is that it could be also used as the username. Would it be possible to implement this as a feature within the realm config? You can configure if you want to allow the usage of the email address as the username. If not, the email address does not have to be unique. For us, this would make totally sense and helps us to fulfill the requirement. Would that be possible if there are no other preventing side effects? From: Stian Thorgersen [mailto:sthorger at redhat.com] Sent: Wednesday, November 25, 2015 8:31 PM To: Sebastian Olscher Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Email is unique within one realm In that case could you just set the contact email address as an attribute instead? The email field has to be unique as it can be in place of username. You could even use protocol mappers to map either email or the attribute to the same claim in the token. On 25 November 2015 at 15:57, Sebastian Olscher > wrote: This receives importance if we are talking about users which will be used by a system and not a human person. These users may have the same responsible contact person as there is a system using this account and no real human. The contact person is identified by the email address. Our own specific information will be designed as user attributes. 
For example: Username: sys_customer1 Email address: sebastian.olscher at traveltainment.de (Email address of the contact person who is responsible for this user) User attribute: Key=customer, Value=customer1 Username: sys_customer2 Email address: sebastian.olscher at traveltainment.de (Email address of the contact person who is responsible for this user) User attribute: Key=customer, Value=customer2 From: Stian Thorgersen [mailto:sthorger at redhat.com] Sent: Wednesday, November 25, 2015 3:04 PM To: Sebastian Olscher Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Email is unique within one realm That's not possible at the moment. Out of curiosity why would you have two different accounts for the same person? On 25 November 2015 at 15:01, Sebastian Olscher > wrote: Hello, the email address is unique within one realm. Is there a possibility to fulfill the requirement to have different user (different usernames) for different applications within one realm which were managed and used by the same person/entity? For example: Username: I_Am_An_Admin Email: user at traveltainment.de (gets roles for every client within the realm) Username: I_Am_A_Normal_User Email: user at traveltainment.de (get roles from only one client within the realm) Is this unambiguity of the email address configurable? Thanks, Sebastian _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
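The thread above turns on two facts: Keycloak's unique index on the e-mail column is scoped to the realm (Stian's point that the check must be a constraint, not an application-level "is it taken?" test, because of the race window), and Vlastimil's workaround of plus-addressed aliases, which the index sees as distinct strings. The following is an added example, not Keycloak code, that models exactly that behaviour in memory: a per-realm store with an atomic check-and-insert, plus a canonicaliser that folds `local+tag@domain` back to the base address so an application can still answer "which accounts belong to this contact person". All names here (`UserStore`, `DuplicateEmailError`, `canonical_email`, the realm and user names) are this example's own; the case-insensitive comparison is an assumption of the model.

```python
"""
Added example (not Keycloak code): per-realm e-mail uniqueness with the
plus-addressing workaround discussed on the keycloak-user list.
"""
import threading
from collections import defaultdict


class DuplicateEmailError(ValueError):
    """Raised where the database would raise a unique-constraint violation."""


class DuplicateUsernameError(ValueError):
    """Username is unique per realm as well."""


def normalize_email(addr: str) -> str:
    """Trim and lower-case before comparing.  Assumption of this model: the
    store treats addresses case-insensitively."""
    return addr.strip().lower()


def canonical_email(addr: str) -> str:
    """Fold plus sub-addressing: local+tag@domain -> local@domain.

    Only the first '+' in the local part is significant.  This is for grouping
    accounts by contact person; it must never drive an authorization decision,
    because a mail domain without sub-addressing delivers such addresses as-is
    (or not at all)."""
    local, sep, domain = normalize_email(addr).rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {addr!r}")
    return f"{local.split('+', 1)[0]}@{domain}"


class UserStore:
    """Users keyed by realm; e-mail and username are unique within a realm."""

    def __init__(self) -> None:
        self._users = defaultdict(dict)   # realm -> username -> normalized email
        self._emails = defaultdict(set)   # realm -> set of normalized emails
        # The lock plays the role of the DB unique index: without an atomic
        # check-and-insert two concurrent requests can both pass the
        # "already taken?" test and both be stored.
        self._lock = threading.Lock()

    def add_user(self, realm: str, username: str, email: str) -> None:
        norm = normalize_email(email)
        with self._lock:
            if username in self._users[realm]:
                raise DuplicateUsernameError(f"{realm}/{username}")
            if norm in self._emails[realm]:
                raise DuplicateEmailError(f"{norm} already used in realm {realm}")
            self._users[realm][username] = norm
            self._emails[realm].add(norm)

    def users_for_contact(self, realm: str, contact: str) -> list:
        """All usernames in `realm` whose e-mail folds to the same base address."""
        base = canonical_email(contact)
        return sorted(u for u, e in self._users[realm].items()
                      if canonical_email(e) == base)


def demo() -> dict:
    """Replay the thread's scenario and return the outcomes."""
    store = UserStore()
    contact = "sebastian.olscher@traveltainment.de"
    store.add_user("customers", "sys_customer1", "sebastian.olscher+customer1@traveltainment.de")
    store.add_user("customers", "sys_customer2", "sebastian.olscher+customer2@traveltainment.de")
    try:  # same alias again in the same realm, only the case differs: rejected
        store.add_user("customers", "sys_customer3", "Sebastian.Olscher+customer1@traveltainment.de")
        third_stored = True
    except DuplicateEmailError:
        third_stored = False
    # The bare address is free in another realm: the index is per realm.
    store.add_user("internal", "I_Am_An_Admin", contact)
    return {
        "duplicate_alias_rejected": not third_stored,
        "customers_accounts_for_contact": store.users_for_contact("customers", contact),
        "internal_accounts_for_contact": store.users_for_contact("internal", contact),
    }


if __name__ == "__main__":
    print(demo())
```

The canonicaliser is deliberately kept out of `add_user`: the point of the workaround is that the store keeps treating the aliases as different addresses, and only the application groups them afterwards.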
From Gregor.Tudan at cofinpro.de Fri Nov 27 03:53:25 2015
From: Gregor.Tudan at cofinpro.de (Gregor Tudan)
Date: Fri, 27 Nov 2015 08:53:25 +0000
Subject: [keycloak-user] Required roles for clearing login failure counts
Message-ID:

Hi everyone,

while I totally agree that any configuration of the bruteforce-detection should require the realm-management role, I'd like to raise the question if clearing failed attempts should be that restrictive.

This affects the following service endpoints:

DELETE /admin/realms/{realm}/attack-detection/brute-force/usernames/{username}
DELETE /admin/realms/{realm}/attack-detection/brute-force/usernames

We would like to enable callcenter agents to unlock specific users, but giving them realm-management permissions doesn't feel right. Wouldn't user-management be the more appropriate permission for these endpoints, or are there side effects to consider?

Thanks,
Gregor

From sthorger at redhat.com Fri Nov 27 03:58:35 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 27 Nov 2015 09:58:35 +0100
Subject: [keycloak-user] Required roles for clearing login failure counts
In-Reply-To:
References:
Message-ID:

I agree it should be manage-users. JIRA please.

One caveat: at the moment manage-users allows a user to assign the admin role to himself, as there are no restrictions on what roles can be assigned to users. This is something we're looking at improving, hopefully for 1.8.

On 27 November 2015 at 09:53, Gregor Tudan wrote:
> [...]
From bystrik.horvath at gmail.com Fri Nov 27 05:08:39 2015
From: bystrik.horvath at gmail.com (Bystrik Horvath)
Date: Fri, 27 Nov 2015 11:08:39 +0100
Subject: [keycloak-user] Limiting the admin REST API
Message-ID:

Hello everyone,

I would like to limit the functionality of the admin REST API to the calling user/application. The motivation is not to expose the "internals" of Keycloak and to put some logic between the calling app and the admin REST API.

My idea was to create a simple web application deployed on the Keycloak server that belongs to the same realm as the calling application and the realm-management application. Would you recommend that approach? Or is there anything more suitable (e.g. implement it as a Keycloak valve, etc.)?

Thank you for your opinions.

Best regards,
Bystrik
From sthorger at redhat.com Fri Nov 27 06:03:41 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 27 Nov 2015 12:03:41 +0100
Subject: [keycloak-user] Limiting the admin REST API
In-Reply-To:
References:
Message-ID:

In that case I'd say you should rather not deploy the admin endpoints at all and instead add your own custom endpoints.

On 27 November 2015 at 11:08, Bystrik Horvath wrote:
> [...]

From sthorger at redhat.com Fri Nov 27 06:04:24 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 27 Nov 2015 12:04:24 +0100
Subject: [keycloak-user] Limiting the admin REST API
In-Reply-To:
References:
Message-ID:

Pressed send too early. We are planning to add an SPI to allow deploying your own REST endpoints. Once we have that we can also add an option to disable the admin endpoints, although the Keycloak admin console wouldn't work anymore.
On 27 November 2015 at 12:03, Stian Thorgersen wrote:
> [...]

From sthorger at redhat.com Fri Nov 27 06:05:02 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 27 Nov 2015 12:05:02 +0100
Subject: [keycloak-user] Limiting the admin REST API
In-Reply-To:
References:
Message-ID:

Another option is that you use scope to prevent this. I imagine you will want to have a separate set of roles for your calling app in either case, in which case you make sure that you limit the scope of the clients.

On 27 November 2015 at 12:04, Stian Thorgersen wrote:
> [...]
From bystrik.horvath at gmail.com Fri Nov 27 06:19:20 2015
From: bystrik.horvath at gmail.com (Bystrik Horvath)
Date: Fri, 27 Nov 2015 12:19:20 +0100
Subject: [keycloak-user] Fwd: Limiting the admin REST API
In-Reply-To:
References:
Message-ID:

Forgot to reply to all ;-)

---------- Forwarded message ----------
From: Bystrik Horvath
Date: Fri, Nov 27, 2015 at 12:18 PM
Subject: Re: [keycloak-user] Limiting the admin REST API
To: stian at redhat.com

Hi Stian,

thank you for the answer. A custom endpoint would be the nicer option for me, as I would like to, e.g., let the calling application use its own set of user attributes (e.g. name of the university) and remap them onto custom attributes of the user representation.
Is there any way to add my own endpoint to Keycloak (while the SPI is not ready for that option)?

Best regards,
Bystrik

On Fri, Nov 27, 2015 at 12:05 PM, Stian Thorgersen wrote:
> [...]
From sthorger at redhat.com Fri Nov 27 06:23:31 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 27 Nov 2015 12:23:31 +0100
Subject: [keycloak-user] Fwd: Limiting the admin REST API
In-Reply-To:
References:
Message-ID:

Without the SPI you'd have to fork the code. Adding the endpoint wouldn't be too hard though.

On 27 November 2015 at 12:19, Bystrik Horvath wrote:
> [...]
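The two threads above describe the same pattern from two sides: Gregor wants call-centre agents to clear a user's brute-force lockout without holding realm-management (and Stian notes that even manage-users currently lets a holder assign the admin role to himself), and Bystrik wants his own endpoint between the calling application and the admin REST API so that only the operations he chooses are reachable. The following is an added example, not code from Keycloak or from anyone in the thread. It sketches such a facade: the caller's own role (the name "callcenter" is assumed) gates a single operation, the facade holds the service-account token that carries manage-users and never hands it to the caller, and the only admin URL it can ever issue is the DELETE endpoint quoted in Gregor's mail. The realm name, base URL, token value and the FakeAdminApi transport are constructed so the example runs offline.

```python
"""Least-privilege facade in front of the Keycloak admin REST API.

Added example (not Keycloak's code). A caller with the facade's own role may
clear one user's login-failure count; nothing else on the admin API is
reachable through the facade, so the manage-users privilege of the service
account (for instance the ability to change role mappings) is not exposed.
"""
from dataclasses import dataclass, field
from urllib.parse import quote

# Endpoint from Gregor's mail; {realm} and {username} are filled per call.
UNLOCK_PATH = "/admin/realms/{realm}/attack-detection/brute-force/usernames/{username}"


@dataclass
class FakeAdminApi:
    """Constructed stand-in for Keycloak's admin REST API.

    It records each request the facade issues instead of sending HTTP, so a
    test can verify that only the unlock endpoint is ever called.
    """
    calls: list = field(default_factory=list)

    def delete(self, url, headers):
        self.calls.append((url, headers.get("Authorization", "")))
        return 204  # assumed success status for the DELETE


@dataclass
class UnlockFacade:
    realm: str                 # assumed realm name, e.g. "demo"
    admin_api: object          # real HTTP client in production, FakeAdminApi here
    service_token: str         # bearer token of a service account holding manage-users
    base_url: str = "http://keycloak.example/auth"   # assumed server URL
    required_role: str = "callcenter"                # assumed facade role
    audit: list = field(default_factory=list)        # who unlocked whom, or was denied

    def unlock_user(self, caller, caller_roles, username):
        """Clear the brute-force failure count for one username.

        caller_roles come from the caller's already verified token (the
        adapter in front of the facade does that). Returns (status, message).
        """
        if self.required_role not in caller_roles:
            self.audit.append(("denied", caller, username))
            return 403, "caller lacks role %r" % self.required_role
        if not username or len(username) > 255:
            return 400, "invalid username"
        # Percent-encode the username so a value like "../users" stays a
        # literal username and cannot select a different admin resource.
        path = UNLOCK_PATH.format(realm=self.realm, username=quote(username, safe=""))
        status = self.admin_api.delete(
            self.base_url + path,
            headers={"Authorization": "Bearer " + self.service_token},
        )
        self.audit.append(("unlocked" if status == 204 else "failed", caller, username))
        return status, "cleared login failures for %s" % username

    def handle(self, method, path, caller, caller_roles):
        """Tiny router: the facade exposes exactly one route, DELETE /unlock/<user>."""
        prefix = "/unlock/"
        if method == "DELETE" and path.startswith(prefix):
            return self.unlock_user(caller, caller_roles, path[len(prefix):])
        return 404, "not exposed"


if __name__ == "__main__":
    api = FakeAdminApi()
    facade = UnlockFacade(realm="demo", admin_api=api, service_token="svc-token")
    print(facade.handle("DELETE", "/unlock/alice", "agent1", {"callcenter"}))
    print(facade.handle("DELETE", "/unlock/alice", "bob", {"user"}))
    print(facade.handle("GET", "/admin/realms/demo/users", "agent1", {"callcenter"}))
    print(api.calls)
    print(facade.audit)
```

The point of the design is that authorization happens twice and in different places: Keycloak checks the service account's manage-users role on the admin endpoint, while the facade checks the caller's far narrower role and decides which single operation that role unlocks. The audit list is what an operations team would want to see when a lockout is cleared by a human.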
From Frank.vanVeen at planonsoftware.com Fri Nov 27 06:51:40 2015
From: Frank.vanVeen at planonsoftware.com (Frank van Veen)
Date: Fri, 27 Nov 2015 12:51:40 +0100
Subject: [keycloak-user] Downloads are gone
Message-ID: <16DCFFB91025EF4DB80D3ECCA6E097E492503380AA@NL-MAIL02.planon-fm.com>

Hi,

It seems like the website has issues. I wanted to download an older version of Keycloak, but all downloads are gone.

Sincerely,
Frank van Veen

From bruno at abstractj.org Fri Nov 27 06:57:35 2015
From: bruno at abstractj.org (Bruno Oliveira)
Date: Fri, 27 Nov 2015 09:57:35 -0200
Subject: [keycloak-user] Downloads are gone
In-Reply-To: <16DCFFB91025EF4DB80D3ECCA6E097E492503380AA@NL-MAIL02.planon-fm.com>
References: <16DCFFB91025EF4DB80D3ECCA6E097E492503380AA@NL-MAIL02.planon-fm.com>
Message-ID:

Seems like there's some problem with the archive website, but you can find the older versions here: http://sourceforge.net/projects/keycloak/files/?source=navbar

On Fri, Nov 27, 2015 at 9:51 AM, Frank van Veen wrote:
> [...]
From sthorger at redhat.com Fri Nov 27 07:03:57 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 27 Nov 2015 13:03:57 +0100
Subject: [keycloak-user] Downloads are gone
In-Reply-To:
References: <16DCFFB91025EF4DB80D3ECCA6E097E492503380AA@NL-MAIL02.planon-fm.com>
Message-ID:

Looking at it now.

On 27 November 2015 at 12:57, Bruno Oliveira wrote:
> [...]

From kalc04 at gmail.com Fri Nov 27 07:19:07 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Fri, 27 Nov 2015 17:49:07 +0530
Subject: [keycloak-user] How to enable Infinispan cache for realms, users and user sessions in Keycloak 1.6.1?
In-Reply-To:
References:
Message-ID:

Hi Stian,

As per the migration guide, I should have Infinispan up and running for realms, users and user sessions without doing any specific changes.
keycloak-server.json was reverted back to have the following entries:

...
"realm": {
    "provider": "infinispan"
},

"user": {
    "provider": "infinispan"
},

"userSessionPersister": {
    "provider": "infinispan"
},
...

In the Admin Console I have both Realm Cache and User Cache enabled. I see certain Infinispan related logs getting logged as well.

However, at the same time, I see MySQL queries getting executed for all user retrieval API invocations (even if the same user is retrieved continuously):

...
select userentity0_.ID as ID1_42_, userentity0_.CREATED_TIMESTAMP as CREATED_2_42_, userentity0_.EMAIL as EMAIL3_42_, userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_42_, userentity0_.EMAIL_VERIFIED as EMAIL_VE5_42_, userentity0_.ENABLED as ENABLED6_42_, userentity0_.federation_link as federati7_42_, userentity0_.FIRST_NAME as FIRST_NA8_42_, userentity0_.LAST_NAME as LAST_NAM9_42_, userentity0_.REALM_ID as REALM_I10_42_, userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE11_42_, userentity0_.TOTP as TOTP12_42_, userentity0_.USERNAME as USERNAM13_42_ from USER_ENTITY userentity0_ where userentity0_.ID='55ffe851-2d94-460e-88b9-bc7340531b56' and userentity0_.REALM_ID='xxxxx'
...

So it seems something is wrong here. Could you point out any areas that I could further look into?

Regards,
Lohitha.

On Thu, Nov 26, 2015 at 7:58 PM, Stian Thorgersen wrote:
> Please read the migration guide
>
> On 26 November 2015 at 14:53, Lohitha Chiranjeewa wrote:
>
>> Hi,
>>
>> We're in the process of assessing the impact of upgrading from Keycloak
>> 1.2.0 to 1.6.1. We came across an issue when trying to enable the Infinispan
>> cache through the keycloak-server.json file as we used to do in 1.2.0.
>>
>> We have the following entries in 1.6.1:
>> "realm": {
>>     "provider": "infinispan"
>> },
>>
>> "user": {
>>     "provider": "infinispan"
>> },
>>
>> "userSessionPersister": {
>>     "provider": "infinispan"
>> },
>> .........
>> "connectionsInfinispan": {
>>     "default" : {
>>         "cacheContainer" : "java:comp/env/infinispan/Keycloak"
>>     }
>> }
>>
>> All configurations in the 1.6.1 standalone-ha.xml file remain comparable
>> (and correct to the best of our knowledge) with the ones in 1.2.0.
>>
>> With the above configs, when we start the Keycloak service the following
>> error(s) get logged:
>>
>> 18:03:31,610 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 64) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
>>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) [rt.jar:1.7.0_45]
>>     at java.util.concurrent.FutureTask.run(FutureTask.java:262) [rt.jar:1.7.0_45]
>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_45]
>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_45]
>>     at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_45]
>>     at org.jboss.threads.JBossThread.run(JBossThread.java:320) [jboss-threads-2.2.0.Final.jar:2.2.0.Final]
>> Caused by: java.lang.RuntimeException: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>>     at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:160)
>>     at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2211)
>>     at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:295)
>>     at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:236)
>>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112)
>>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
>>     at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
>>     at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
>>     at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
>>     at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:230)
>>     at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:131)
>>     at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:511)
>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
>>     ... 6 more
>> Caused by: java.lang.RuntimeException: Failed to find provider infinispan for realm
>>     at org.keycloak.services.DefaultKeycloakSessionFactory.init(DefaultKeycloakSessionFactory.java:66)
>>     at org.keycloak.services.resources.KeycloakApplication.createSessionFactory(KeycloakApplication.java:162)
>>     at org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:62)
>>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) [rt.jar:1.7.0_45]
>>     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) [rt.jar:1.7.0_45]
>>     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) [rt.jar:1.7.0_45]
>>     at java.lang.reflect.Constructor.newInstance(Constructor.java:526) [rt.jar:1.7.0_45]
>>     at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:148)
>>     ... 19 more
>>
>> Is the new way to enable Infinispan different to what we had earlier? If
>> so, can someone please point out the correct way?
>>
>> Regards,
>> Lohitha.

From kalc04 at gmail.com Fri Nov 27 07:20:28 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Fri, 27 Nov 2015 17:50:28 +0530
Subject: [keycloak-user] How to enable Infinispan cache for realms, users and user sessions in Keycloak 1.6.1?
In-Reply-To:
References:
Message-ID:

Apologies, the keycloak-server.json entries should change to:

"realm": {
    "provider": "jpa"
},

"user": {
    "provider": "jpa"
},

"userSessionPersister": {
    "provider": "jpa"
},

On Fri, Nov 27, 2015 at 5:49 PM, Lohitha Chiranjeewa wrote:
> [...]
From sthorger at redhat.com Fri Nov 27 07:22:51 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 27 Nov 2015 13:22:51 +0100
Subject: [keycloak-user] How to enable Infinispan cache for realms, users and user sessions in Keycloak 1.6.1?
In-Reply-To:
References:
Message-ID:

Yup, so it's working now?
On 27 November 2015 at 13:20, Lohitha Chiranjeewa wrote:
> Apologies, keycloak-server.json entries should change to:
>
> "realm": {
>   "provider": "jpa"
> },
>
> "user": {
>   "provider": "jpa"
> },
>
> "userSessionPersister": {
>   "provider": "jpa"
> },
>
> On Fri, Nov 27, 2015 at 5:49 PM, Lohitha Chiranjeewa wrote:
>
>> Hi Stian,
>>
>> As per the migration guide, I should have Infinispan up and running for
>> realms, users and user sessions without doing any specific changes.
>> keycloak-server.json was reverted back to have the following entries:
>> ...
>> "realm": {
>>   "provider": "infinispan"
>> },
>>
>> "user": {
>>   "provider": "infinispan"
>> },
>>
>> "userSessionPersister": {
>>   "provider": "infinispan"
>> },
>> ...
>>
>> In the Admin Console I have both Realm Cache and User Cache enabled. I
>> see certain Infinispan related logs getting logged as well.
>>
>> However, at the same time, I see MySQL queries getting executed for all
>> user retrieval API invocations (even if the same user is retrieved
>> continuously):
>> ...
>> select userentity0_.ID as ID1_42_, userentity0_.CREATED_TIMESTAMP as CREATED_2_42_,
>> userentity0_.EMAIL as EMAIL3_42_, userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_42_,
>> userentity0_.EMAIL_VERIFIED as EMAIL_VE5_42_, userentity0_.ENABLED as ENABLED6_42_,
>> userentity0_.federation_link as federati7_42_, userentity0_.FIRST_NAME as FIRST_NA8_42_,
>> userentity0_.LAST_NAME as LAST_NAM9_42_, userentity0_.REALM_ID as REALM_I10_42_,
>> userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE11_42_, userentity0_.TOTP as TOTP12_42_,
>> userentity0_.USERNAME as USERNAM13_42_
>> from USER_ENTITY userentity0_
>> where userentity0_.ID='55ffe851-2d94-460e-88b9-bc7340531b56' and userentity0_.REALM_ID='xxxxx'
>> ...
>>
>> So it seems something is wrong here. Could you point out any areas that I
>> could further look into?
>>
>> Regards,
>> Lohitha.
>>
>> On Thu, Nov 26, 2015 at 7:58 PM, Stian Thorgersen wrote:
>>
>>> Please read the migration guide
>>>
>>> On 26 November 2015 at 14:53, Lohitha Chiranjeewa wrote:
>>>
>>>> Hi,
>>>>
>>>> We're in the process of assessing the impact of upgrading from Keycloak
>>>> 1.2.0 to 1.6.1. We came across an issue when trying to enable Infinispan
>>>> cache through the keycloak-server.json file as we used to do in 1.2.0.
>>>>
>>>> We have the following entries in 1.6.1:
>>>> "realm": {
>>>>   "provider": "infinispan"
>>>> },
>>>>
>>>> "user": {
>>>>   "provider": "infinispan"
>>>> },
>>>>
>>>> "userSessionPersister": {
>>>>   "provider": "infinispan"
>>>> },
>>>> .........
>>>> "connectionsInfinispan": {
>>>>   "default" : {
>>>>     "cacheContainer" : "java:comp/env/infinispan/Keycloak"
>>>>   }
>>>> }
>>>>
>>>> All configurations in the 1.6.1 standalone-ha.xml file remain comparable
>>>> (and correct to the best of our knowledge) with the ones in 1.2.0.
>>>>
>>>> With the above configs, when we start the Keycloak service the
>>>> following error(s) get logged:
>>>>
>>>> 18:03:31,610 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 64) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>>>> at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
>>>> at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) [rt.jar:1.7.0_45]
>>>> at java.util.concurrent.FutureTask.run(FutureTask.java:262) [rt.jar:1.7.0_45]
>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_45]
>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_45]
>>>> at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_45]
>>>> at org.jboss.threads.JBossThread.run(JBossThread.java:320) [jboss-threads-2.2.0.Final.jar:2.2.0.Final]
>>>> Caused by: java.lang.RuntimeException: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>>>> at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:160)
>>>> at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2211)
>>>> at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:295)
>>>> at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:236)
>>>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112)
>>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
>>>> at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
>>>> at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
>>>> at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
>>>> at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:230)
>>>> at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:131)
>>>> at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:511)
>>>> at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
>>>> at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
>>>> ... 6 more
>>>> Caused by: java.lang.RuntimeException: Failed to find provider infinispan for realm
>>>> at org.keycloak.services.DefaultKeycloakSessionFactory.init(DefaultKeycloakSessionFactory.java:66)
>>>> at org.keycloak.services.resources.KeycloakApplication.createSessionFactory(KeycloakApplication.java:162)
>>>> at org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:62)
>>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) [rt.jar:1.7.0_45]
>>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) [rt.jar:1.7.0_45]
>>>> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) [rt.jar:1.7.0_45]
>>>> at java.lang.reflect.Constructor.newInstance(Constructor.java:526) [rt.jar:1.7.0_45]
>>>> at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:148)
>>>> ... 19 more
>>>>
>>>> Is the new way to enable Infinispan different to what we had earlier?
>>>> If so, can someone please point out the correct way?
>>>>
>>>> Regards,
>>>> Lohitha.
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>

From sthorger at redhat.com Fri Nov 27 07:45:03 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 27 Nov 2015 13:45:03 +0100
Subject: [keycloak-user] Downloads are gone
In-Reply-To:
References: <16DCFFB91025EF4DB80D3ECCA6E097E492503380AA@NL-MAIL02.planon-fm.com>
Message-ID:

Downloads are fixed

On 27 November 2015 at 13:03, Stian Thorgersen wrote:
> Looking at it now
>
> On 27 November 2015 at 12:57, Bruno Oliveira wrote:
>
>> Seems like there's some problem with the archive website, but you can
>> find the older versions here
>> http://sourceforge.net/projects/keycloak/files/?source=navbar
>>
>> On Fri, Nov 27, 2015 at 9:51 AM, Frank van Veen wrote:
>> > Hi,
>> >
>> > It seems like the website has issues. I wanted to download an older version
>> > of keycloak, but all downloads are gone.
>> >
>> > Sincerely,
>> >
>> > Frank van Veen
>> >
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From kalc04 at gmail.com Fri Nov 27 08:04:47 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Fri, 27 Nov 2015 18:34:47 +0530
Subject: [keycloak-user] How to enable Infinispan cache for realms, users and user sessions in Keycloak 1.6.1?
In-Reply-To:
References:
Message-ID:

What I mean is, if it were working, I shouldn't see mysql queries getting
executed, right? So my guess is data is still fetched from the db instead of
the cache.

On Nov 27, 2015 5:52 PM, "Stian Thorgersen" wrote:
> Yup, so it's working now?
>
> [earlier messages in this thread, quoted in full above, omitted]

From sthorger at redhat.com Fri Nov 27 08:18:30 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 27 Nov 2015 14:18:30 +0100
Subject: [keycloak-user] How to enable Infinispan cache for realms, users and user sessions in Keycloak 1.6.1?
In-Reply-To:
References:
Message-ID:

Things are still fetched from MySQL. Realms, clients, users, etc.
are then kept in the cache, but if it changes it's re-loaded from MySQL. We use
an invalidation cache, not a distributed cache.

On 27 November 2015 at 14:04, Lohitha Chiranjeewa wrote:
> What I mean is, if it were working, I shouldn't see mysql queries getting
> executed, right? So my guess is data is still fetched from the db instead of
> the cache.
>
> On Nov 27, 2015 5:52 PM, "Stian Thorgersen" wrote:
>
>> Yup, so it's working now?
>>
>> [earlier messages in this thread, quoted in full above, omitted]

From kalc04 at gmail.com Fri Nov 27 09:23:58 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Fri, 27 Nov 2015 19:53:58 +0530
Subject: [keycloak-user] How to enable Infinispan cache for realms, users and user sessions in Keycloak 1.6.1?
In-Reply-To:
References:
Message-ID:

Yes Stian, that I understand.
But the problem here is even if I execute continuous user retrieval calls
(same user - no other functionality in between), still MySQL select queries
get executed for each call. So there lies an issue, isn't it?

On Fri, Nov 27, 2015 at 6:48 PM, Stian Thorgersen wrote:
> Things are still fetched from MySQL. Realms, clients, users, etc. are
> then kept in the cache, but if it changes it's re-loaded from MySQL. We use
> an invalidation cache, not a distributed cache.
>
> On 27 November 2015 at 14:04, Lohitha Chiranjeewa wrote:
>
>> What I mean is, if it were working, I shouldn't see mysql queries getting
>> executed, right? So my guess is data is still fetched from the db instead of
>> the cache.
>>
>> [earlier messages in this thread, quoted in full above, omitted]

From sthorger at redhat.com Fri Nov 27 09:33:00 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 27 Nov 2015 15:33:00 +0100
Subject: [keycloak-user] How to enable Infinispan cache for realms, users and user sessions in Keycloak 1.6.1?
Strange - what are you doing and what are the SQL queries?

On 27 November 2015 at 15:23, Lohitha Chiranjeewa wrote:
> Yes Stian, that I understand. But the problem here is even if I execute continuous user retrieval calls (same user - no other functionality in between), still MySQL select queries get executed for each call. So there lies an issue, isn't it?
>
> On Fri, Nov 27, 2015 at 6:48 PM, Stian Thorgersen wrote:
>
>> Things are still fetched from MySQL. Realms, clients, users, etc. are then kept in the cache, but if it changes it's re-loaded from MySQL. We use an invalidation cache, not a distributed cache.
>>
>> On 27 November 2015 at 14:04, Lohitha Chiranjeewa wrote:
>>
>>> What I mean is, if it were working, I shouldn't see mysql queries getting executed, right? So my guess is data is still fetched from the db instead of the cache.
>>> On Nov 27, 2015 5:52 PM, "Stian Thorgersen" wrote:
>>>
>>>> Yup, so it's working now?
>>>>
>>>> On 27 November 2015 at 13:20, Lohitha Chiranjeewa wrote:
>>>>
>>>>> Apologies, keycloak-server.json entries should change to:
>>>>>
>>>>>     "realm": {
>>>>>         "provider": "jpa"
>>>>>     },
>>>>>
>>>>>     "user": {
>>>>>         "provider": "jpa"
>>>>>     },
>>>>>
>>>>>     "userSessionPersister": {
>>>>>         "provider": "jpa"
>>>>>     },
>>>>>
>>>>> On Fri, Nov 27, 2015 at 5:49 PM, Lohitha Chiranjeewa wrote:
>>>>>
>>>>>> Hi Stian,
>>>>>>
>>>>>> As per the migration guide, I should have Infinispan up and running for realms, users and user sessions without doing any specific changes. keycloak-server.json was reverted back to have the following entries:
>>>>>> ...
>>>>>>     "realm": {
>>>>>>         "provider": "infinispan"
>>>>>>     },
>>>>>>
>>>>>>     "user": {
>>>>>>         "provider": "infinispan"
>>>>>>     },
>>>>>>
>>>>>>     "userSessionPersister": {
>>>>>>         "provider": "infinispan"
>>>>>>     },
>>>>>> ...
>>>>>>
>>>>>> In the Admin Console I have both Realm Cache and User Cache enabled. I see certain Infinispan related logs getting logged as well.
>>>>>>
>>>>>> However, at the same time, I see MySQL queries getting executed for all user retrieval API invocations (even if the same user is retrieved continuously):
>>>>>> ...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151127/b4beb0be/attachment.html

From ado.boj.83 at gmail.com Fri Nov 27 10:09:16 2015
From: ado.boj.83 at gmail.com (Andrej Prievalsky)
Date: Fri, 27 Nov 2015 16:09:16 +0100
Subject: [keycloak-user] Can not logout from demo broker
References: <865106505.776723.1446459238266.JavaMail.yahoo@mail.yahoo.com> <56376C33.4010305@redhat.com>

Hi all,

I went through Marko's instructions and, as I already wrote him, the result is now successful.

Now I am in a state where under /opt/ I have 2 subdirectories:
- wildfly-9.0.1.Final
- keycloak (unzipped from keycloak-demo-1.3.1.Final.zip)

In wildfly-9.0.1.Final/domain/configuration/domain-modify.xml we have our modified domain.xml which runs with our modified "ha" profile and our groups and servers.
In keycloak/domain/configuration/domain.xml the configuration for keycloak is set in the "ha" profile.
Now I can switch between wildfly and keycloak.
But in future I would like to incorporate keycloak inside our domain-modify.xml.

Last time you wrote me that keycloak-overlay has to run with
- keycloak-wf9-adapter-dist.zip.
Should I use keycloak-overlay with the adapter to merge my wildfly with keycloak-overlay, or should I merge domain-modify.xml and domain.xml?

On Mon, Nov 9, 2015 at 10:07 AM, Marko Strukelj wrote:
> If you use keycloak-overlay, or keycloak-server dist then if you want to follow the above instructions to the letter, you also have to download and unpack keycloak-wf9-adapter-dist.zip.
>
> The point of this exercise is to get things up and running with as few steps as possible to reduce the number of things that can go wrong since you've been having a great deal of problems with it, and it seems like your problems are the result of your particular way of wanting to set it up.
>
> The point here is to show you that Keycloak server can be set up in domain mode, and it works. Apparently it's been impossible for us to determine the exact issue with your current set up, based on the information you have provided, apart from the fact that Keycloak doesn't seem to be initialised for you which is inconsistent with the configuration you have provided.
>
> If you think there is something wrong with Keycloak then the only way for us to do anything about it at this point is for you to create exact instructions to reproduce the problem.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151127/57eb3aa6/attachment-0001.html

From kalc04 at gmail.com Fri Nov 27 10:12:10 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Fri, 27 Nov 2015 20:42:10 +0530
Subject: [keycloak-user] How to enable Infinispan cache for realms, users and user sessions in Keycloak 1.6.1?

I'm invoking the following API call:
https://{host}/auth/admin/realms/xxxxx/users/55ffe851-2d94-460e-88b9-bc7340531b56
(same realm and user ID over and over again). The two HA server(s) are idle apart from serving those calls.
And I'm seeing the following SQL getting logged in my MySQL log for each and every call:

select userentity0_.ID as ID1_42_, userentity0_.CREATED_TIMESTAMP as CREATED_2_42_,
userentity0_.EMAIL as EMAIL3_42_, userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_42_,
userentity0_.EMAIL_VERIFIED as EMAIL_VE5_42_, userentity0_.ENABLED as ENABLED6_42_,
userentity0_.federation_link as federati7_42_, userentity0_.FIRST_NAME as FIRST_NA8_42_,
userentity0_.LAST_NAME as LAST_NAM9_42_, userentity0_.REALM_ID as REALM_I10_42_,
userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE11_42_, userentity0_.TOTP as TOTP12_42_,
userentity0_.USERNAME as USERNAM13_42_
from USER_ENTITY userentity0_
where userentity0_.ID='55ffe851-2d94-460e-88b9-bc7340531b56' and userentity0_.REALM_ID='xxxxx'

On Fri, Nov 27, 2015 at 8:03 PM, Stian Thorgersen wrote:
> Strange - what are you doing and what are the SQL queries?
>
> On 27 November 2015 at 15:23, Lohitha Chiranjeewa wrote:
>
>> Yes Stian, that I understand. But the problem here is even if I execute continuous user retrieval calls (same user - no other functionality in between), still MySQL select queries get executed for each call. So there lies an issue, isn't it?
>>
>> On Fri, Nov 27, 2015 at 6:48 PM, Stian Thorgersen wrote:
>>
>>> Things are still fetched from MySQL. Realms, clients, users, etc. are then kept in the cache, but if it changes it's re-loaded from MySQL. We use an invalidation cache, not a distributed cache.
>>> ...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151127/b6322df0/attachment.html

From adrianmatei at gmail.com Fri Nov 27 11:19:21 2015
From: adrianmatei at gmail.com (Adrian Matei)
Date: Fri, 27 Nov 2015 17:19:21 +0100
Subject: [keycloak-user] Sign In button URL

hi guys,

can anyone still help a poor guy on a Friday afternoon?

What is the URL I need to have the sign in button pointing to, in my Spring web app, that will ask me to login via keycloak and redirect me back exactly to the page I made the request from?

Thanks,
Adrian
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151127/4929697e/attachment-0001.html

From mstrukel at redhat.com Fri Nov 27 11:48:13 2015
From: mstrukel at redhat.com (Marko Strukelj)
Date: Fri, 27 Nov 2015 17:48:13 +0100
Subject: [keycloak-user] Can not logout from demo broker
References: <865106505.776723.1446459238266.JavaMail.yahoo@mail.yahoo.com> <56376C33.4010305@redhat.com>

On Fri, Nov 27, 2015 at 4:09 PM, Andrej Prievalsky wrote:
> Hi all,
>
> I went through Marko's instructions and, as I already wrote him, the result is now successful.
>
> Now I am in a state where under /opt/ I have 2 subdirectories:
> - wildfly-9.0.1.Final
> - keycloak (unzipped from keycloak-demo-1.3.1.Final.zip)
>
> In wildfly-9.0.1.Final/domain/configuration/domain-modify.xml we have our modified domain.xml which runs with our modified "ha" profile and our groups and servers.
> In keycloak/domain/configuration/domain.xml the configuration for keycloak is set in the "ha" profile.
> Now I can switch between wildfly and keycloak.
> But in future I would like to incorporate keycloak inside our domain-modify.xml.
>
> Last time you wrote me that keycloak-overlay has to run with
> - keycloak-wf9-adapter-dist.zip.
> Should I use keycloak-overlay with the adapter to merge my wildfly with keycloak-overlay, or should I merge domain-modify.xml and domain.xml?
>

Keycloak-overlay provides you with the server bits. For the server you have two alternatives - download the server distribution which comes packaged with the latest Wildfly (9.0.2.Final at the moment), or use your existing Wildfly 9.0.2.Final and install the keycloak server overlay into it. That's how you get a server.

If you want to deploy your applications to that same wildfly instance, and protect them with Keycloak, then you need to install keycloak-wf9-adapter-dist and adjust the configuration to activate the wildfly adapter subsystem.

Keycloak-demo dist already contains both server and adapter bits, so you don't need the server overlay, nor the adapter download.

The answer to your question is: no, it doesn't need keycloak-wf9-adapter-dist; yes, use the overlay with wildfly-9.0.2; yes, use the adapter download with your wildfly-9.0.2 running the applications you want to protect; and it doesn't matter what the domain.xml file is called as long as the profile you're using has the server subsystems configured, and (if you also want to use it to run your applications) the adapter subsystem configured.

> On Mon, Nov 9, 2015 at 10:07 AM, Marko Strukelj wrote:
>
>> If you use keycloak-overlay, or keycloak-server dist then if you want to follow the above instructions to the letter, you also have to download and unpack keycloak-wf9-adapter-dist.zip.
>>
>> The point of this exercise is to get things up and running with as few steps as possible to reduce the number of things that can go wrong since you've been having a great deal of problems with it, and it seems like your problems are the result of your particular way of wanting to set it up.
>>
>> The point here is to show you that Keycloak server can be set up in domain mode, and it works.
>> Apparently it's been impossible for us to determine the exact issue with your current set up, based on the information you have provided, apart from the fact that Keycloak doesn't seem to be initialised for you which is inconsistent with the configuration you have provided.
>>
>> If you think there is something wrong with Keycloak then the only way for us to do anything about it at this point is for you to create exact instructions to reproduce the problem.
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151127/2ee2c67e/attachment.html

From bburke at redhat.com Fri Nov 27 13:02:32 2015
From: bburke at redhat.com (Bill Burke)
Date: Fri, 27 Nov 2015 13:02:32 -0500
Subject: [keycloak-user] Sign In button URL
Message-ID: <56589AB8.5030708@redhat.com>

How is your Spring web app handling OpenID Connect or SAML requests/responses? We do have a Spring Security adapter.

Initial OAuth2 request:
/realms/{realm-name}/protocol/openid-connect/auth

Code to Token request:
/realms/{realm-name}/protocol/openid-connect/token

On 11/27/2015 11:19 AM, Adrian Matei wrote:
> hi guys,
>
> can anyone still help a poor guy on a Friday afternoon?
>
> What is the URL I need to have the sign in button pointing to, in my Spring web app, that will ask me to login via keycloak and redirect me back exactly to the page I made the request from?
>
> Thanks,
> Adrian
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From jahenao at itroisolutions.com Fri Nov 27 17:49:04 2015
From: jahenao at itroisolutions.com (Jairo Alonso Henao Rojas)
Date: Fri, 27 Nov 2015 22:49:04 +0000
Subject: [keycloak-user] How to validate required for custom fields
In-Reply-To: <564C4FD2.2020203@redhat.com>
References: <564C4FD2.2020203@redhat.com>

Thanks, I was following the user guide but my problem was another one: in section 33.5.2 - 'Packaging the action', it says the JAR file must contain a file called 'org.keycloak.authentication.ForActionFactory'. The correct file name is 'org.keycloak.authentication.FormActionFactory'; this is a mistake in the guide. Now this works for me.

Jairo Henao Rojas
IT ROI Solutions

From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Wednesday, November 18, 2015 5:16 AM
To: Jairo Alonso Henao Rojas ; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How to validate required for custom fields

You can create a custom validator for the registration form via the Authentication Flows SPI: http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html#d4e3448 .

Adding those custom validations works just for the registration form, but not for the account management or update-profile pages. In the future, we plan to improve this so that you can attach custom validation in all 3 places and you won't need to code your own validator to support such a common thing as marking some custom field as mandatory.

Marek

On 13/11/15 00:04, Jairo Alonso Henao Rojas wrote:
Hello,

I added several custom fields in the registration form; how can I make them required? See attached fields in register form.
Thanks Jairo Henao Rojas From DSzeto at investlab.com Fri Nov 27 21:54:02 2015 From: DSzeto at investlab.com (Doug Szeto) Date: Sat, 28 Nov 2015 02:54:02 +0000 Subject: [keycloak-user] Theme Resources Urls Message-ID: Hi, I have created a custom theme as specified in your docs here: http://keycloak.github.io/docs/userguide/keycloak-server/html/themes.html It functions in the browser, in that these configs tell you where the theme customization resources are stored locally, but the end result is the resources are served from the url format pattern of: http://localhost:8080/auth/resources/1.6.1.final/login/keycloak/css/login.css Is there a way to customize the theme url format to scrub the version number off the css/image/js resources? This will help out in monitoring and upgrades. Thanks, --Doug From srossillo at smartling.com Sun Nov 29 19:22:23 2015 From: srossillo at smartling.com (Scott Rossillo) Date: Sun, 29 Nov 2015 19:22:23 -0500 Subject: [keycloak-user] Mobile SSO - web browser + native iOS In-Reply-To: References: Message-ID: If you're able to use OpenID Connect, this should be easy. Create a client in Keycloak for your native iOS App. Use offline tokens. Register your redirect scheme with Keycloak as myapp://foo or whatever makes sense. If the user is logged into the mobile app, on first redirect to the native client, the user shouldn't see the login screen since they're already logged in. Your App will get an offline token. This way, if the user enters the iOS app directly again - even days later - they'll already be logged in via the offline token. I don't think you need any changes in Keycloak to support this flow.
Best, Scott Scott Rossillo Smartling | Senior Software Engineer srossillo at smartling.com > On Nov 26, 2015, at 6:26 AM, Bruno Oliveira wrote: > > Months ago we had such a requirement for FeedHenry. The fact is that SAML 2.0 is not mobile friendly, due to the multiple redirects between SP, IdP and the Web Browser. > > > The best you can do, like already mentioned by Stian, is to make use of OpenID or make use of Webviews. But with Webviews, you have to deal with the annoying login prompt every time. > > If you are interested in the work on it, take a look at: > > https://github.com/feedhenry-templates?utf8=%E2%9C%93&query=saml > > I hope it helps. > > On Thu, Nov 26, 2015 at 3:48 AM > wrote: > Dear All > > we have a situation where users have applications both html5 based web and > also native iOS apps accessing from iPads > > The requirement is that users access the web based application within an > iPad, which will be redirected to the Keycloak IDP server for login. > Once the user logs in, next time, if the same user just taps on the native app > within the same device, it should not again prompt for userid/password, > rather SSO takes care of it > > We need to design so that users can toggle back and forth among mobile > browser apps and mobile apps. > This is ideal for agents, sales reps, who need to switch quickly among > programs while on the go. > > Would like to know - is this something KeyCloak with SAML 2.0 supports out > of the box please? > > Thanks and Regards > Joseph > >
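The flow that Bill Burke's endpoint answer and Scott Rossillo's offline-token answer describe, as an added example that is not part of either message and is not the Keycloak Spring adapter's code. It builds the authorization request for the sign-in button, checks the callback, and builds the code-for-token and refresh-token requests, for a web client and for a native client registered with a custom scheme. Everything concrete in it is assumed: the server https://sso.example.com/auth, realm `demo`, client ids `spring-app` and `ios-app`, the secret and the redirect URIs. The `code_challenge` (PKCE, RFC 7636) is a later addition for public clients; a Keycloak of this list's vintage ignores the parameter, so it is harmless where unsupported. No network calls are made; the functions return the URLs and form bodies a client would send.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed deployment values (placeholders, not from the thread)
AUTH_SERVER = "https://sso.example.com/auth"
REALM = "demo"


def endpoint(name):
    # Endpoint layout from the reply: /realms/{realm}/protocol/openid-connect/{auth|token}
    return f"{AUTH_SERVER}/realms/{REALM}/protocol/openid-connect/{name}"


def query_params(url):
    """First value of each query parameter of `url` (helper for callers and tests)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def start_login(client_id, redirect_uri, return_to, pending, offline=False):
    """Authorization URL for the sign-in button.

    `return_to` (the page the user clicked from) is not placed in the URL or
    the redirect URI; it is stored in `pending` under a random `state`, so the
    callback can only send the user to a page this app chose, and the same
    `state` is the CSRF check on the way back. `offline=True` asks for an
    offline token (scope offline_access) for the native-app case.
    """
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)          # PKCE verifier, 43..128 chars
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    pending[state] = {"return_to": return_to, "verifier": verifier,
                      "redirect_uri": redirect_uri}
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid offline_access" if offline else "openid",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return endpoint("auth") + "?" + urlencode(params)


def finish_login(callback_url, client_id, client_secret, pending):
    """Validate the redirect back from Keycloak.

    Returns (return_to, token_request); token_request is the URL and form body
    to POST for the code-to-token step. Pass client_secret=None for a public
    (native) client: the PKCE verifier then proves possession of the code.
    """
    q = query_params(callback_url)
    if "error" in q:
        raise PermissionError(f"authorization failed: {q['error']}")
    ctx = pending.pop(q.get("state", ""), None)   # single use: a replay fails here
    if ctx is None:
        raise PermissionError("unknown or reused state")
    if not q.get("code"):
        raise PermissionError("no authorization code in callback")
    form = {
        "grant_type": "authorization_code",
        "code": q["code"],
        "redirect_uri": ctx["redirect_uri"],      # must equal the one sent in the request
        "client_id": client_id,
        "code_verifier": ctx["verifier"],
    }
    if client_secret is not None:
        form["client_secret"] = client_secret
    return ctx["return_to"], {"url": endpoint("token"), "form": form}


def refresh_request(client_id, refresh_token, client_secret=None):
    """Form body the native app POSTs when reopened days later: an offline
    token is a refresh token that outlives the SSO session, so this exchange
    returns a fresh access token without showing the login screen."""
    form = {"grant_type": "refresh_token", "refresh_token": refresh_token,
            "client_id": client_id}
    if client_secret is not None:
        form["client_secret"] = client_secret
    return {"url": endpoint("token"), "form": form}
```

The page to return to is never put in the redirect URI or the authorization URL; it lives server-side under a random, single-use `state`. That is what stops a forged callback from dropping the victim on an attacker-chosen page, and what makes a replayed callback fail instead of minting a second token.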
From parul.com at gmail.com Sun Nov 29 22:02:36 2015 From: parul.com at gmail.com (Arulkumar Ponnusamy) Date: Mon, 30 Nov 2015 08:32:36 +0530 Subject: [keycloak-user] Keycloak service provider Metadata support for SAML support Message-ID: Hi All, Does the Keycloak service provider support metadata? I don't find any reference document on this for Keycloak. There is no adapter which talks about metadata. Even I looked at the examples, and there are three examples which talk about POST, REDIRECT and encryption. Any reference document on Keycloak SAML Service provider Metadata? From parul.com at gmail.com Sun Nov 29 22:05:11 2015 From: parul.com at gmail.com (Arulkumar Ponnusamy) Date: Mon, 30 Nov 2015 08:35:11 +0530 Subject: [keycloak-user] Fwd: any reference document on Keycloak SAML SP configuration In-Reply-To: References: Message-ID: Thanks Bill. It worked. I am able to build and deploy the Keycloak service provider after correcting the dependency in pom.xml. On Thu, Nov 26, 2015 at 4:18 PM, Arulkumar Ponnusamy wrote: > Hi Stian, > > Do you mean SAML Identity Provider or Service Provider? With Keycloak, > Keycloak server is the Identity Provider and you configure/tweak it through > the admin console. > [Arul] I meant Service provider and not Identity provider. > > After some play with the web.xml, I am getting a different error, *java.lang.ClassNotFoundException: > org.keycloak.adapters.servlet.ServletHttpFacade. *I don't find this file > in the keycloak repository either. > > This file is used in the SAMLFilter class. Any idea whether this is a defect or > where I can find this.
> > > > On Thu, Nov 26, 2015 at 3:05 PM, Stian Thorgersen > wrote: > >> >> >> On 26 November 2015 at 09:28, Arulkumar Ponnusamy >> wrote: >> >>> Hi Stian, >>> Thanks for your response. Yes. I followed the same. I followed the >>> instruction of Chapter-7 Java servlet Filter Adapter. as specified I added >>> the SAMLFilter class in filter mapping of my web.xml. >>> >>> >> We have a few examples for SAML in our examples download. Did you look at >> those? >> >> >>> >>> In picketlink, we have handler and Listener which makes our application >>> as SAML provider. Picketlink also has lot of sample project which we can >>> try/tweak as per our need. However in keycloak, i see neither of them. >>> >> >> Do you mean SAML Identity Provider or Service Provider? With Keycloak, >> Keycloak server is the Identity Provider and you configure/tweak it through >> the admin console. >> >> >>> >>> >>> On Thu, Nov 26, 2015 at 1:28 PM, Stian Thorgersen >>> wrote: >>> >>>> Documentation is here >>>> http://keycloak.github.io/docs/userguide/saml-client-adapter/html/index.html >>>> - did you read that? >>>> >>>> On 26 November 2015 at 08:30, Arulkumar Ponnusamy >>>> wrote: >>>> >>>>> I want to implement the SAML Service provider(SP) for my application. >>>>> I used picketlink earlier (servlet filter) to configure my application as >>>>> SAML SP. However, when I tried the same with Keycloak, it is not working as >>>>> expected. There is no proper documentation/example on how keycloak saml SP >>>>> configuration has to be done. >>>>> >>>>> I did the following things. >>>>> 1. Copied all the jar(keycloak-saml-eap6-adapter-dist) into my >>>>> jboss/lib directory >>>>> 2. Configured the security domain as below >>>>> >>>> code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/> >>>>> 3. I built the keycloak saml example "redirect-with-signature" and >>>>> deployed. >>>>> 4. I am using the picketlink as my IDP. >>>>> 5. The redirect does not redirecting to my picketlink IDP. 
>>>>> >>>>> Can some one tell how to configure keycloak SAML SP.? >>>>> >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> >>>> >>> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151130/1d7c1c58/attachment.html From parul.com at gmail.com Sun Nov 29 23:02:28 2015 From: parul.com at gmail.com (Arulkumar Ponnusamy) Date: Mon, 30 Nov 2015 09:32:28 +0530 Subject: [keycloak-user] Fwd: Keycloak service provider Metadata support for SAML support In-Reply-To: References: Message-ID: Hi All, Does keycloak service provider support with metadata ? I don't find any reference document on this for keycloak. There is no adapter which talk about metadata. Even I looked at the examples, and there are three examples which talk about POST, REDIRECT and encryption. Any reference document on Keycloak SAML Service provider Metadata? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151130/81c5c11f/attachment-0001.html From kalc04 at gmail.com Mon Nov 30 01:01:32 2015 From: kalc04 at gmail.com (Lohitha Chiranjeewa) Date: Mon, 30 Nov 2015 11:31:32 +0530 Subject: [keycloak-user] How to enable Infinispan cache for realms, users and user sessions in Keycloak 1.6.1? In-Reply-To: References: Message-ID: Just tested the same flow extensively with Keycloak 1.2.0 as well, and it seems the behavior is the same. Lots of MySQL select queries getting executed with each call. Seems there's a number of unnecessary cache invalidations going on which causes Keycloak to fetch data from the DB over and over. Could you please confirm if this is the expected behavior? As far as I can see there's considerable performance degradation due to unnecessary cache invalidations. 
On Fri, Nov 27, 2015 at 8:42 PM, Lohitha Chiranjeewa wrote: > I'm invoking the following API call: https://{host}/auth/admin/realms/xxxxx/users/55ffe851-2d94-460e-88b9-bc7340531b56 > (same realm and user ID over and over again). The two HA server(s) are idle > apart from serving those calls. And I'm seeing the following SQL getting > logged in my MySQL log for each and every call: > > select userentity0_.ID as ID1_42_, userentity0_.CREATED_TIMESTAMP as > CREATED_2_42_, userentity0_.EMAIL as EMAIL3_42_, > userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_42_, userentity0_.EMAIL_VERIFIED > as EMAIL_VE5_42_, userentity0_.ENABLED as ENABLED6_42_, > userentity0_.federation_link as federati7_42_, userentity0_.FIRST_NAME as > FIRST_NA8_42_, userentity0_.LAST_NAME as LAST_NAM9_42_, > userentity0_.REALM_ID as REALM_I10_42_, > userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE11_42_, > userentity0_.TOTP as TOTP12_42_, userentity0_.USERNAME as USERNAM13_42_ > from USER_ENTITY userentity0_ where > userentity0_.ID='55ffe851-2d94-460e-88b9-bc7340531b56' and > userentity0_.REALM_ID='xxxxx' > > > > On Fri, Nov 27, 2015 at 8:03 PM, Stian Thorgersen > wrote: > >> Strange - what are you doing and what are the SQL queries? >> >> On 27 November 2015 at 15:23, Lohitha Chiranjeewa >> wrote: >> >>> Yes Stian, that I understand. But the problem here is even if I execute >>> continuous user retrieval calls (same user - no other functionality in >>> between), still MySQL select queries get executed for each call. So there >>> lies an issue isn't it? >>> >>> >>> On Fri, Nov 27, 2015 at 6:48 PM, Stian Thorgersen >>> wrote: >>> >>>> Things are still fetched from MySQL. Realms, clients, users, etc.. are >>>> then kept in the cache, but if it changes it's re-loaded from MySQL. We use >>>> an invalidation cache, not a distributed cache. 
>>>> >>>> On 27 November 2015 at 14:04, Lohitha Chiranjeewa >>>> wrote: >>>> >>>>> What I mean is, if it were working, I shouldn't see mysql queries >>>>> getting executed right? So my guess is data is still fetched from the db >>>>> instead of the cache. >>>>> On Nov 27, 2015 5:52 PM, "Stian Thorgersen" >>>>> wrote: >>>>> >>>>>> Yup, so it's working now? >>>>>> >>>>>> On 27 November 2015 at 13:20, Lohitha Chiranjeewa >>>>>> wrote: >>>>>> >>>>>>> Apologies, keycloak-server.json entries should change to: >>>>>>> >>>>>>> "realm": { >>>>>>> "provider": "jpa" >>>>>>> }, >>>>>>> >>>>>>> "user": { >>>>>>> "provider": "jpa" >>>>>>> }, >>>>>>> >>>>>>> "userSessionPersister": { >>>>>>> "provider": "jpa" >>>>>>> }, >>>>>>> >>>>>>> On Fri, Nov 27, 2015 at 5:49 PM, Lohitha Chiranjeewa < >>>>>>> kalc04 at gmail.com> wrote: >>>>>>> >>>>>>>> Hi Stian, >>>>>>>> >>>>>>>> As per the migration guide, I should have Infinispan up and running >>>>>>>> for realms, users and user sessions without doing any specific changes. >>>>>>>> keycloak-server.json was reverted back to have the following entries: >>>>>>>> ... >>>>>>>> "realm": { >>>>>>>> "provider": "infinispan" >>>>>>>> }, >>>>>>>> >>>>>>>> "user": { >>>>>>>> "provider": "infinispan" >>>>>>>> }, >>>>>>>> >>>>>>>> "userSessionPersister": { >>>>>>>> "provider": "infinispan" >>>>>>>> }, >>>>>>>> ... >>>>>>>> >>>>>>>> In the Admin Console I have both Realm Cache and User Cache >>>>>>>> enables. I see certain Infinispan related logs getting logged as well. >>>>>>>> >>>>>>>> However, at the same time, I see MySQL queries getting executed for >>>>>>>> all user retrieval API invocations (even if the same user is retrieved >>>>>>>> continuously): >>>>>>>> ... 
>>>>>>>> select userentity0_.ID as ID1_42_, userentity0_.CREATED_TIMESTAMP >>>>>>>> as CREATED_2_42_, userentity0_.EMAIL as EMAIL3_42_, >>>>>>>> userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_42_, userentity0_.EMAIL_VERIFIED >>>>>>>> as EMAIL_VE5_42_, userentity0_.ENABLED as ENABLED6_42_, >>>>>>>> userentity0_.federation_link as federati7_42_, userentity0_.FIRST_NAME as >>>>>>>> FIRST_NA8_42_, userentity0_.LAST_NAME as LAST_NAM9_42_, >>>>>>>> userentity0_.REALM_ID as REALM_I10_42_, >>>>>>>> userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE11_42_, >>>>>>>> userentity0_.TOTP as TOTP12_42_, userentity0_.USERNAME as USERNAM13_42_ >>>>>>>> from USER_ENTITY userentity0_ where >>>>>>>> userentity0_.ID='55ffe851-2d94-460e-88b9-bc7340531b56' and >>>>>>>> userentity0_.REALM_ID='xxxxx' >>>>>>>> ... >>>>>>>> >>>>>>>> So it seems something is wrong here. Could you point out any areas >>>>>>>> that I could further look into? >>>>>>>> >>>>>>>> >>>>>>>> Regards, >>>>>>>> Lohitha. >>>>>>>> >>>>>>>> On Thu, Nov 26, 2015 at 7:58 PM, Stian Thorgersen < >>>>>>>> sthorger at redhat.com> wrote: >>>>>>>> >>>>>>>>> Please read the migration guide >>>>>>>>> >>>>>>>>> On 26 November 2015 at 14:53, Lohitha Chiranjeewa < >>>>>>>>> kalc04 at gmail.com> wrote: >>>>>>>>> >>>>>>>>>> Hi, >>>>>>>>>> >>>>>>>>>> We're in the process of assessing the impact on upgrading from >>>>>>>>>> Keycloak 1.2.0 to 1.6.1. We came across an issue when trying to enable >>>>>>>>>> Infinispan cache through the keycloak-server.json file as we used to do in >>>>>>>>>> 1.2.0. >>>>>>>>>> >>>>>>>>>> We have the following entries in 1.6.1: >>>>>>>>>> "realm": { >>>>>>>>>> "provider": "infinispan" >>>>>>>>>> }, >>>>>>>>>> >>>>>>>>>> "user": { >>>>>>>>>> "provider": "infinispan" >>>>>>>>>> }, >>>>>>>>>> >>>>>>>>>> "userSessionPersister": { >>>>>>>>>> "provider": "infinispan" >>>>>>>>>> }, >>>>>>>>>> ......... 
>>>>>>>>>> "connectionsInfinispan": { >>>>>>>>>> "default" : { >>>>>>>>>> "cacheContainer" : "java:comp/env/infinispan/Keycloak" >>>>>>>>>> } >>>>>>>>>> } >>>>>>>>>> >>>>>>>>>> All configurations in 1.6.1 standalone-ha.xml file remains >>>>>>>>>> comparable (and correct to the best of our knowledge) with the ones in >>>>>>>>>> 1.2.0. >>>>>>>>>> >>>>>>>>>> With the above configs, when we start the Keycloak service the >>>>>>>>>> following error(s) get logged: >>>>>>>>>> >>>>>>>>>> 18:03:31,610 ERROR [org.jboss.msc.service.fail] (ServerService >>>>>>>>>> Thread Pool -- 64) MSC000001: Failed to start service >>>>>>>>>> jboss.undertow.deployment.default-server.default-host./auth: >>>>>>>>>> org.jboss.msc.service.StartException in service >>>>>>>>>> jboss.undertow.deployment.default-server.default-host./auth: >>>>>>>>>> java.lang.RuntimeException: Failed to construct public >>>>>>>>>> org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >>>>>>>>>> at >>>>>>>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85) >>>>>>>>>> at >>>>>>>>>> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) >>>>>>>>>> [rt.jar:1.7.0_45] >>>>>>>>>> at java.util.concurrent.FutureTask.run(FutureTask.java:262) >>>>>>>>>> [rt.jar:1.7.0_45] >>>>>>>>>> at >>>>>>>>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) >>>>>>>>>> [rt.jar:1.7.0_45] >>>>>>>>>> at >>>>>>>>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) >>>>>>>>>> [rt.jar:1.7.0_45] >>>>>>>>>> at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_45] >>>>>>>>>> at org.jboss.threads.JBossThread.run(JBossThread.java:320) >>>>>>>>>> [jboss-threads-2.2.0.Final.jar:2.2.0.Final] >>>>>>>>>> Caused by: java.lang.RuntimeException: Failed to construct public >>>>>>>>>> 
org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >>>>>>>>>> at >>>>>>>>>> org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:160) >>>>>>>>>> at >>>>>>>>>> org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2211) >>>>>>>>>> at >>>>>>>>>> org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:295) >>>>>>>>>> at >>>>>>>>>> org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:236) >>>>>>>>>> at >>>>>>>>>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112) >>>>>>>>>> at >>>>>>>>>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) >>>>>>>>>> at >>>>>>>>>> io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) >>>>>>>>>> at >>>>>>>>>> org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) >>>>>>>>>> at >>>>>>>>>> io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) >>>>>>>>>> at >>>>>>>>>> io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:230) >>>>>>>>>> at >>>>>>>>>> io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:131) >>>>>>>>>> at >>>>>>>>>> io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:511) >>>>>>>>>> at >>>>>>>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101) >>>>>>>>>> at >>>>>>>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82) >>>>>>>>>> ... 
6 more >>>>>>>>>> Caused by: java.lang.RuntimeException: Failed to find provider >>>>>>>>>> infinispan for realm >>>>>>>>>> at >>>>>>>>>> org.keycloak.services.DefaultKeycloakSessionFactory.init(DefaultKeycloakSessionFactory.java:66) >>>>>>>>>> at >>>>>>>>>> org.keycloak.services.resources.KeycloakApplication.createSessionFactory(KeycloakApplication.java:162) >>>>>>>>>> at >>>>>>>>>> org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:62) >>>>>>>>>> at >>>>>>>>>> sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) >>>>>>>>>> [rt.jar:1.7.0_45] >>>>>>>>>> at >>>>>>>>>> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) >>>>>>>>>> [rt.jar:1.7.0_45] >>>>>>>>>> at >>>>>>>>>> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) >>>>>>>>>> [rt.jar:1.7.0_45] >>>>>>>>>> at >>>>>>>>>> java.lang.reflect.Constructor.newInstance(Constructor.java:526) >>>>>>>>>> [rt.jar:1.7.0_45] >>>>>>>>>> at >>>>>>>>>> org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:148) >>>>>>>>>> ... 19 more >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Is the new way to enable Infinispan different to what we had >>>>>>>>>> earlier? If so, can someone please point out the correct way? >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Regards, >>>>>>>>>> Lohitha. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> _______________________________________________ >>>>>>>>>> keycloak-user mailing list >>>>>>>>>> keycloak-user at lists.jboss.org >>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>> >>> >> > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151130/9c28d98b/attachment-0001.html From sthorger at redhat.com Mon Nov 30 02:35:23 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 30 Nov 2015 08:35:23 +0100 Subject: [keycloak-user] Theme Resources Urls In-Reply-To: References: Message-ID: You can't customize the url format. Not sure how it would help during upgrades? I'd say the opposite as you end up with cached versions for the old release not being updated. On 28 November 2015 at 03:54, Doug Szeto wrote: > > Hi, > I have created a custom theme as specific in your docs here: > http://keycloak.github.io/docs/userguide/keycloak-server/html/themes.html > It functions in the browser, in that these configs tell you where the > theme customization resources are stored locally, but the end result is the > resources are served from the url format pattern of: > > > http://localhost:8080/auth/resources/1.6.1.final/login/keycloak/css/login.css > > Is there a way to customize the theme url format to scrub the version > number off the css/image/js resources? This will help out in monitoring and > upgrades. > > Thanks, > --Doug > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151130/c4874213/attachment.html From sthorger at redhat.com Mon Nov 30 02:37:29 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 30 Nov 2015 08:37:29 +0100 Subject: [keycloak-user] Fwd: Keycloak service provider Metadata support for SAML support In-Reply-To: References: Message-ID: Are you asking if Keycloak can create clients from entity descriptors, then yes. Create client and import the file. 
On 30 November 2015 at 05:02, Arulkumar Ponnusamy wrote: > Hi All, > Does keycloak service provider support with metadata ? I don't find any > reference document on this for keycloak. There is no adapter which talk > about metadata. Even I looked at the examples, and there are three examples > which talk about POST, REDIRECT and encryption. > > Any reference document on Keycloak SAML Service provider Metadata? > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151130/cbbdca09/attachment.html From sthorger at redhat.com Mon Nov 30 02:38:25 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 30 Nov 2015 08:38:25 +0100 Subject: [keycloak-user] How to enable Infinispan cache for realms, users and user sessions in Keycloak 1.6.1? In-Reply-To: References: Message-ID: It is not expected behavior. Users should only be invalidated if changes are made. On 30 November 2015 at 07:01, Lohitha Chiranjeewa wrote: > Just tested the same flow extensively with Keycloak 1.2.0 as well, and it > seems the behavior is the same. Lots of MySQL select queries getting > executed with each call. Seems there's a number of unnecessary cache > invalidations going on which causes Keycloak to fetch data from the DB over > and over. > > Could you please confirm if this is the expected behavior? As far as I can > see there's considerable performance degradation due to unnecessary cache > invalidations. > > > On Fri, Nov 27, 2015 at 8:42 PM, Lohitha Chiranjeewa > wrote: > >> I'm invoking the following API call: https://{host}/auth/admin/realms/xxxxx/users/55ffe851-2d94-460e-88b9-bc7340531b56 >> (same realm and user ID over and over again). The two HA server(s) are idle >> apart from serving those calls. 
And I'm seeing the following SQL getting >> logged in my MySQL log for each and every call: >> >> select userentity0_.ID as ID1_42_, userentity0_.CREATED_TIMESTAMP as >> CREATED_2_42_, userentity0_.EMAIL as EMAIL3_42_, >> userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_42_, userentity0_.EMAIL_VERIFIED >> as EMAIL_VE5_42_, userentity0_.ENABLED as ENABLED6_42_, >> userentity0_.federation_link as federati7_42_, userentity0_.FIRST_NAME as >> FIRST_NA8_42_, userentity0_.LAST_NAME as LAST_NAM9_42_, >> userentity0_.REALM_ID as REALM_I10_42_, >> userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE11_42_, >> userentity0_.TOTP as TOTP12_42_, userentity0_.USERNAME as USERNAM13_42_ >> from USER_ENTITY userentity0_ where >> userentity0_.ID='55ffe851-2d94-460e-88b9-bc7340531b56' and >> userentity0_.REALM_ID='xxxxx' >> >> >> >> On Fri, Nov 27, 2015 at 8:03 PM, Stian Thorgersen >> wrote: >> >>> Strange - what are you doing and what are the SQL queries? >>> >>> On 27 November 2015 at 15:23, Lohitha Chiranjeewa >>> wrote: >>> >>>> Yes Stian, that I understand. But the problem here is even if I execute >>>> continuous user retrieval calls (same user - no other functionality in >>>> between), still MySQL select queries get executed for each call. So there >>>> lies an issue isn't it? >>>> >>>> >>>> On Fri, Nov 27, 2015 at 6:48 PM, Stian Thorgersen >>>> wrote: >>>> >>>>> Things are still fetched from MySQL. Realms, clients, users, etc.. are >>>>> then kept in the cache, but if it changes it's re-loaded from MySQL. We use >>>>> an invalidation cache, not a distributed cache. >>>>> >>>>> On 27 November 2015 at 14:04, Lohitha Chiranjeewa >>>>> wrote: >>>>> >>>>>> What I mean is, if it were working, I shouldn't see mysql queries >>>>>> getting executed right? So my guess is data is still fetched from the db >>>>>> instead of the cache. >>>>>> On Nov 27, 2015 5:52 PM, "Stian Thorgersen" >>>>>> wrote: >>>>>> >>>>>>> Yup, so it's working now? 
>>>>>>> >>>>>>> On 27 November 2015 at 13:20, Lohitha Chiranjeewa >>>>>>> wrote: >>>>>>> >>>>>>>> Apologies, keycloak-server.json entries should change to: >>>>>>>> >>>>>>>> "realm": { >>>>>>>> "provider": "jpa" >>>>>>>> }, >>>>>>>> >>>>>>>> "user": { >>>>>>>> "provider": "jpa" >>>>>>>> }, >>>>>>>> >>>>>>>> "userSessionPersister": { >>>>>>>> "provider": "jpa" >>>>>>>> }, >>>>>>>> >>>>>>>> On Fri, Nov 27, 2015 at 5:49 PM, Lohitha Chiranjeewa < >>>>>>>> kalc04 at gmail.com> wrote: >>>>>>>> >>>>>>>>> Hi Stian, >>>>>>>>> >>>>>>>>> As per the migration guide, I should have Infinispan up and >>>>>>>>> running for realms, users and user sessions without doing any specific >>>>>>>>> changes. keycloak-server.json was reverted back to have the following >>>>>>>>> entries: >>>>>>>>> ... >>>>>>>>> "realm": { >>>>>>>>> "provider": "infinispan" >>>>>>>>> }, >>>>>>>>> >>>>>>>>> "user": { >>>>>>>>> "provider": "infinispan" >>>>>>>>> }, >>>>>>>>> >>>>>>>>> "userSessionPersister": { >>>>>>>>> "provider": "infinispan" >>>>>>>>> }, >>>>>>>>> ... >>>>>>>>> >>>>>>>>> In the Admin Console I have both Realm Cache and User Cache >>>>>>>>> enables. I see certain Infinispan related logs getting logged as well. >>>>>>>>> >>>>>>>>> However, at the same time, I see MySQL queries getting executed >>>>>>>>> for all user retrieval API invocations (even if the same user is retrieved >>>>>>>>> continuously): >>>>>>>>> ... 
>>>>>>>>> select userentity0_.ID as ID1_42_, userentity0_.CREATED_TIMESTAMP >>>>>>>>> as CREATED_2_42_, userentity0_.EMAIL as EMAIL3_42_, >>>>>>>>> userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_42_, userentity0_.EMAIL_VERIFIED >>>>>>>>> as EMAIL_VE5_42_, userentity0_.ENABLED as ENABLED6_42_, >>>>>>>>> userentity0_.federation_link as federati7_42_, userentity0_.FIRST_NAME as >>>>>>>>> FIRST_NA8_42_, userentity0_.LAST_NAME as LAST_NAM9_42_, >>>>>>>>> userentity0_.REALM_ID as REALM_I10_42_, >>>>>>>>> userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE11_42_, >>>>>>>>> userentity0_.TOTP as TOTP12_42_, userentity0_.USERNAME as USERNAM13_42_ >>>>>>>>> from USER_ENTITY userentity0_ where >>>>>>>>> userentity0_.ID='55ffe851-2d94-460e-88b9-bc7340531b56' and >>>>>>>>> userentity0_.REALM_ID='xxxxx' >>>>>>>>> ... >>>>>>>>> >>>>>>>>> So it seems something is wrong here. Could you point out any areas >>>>>>>>> that I could further look into? >>>>>>>>> >>>>>>>>> >>>>>>>>> Regards, >>>>>>>>> Lohitha. >>>>>>>>> >>>>>>>>> On Thu, Nov 26, 2015 at 7:58 PM, Stian Thorgersen < >>>>>>>>> sthorger at redhat.com> wrote: >>>>>>>>> >>>>>>>>>> Please read the migration guide >>>>>>>>>> >>>>>>>>>> On 26 November 2015 at 14:53, Lohitha Chiranjeewa < >>>>>>>>>> kalc04 at gmail.com> wrote: >>>>>>>>>> >>>>>>>>>>> Hi, >>>>>>>>>>> >>>>>>>>>>> We're in the process of assessing the impact on upgrading from >>>>>>>>>>> Keycloak 1.2.0 to 1.6.1. We came across an issue when trying to enable >>>>>>>>>>> Infinispan cache through the keycloak-server.json file as we used to do in >>>>>>>>>>> 1.2.0. >>>>>>>>>>> >>>>>>>>>>> We have the following entries in 1.6.1: >>>>>>>>>>> "realm": { >>>>>>>>>>> "provider": "infinispan" >>>>>>>>>>> }, >>>>>>>>>>> >>>>>>>>>>> "user": { >>>>>>>>>>> "provider": "infinispan" >>>>>>>>>>> }, >>>>>>>>>>> >>>>>>>>>>> "userSessionPersister": { >>>>>>>>>>> "provider": "infinispan" >>>>>>>>>>> }, >>>>>>>>>>> ......... 
>>>>>>>>>>> [...]

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151130/61f07ea9/attachment-0001.html

From parul.com at gmail.com  Mon Nov 30 03:47:13 2015
From: parul.com at gmail.com (Arulkumar Ponnusamy)
Date: Mon, 30 Nov 2015 14:17:13 +0530
Subject: [keycloak-user] Fwd: Keycloak service provider Metadata support for SAML support
In-Reply-To:
References:
Message-ID:

Hi Stian,

Yes, clients from entity descriptors. I don't understand the "import the file" part. Where do I import the file? I have both the IDP (PicketLink) and the SP (Keycloak) under my WEB-INF file, but I don't see any SAML communication between the SP and the IDP happening.

I am new to SAML, and for a beginner PicketLink has so many examples for both IDP and SP, which is awesome and gives a clear picture of what needs to be done. But those examples are missing for the Keycloak SAML service provider; there are only three examples for Keycloak, and they are somehow not detailed.

On Mon, Nov 30, 2015 at 1:07 PM, Stian Thorgersen wrote:

> Are you asking if Keycloak can create clients from entity descriptors,
> then yes. Create client and import the file.
>
> On 30 November 2015 at 05:02, Arulkumar Ponnusamy wrote:
>
>> Hi All,
>> Does the Keycloak service provider support metadata? I don't find any
>> reference document on this for Keycloak. There is no adapter which talks
>> about metadata. Even I looked at the examples, and there are three examples
>> which talk about POST, REDIRECT and encryption.
>>
>> Any reference document on Keycloak SAML Service provider Metadata?
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151130/69f45254/attachment.html

From Frank.vanVeen at planonsoftware.com  Mon Nov 30 03:52:59 2015
From: Frank.vanVeen at planonsoftware.com (Frank van Veen)
Date: Mon, 30 Nov 2015 09:52:59 +0100
Subject: [keycloak-user] User Federation: sending emails
Message-ID: <16DCFFB91025EF4DB80D3ECCA6E097E49250443AC1@NL-MAIL02.planon-fm.com>

Hi,

Currently I'm working on importing users with a user federation implementation. The way we want to import a user is by copying user metadata into Keycloak, followed by sending an email with a password reset link to the freshly imported user.

Is this achievable with Keycloak 1.6.1?

Best regards,
Frank van Veen
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151130/4f86487d/attachment.html

From adrianmatei at gmail.com  Mon Nov 30 04:07:48 2015
From: adrianmatei at gmail.com (Adrian Matei)
Date: Mon, 30 Nov 2015 10:07:48 +0100
Subject: [keycloak-user] Sign In button URL (Bill Burke)
Message-ID:

Hi Bill,

Thank you for the reply. Yes, I am using the Spring Security adapter (XML configuration).

I have received a private reply from Pavel Maslov regarding the sign-in URL:

{{keycloakBaseUrl}}/realms/{{realmName}}/protocol/openid-connect/auth?client_id={{client_id}}&response_type=code&redirect_uri={{your-web-app}}

which works great.

Another problem that I am having now is that when I am logging in from a "not"-protected resource (permitAll in securityContext) and want to be redirected back to the same resource, it logs me in indeed, but the Spring Security tags in my JSPs don't recognize that until I am accessing a secured resource defined in the security context.... Any thoughts there?
Thanks,
Adrian

Message: 2
Date: Fri, 27 Nov 2015 13:02:32 -0500
From: Bill Burke
Subject: Re: [keycloak-user] Sign In button URL
To: keycloak-user at lists.jboss.org
Message-ID: <56589AB8.5030708 at redhat.com>
Content-Type: text/plain; charset=windows-1252; format=flowed

How is your Spring web app handling OpenID Connect or SAML requests/responses? We do have a Spring Security adapter.

Initial OAuth2 request: /realms/{realm-name}/protocol/openid-connect/auth

Code to Token request: /realms/{realm-name}/protocol/openid-connect/token

On 11/27/2015 11:19 AM, Adrian Matei wrote:
> Hi guys,
>
> Can someone still help a poor guy on a Friday afternoon?
>
> What is the URL I need to have the sign-in button pointing to, in my
> Spring web app, that will ask me to log in via Keycloak and redirect me
> back exactly to the page I made the request from?
>
> Thanks,
> Adrian
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151130/dec776ad/attachment.html

From sthorger at redhat.com  Mon Nov 30 04:09:19 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 30 Nov 2015 10:09:19 +0100
Subject: [keycloak-user] Fwd: Keycloak service provider Metadata support for SAML support
In-Reply-To:
References:
Message-ID:

Bill - is there a way to get the entity descriptor for an application using the Keycloak SP adapter? To then import into PicketLink.

On 30 November 2015 at 09:47, Arulkumar Ponnusamy wrote:

> Hi Stian,
> Yes, clients from entity descriptors. I don't understand the "import the file"
> part. Where do I import the file? I have both the IDP (PicketLink) and the
> SP (Keycloak) under my WEB-INF file, but I don't see any SAML communication
> between the SP and the IDP happening.
>
> I am new to SAML, and for a beginner PicketLink has so many examples for both
> IDP and SP, which is awesome and gives a clear picture of what needs to be
> done. But those examples are missing for the Keycloak SAML service provider;
> there are only three examples for Keycloak, and they are somehow not detailed.
>
>
>
> On Mon, Nov 30, 2015 at 1:07 PM, Stian Thorgersen wrote:
>
>> Are you asking if Keycloak can create clients from entity descriptors,
>> then yes. Create client and import the file.
>>
>> On 30 November 2015 at 05:02, Arulkumar Ponnusamy wrote:
>>
>>> Hi All,
>>> Does the Keycloak service provider support metadata? I don't find any
>>> reference document on this for Keycloak. There is no adapter which talks
>>> about metadata. Even I looked at the examples, and there are three examples
>>> which talk about POST, REDIRECT and encryption.
>>>
>>> Any reference document on Keycloak SAML Service provider Metadata?
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151130/a0e5decc/attachment.html

From kalc04 at gmail.com  Mon Nov 30 08:29:10 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Mon, 30 Nov 2015 18:59:10 +0530
Subject: [keycloak-user] How to enable Infinispan cache for realms, users and user sessions in Keycloak 1.6.1?
In-Reply-To:
References:
Message-ID:

Glad if you could look into the above and check if there are app-level issues related to invalidations, thanks.

One way to get around this through config changes is to make the relevant cache modes 'ASYNC' and set up suitable values for 'queue-size' and 'queue-flush-interval' depending on your needs. Then the invalidations won't happen with each and every call.
Obviously there would be problems if caches aren't invalidated in time with the above setup; it's up to the devs to come up with a suitable set of configs to cater to their needs.

Regards,
Lohitha.

On Mon, Nov 30, 2015 at 1:08 PM, Stian Thorgersen wrote:

> It is not expected behavior. Users should only be invalidated if changes
> are made.
>
> On 30 November 2015 at 07:01, Lohitha Chiranjeewa wrote:
>
>> Just tested the same flow extensively with Keycloak 1.2.0 as well, and it
>> seems the behavior is the same. Lots of MySQL select queries getting
>> executed with each call. Seems there's a number of unnecessary cache
>> invalidations going on which causes Keycloak to fetch data from the DB over
>> and over.
>>
>> Could you please confirm if this is the expected behavior? As far as I
>> can see there's considerable performance degradation due to unnecessary
>> cache invalidations.
>>
>>
>> On Fri, Nov 27, 2015 at 8:42 PM, Lohitha Chiranjeewa wrote:
>>
>>> I'm invoking the following API call: https://{host}/auth/admin/realms/xxxxx/users/55ffe851-2d94-460e-88b9-bc7340531b56
>>> (same realm and user ID over and over again). The two HA server(s) are idle
>>> apart from serving those calls.
>>> And I'm seeing the following SQL getting
>>> logged in my MySQL log for each and every call:
>>>
>>> select userentity0_.ID as ID1_42_, userentity0_.CREATED_TIMESTAMP as
>>> CREATED_2_42_, userentity0_.EMAIL as EMAIL3_42_,
>>> userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_42_, userentity0_.EMAIL_VERIFIED
>>> as EMAIL_VE5_42_, userentity0_.ENABLED as ENABLED6_42_,
>>> userentity0_.federation_link as federati7_42_, userentity0_.FIRST_NAME as
>>> FIRST_NA8_42_, userentity0_.LAST_NAME as LAST_NAM9_42_,
>>> userentity0_.REALM_ID as REALM_I10_42_,
>>> userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE11_42_,
>>> userentity0_.TOTP as TOTP12_42_, userentity0_.USERNAME as USERNAM13_42_
>>> from USER_ENTITY userentity0_ where
>>> userentity0_.ID='55ffe851-2d94-460e-88b9-bc7340531b56' and
>>> userentity0_.REALM_ID='xxxxx'
>>>
>>>
>>>
>>> On Fri, Nov 27, 2015 at 8:03 PM, Stian Thorgersen wrote:
>>>
>>>> Strange - what are you doing and what are the SQL queries?
>>>>
>>>> On 27 November 2015 at 15:23, Lohitha Chiranjeewa wrote:
>>>>
>>>>> Yes Stian, that I understand. But the problem here is even if I
>>>>> execute continuous user retrieval calls (same user - no other functionality
>>>>> in between), still MySQL select queries get executed for each call. So
>>>>> there lies an issue, isn't it?
>>>>>
>>>>>
>>>>> On Fri, Nov 27, 2015 at 6:48 PM, Stian Thorgersen wrote:
>>>>>
>>>>>> Things are still fetched from MySQL. Realms, clients, users, etc.
>>>>>> are then kept in the cache, but if it changes it's re-loaded from MySQL. We
>>>>>> use an invalidation cache, not a distributed cache.
>>>>>>
>>>>>> On 27 November 2015 at 14:04, Lohitha Chiranjeewa wrote:
>>>>>>
>>>>>>> What I mean is, if it were working, I shouldn't see MySQL queries
>>>>>>> getting executed, right? So my guess is data is still fetched from the DB
>>>>>>> instead of the cache.
>>>>>>> On Nov 27, 2015 5:52 PM, "Stian Thorgersen" wrote:
>>>>>>>
>>>>>>>> Yup, so it's working now?
>>>>>>>>
>>>>>>>> On 27 November 2015 at 13:20, Lohitha Chiranjeewa wrote:
>>>>>>>>
>>>>>>>>> Apologies, keycloak-server.json entries should change to:
>>>>>>>>>
>>>>>>>>> "realm": {
>>>>>>>>> "provider": "jpa"
>>>>>>>>> },
>>>>>>>>>
>>>>>>>>> "user": {
>>>>>>>>> "provider": "jpa"
>>>>>>>>> },
>>>>>>>>>
>>>>>>>>> "userSessionPersister": {
>>>>>>>>> "provider": "jpa"
>>>>>>>>> },
>>>>>>>>>
>>>>>>>>> On Fri, Nov 27, 2015 at 5:49 PM, Lohitha Chiranjeewa <kalc04 at gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Stian,
>>>>>>>>>>
>>>>>>>>>> As per the migration guide, I should have Infinispan up and
>>>>>>>>>> running for realms, users and user sessions without doing any specific
>>>>>>>>>> changes. keycloak-server.json was reverted back to have the following
>>>>>>>>>> entries:
>>>>>>>>>> ...
>>>>>>>>>> "realm": {
>>>>>>>>>> "provider": "infinispan"
>>>>>>>>>> },
>>>>>>>>>>
>>>>>>>>>> "user": {
>>>>>>>>>> "provider": "infinispan"
>>>>>>>>>> },
>>>>>>>>>>
>>>>>>>>>> "userSessionPersister": {
>>>>>>>>>> "provider": "infinispan"
>>>>>>>>>> },
>>>>>>>>>> ...
>>>>>>>>>>
>>>>>>>>>> In the Admin Console I have both Realm Cache and User Cache
>>>>>>>>>> enabled. I see certain Infinispan related logs getting logged as well.
>>>>>>>>>>
>>>>>>>>>> However, at the same time, I see MySQL queries getting executed
>>>>>>>>>> for all user retrieval API invocations (even if the same user is retrieved
>>>>>>>>>> continuously):
>>>>>>>>>> ...
>>>>>>>>>> select userentity0_.ID as ID1_42_, userentity0_.CREATED_TIMESTAMP
>>>>>>>>>> as CREATED_2_42_, userentity0_.EMAIL as EMAIL3_42_,
>>>>>>>>>> userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_42_, userentity0_.EMAIL_VERIFIED
>>>>>>>>>> as EMAIL_VE5_42_, userentity0_.ENABLED as ENABLED6_42_,
>>>>>>>>>> userentity0_.federation_link as federati7_42_, userentity0_.FIRST_NAME as
>>>>>>>>>> FIRST_NA8_42_, userentity0_.LAST_NAME as LAST_NAM9_42_,
>>>>>>>>>> userentity0_.REALM_ID as REALM_I10_42_,
>>>>>>>>>> userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE11_42_,
>>>>>>>>>> userentity0_.TOTP as TOTP12_42_, userentity0_.USERNAME as USERNAM13_42_
>>>>>>>>>> from USER_ENTITY userentity0_ where
>>>>>>>>>> userentity0_.ID='55ffe851-2d94-460e-88b9-bc7340531b56' and
>>>>>>>>>> userentity0_.REALM_ID='xxxxx'
>>>>>>>>>> ...
>>>>>>>>>>
>>>>>>>>>> So it seems something is wrong here. Could you point out any
>>>>>>>>>> areas that I could further look into?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Lohitha.
>>>>>>>>>>
>>>>>>>>>> On Thu, Nov 26, 2015 at 7:58 PM, Stian Thorgersen <sthorger at redhat.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Please read the migration guide
>>>>>>>>>>>
>>>>>>>>>>> On 26 November 2015 at 14:53, Lohitha Chiranjeewa <kalc04 at gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> We're in the process of assessing the impact on upgrading from
>>>>>>>>>>>> Keycloak 1.2.0 to 1.6.1. We came across an issue when trying to enable
>>>>>>>>>>>> Infinispan cache through the keycloak-server.json file as we used to do in
>>>>>>>>>>>> 1.2.0.
>>>>>>>>>>>>
>>>>>>>>>>>> We have the following entries in 1.6.1:
>>>>>>>>>>>> "realm": {
>>>>>>>>>>>> "provider": "infinispan"
>>>>>>>>>>>> },
>>>>>>>>>>>>
>>>>>>>>>>>> "user": {
>>>>>>>>>>>> "provider": "infinispan"
>>>>>>>>>>>> },
>>>>>>>>>>>>
>>>>>>>>>>>> "userSessionPersister": {
>>>>>>>>>>>> "provider": "infinispan"
>>>>>>>>>>>> },
>>>>>>>>>>>> .........
>>>>>>>>>>>> "connectionsInfinispan": {
>>>>>>>>>>>> "default" : {
>>>>>>>>>>>> "cacheContainer" :
>>>>>>>>>>>> "java:comp/env/infinispan/Keycloak"
>>>>>>>>>>>> }
>>>>>>>>>>>> }
>>>>>>>>>>>>
>>>>>>>>>>>> All configurations in the 1.6.1 standalone-ha.xml file remain
>>>>>>>>>>>> comparable (and correct to the best of our knowledge) with the ones in
>>>>>>>>>>>> 1.2.0.
>>>>>>>>>>>>
>>>>>>>>>>>> With the above configs, when we start the Keycloak service the
>>>>>>>>>>>> following error(s) get logged:
>>>>>>>>>>>>
>>>>>>>>>>>> 18:03:31,610 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 64) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>>>>>>>>>>>> at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
>>>>>>>>>>>> at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) [rt.jar:1.7.0_45]
>>>>>>>>>>>> at java.util.concurrent.FutureTask.run(FutureTask.java:262) [rt.jar:1.7.0_45]
>>>>>>>>>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_45]
>>>>>>>>>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_45]
>>>>>>>>>>>> at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_45]
>>>>>>>>>>>> at org.jboss.threads.JBossThread.run(JBossThread.java:320) [jboss-threads-2.2.0.Final.jar:2.2.0.Final]
>>>>>>>>>>>> Caused by: java.lang.RuntimeException: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>>>>>>>>>>>> at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:160)
>>>>>>>>>>>> at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2211)
>>>>>>>>>>>> at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:295)
>>>>>>>>>>>> at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:236)
>>>>>>>>>>>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112)
>>>>>>>>>>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
>>>>>>>>>>>> at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
>>>>>>>>>>>> at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
>>>>>>>>>>>> at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
>>>>>>>>>>>> at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:230)
>>>>>>>>>>>> at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:131)
>>>>>>>>>>>> at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:511)
>>>>>>>>>>>> at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
>>>>>>>>>>>> at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
>>>>>>>>>>>> ... 6 more
>>>>>>>>>>>> Caused by: java.lang.RuntimeException: Failed to find provider infinispan for realm
>>>>>>>>>>>> at org.keycloak.services.DefaultKeycloakSessionFactory.init(DefaultKeycloakSessionFactory.java:66)
>>>>>>>>>>>> at org.keycloak.services.resources.KeycloakApplication.createSessionFactory(KeycloakApplication.java:162)
>>>>>>>>>>>> at org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:62)
>>>>>>>>>>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) [rt.jar:1.7.0_45]
>>>>>>>>>>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) [rt.jar:1.7.0_45]
>>>>>>>>>>>> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) [rt.jar:1.7.0_45]
>>>>>>>>>>>> at java.lang.reflect.Constructor.newInstance(Constructor.java:526) [rt.jar:1.7.0_45]
>>>>>>>>>>>> at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:148)
>>>>>>>>>>>> ... 19 more
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Is the new way to enable Infinispan different to what we had
>>>>>>>>>>>> earlier? If so, can someone please point out the correct way?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Regards,
>>>>>>>>>>>> Lohitha.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>>>
-------------- next part --------------
An HTML attachment was scrubbed...
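Lohitha's ASYNC / queue-size workaround and Bill's reply that Keycloak invalidates rather than replicates both come down to how the `keycloak` cache container is declared in `standalone-ha.xml`. The fragment below is an added example, not configuration from this thread or from the Keycloak distribution; it assumes the WildFly 9 Infinispan subsystem schema that Keycloak 1.6.x runs on, the cache names `realms`, `users`, `sessions` and `loginFailures` and the `infinispan/Keycloak` JNDI name are assumed to match such an install, and the numeric values are constructed for illustration.

```xml
<!-- Added example, not configuration from the thread or from the Keycloak
     distribution. Assumes the WildFly 9 Infinispan subsystem schema that
     Keycloak 1.6.x ships on; cache names, jndi-name and all numeric
     values are assumptions chosen for illustration. -->
<subsystem xmlns="urn:jboss:domain:infinispan:3.0">

  <!-- Variant A: the shape of the default standalone-ha.xml.
       realms and users are INVALIDATION caches. When one node changes an
       entity it only tells its peers to drop that key; each peer re-reads
       from the database on its next access. Realm, user and credential
       data therefore never cross the cluster transport, which is what
       Bill's "invalidate rather than replicate" reply in this thread is
       about. mode="SYNC" makes the writer wait until every peer has
       acknowledged the invalidation, so once the admin call returns no
       node still serves the old entry. -->
  <cache-container name="keycloak" jndi-name="infinispan/Keycloak">
    <transport lock-timeout="60000"/>
    <invalidation-cache name="realms" mode="SYNC"/>
    <invalidation-cache name="users" mode="SYNC"/>
    <!-- Sessions are DISTRIBUTED, not invalidated: a session must be
         reachable from whichever node receives the next request, so
         this data does travel between nodes. owners="1" keeps a single
         copy; a higher value buys failover at the cost of copying
         session state to more nodes. -->
    <distributed-cache name="sessions" mode="SYNC" owners="1"/>
    <distributed-cache name="loginFailures" mode="SYNC" owners="1"/>
  </cache-container>

  <!-- Variant B: Lohitha's workaround from the message above. A real file
       has exactly one container named keycloak; this second one is shown
       beside Variant A only for comparison. mode="ASYNC" returns to the
       writer immediately; with queue-size above zero the invalidation
       messages are batched and sent when the queue holds queue-size
       entries or when queue-flush-interval milliseconds have passed,
       whichever comes first. That removes the per-call cluster round
       trip the thread complains about, but until the flush a peer can
       still answer from its old entry. For a disabled user, a removed
       role mapping or a regenerated client secret that is a window in
       which another node keeps honouring the previous state, so keep the
       interval short and verify the behaviour under load before relying
       on this setting. -->
  <cache-container name="keycloak" jndi-name="infinispan/Keycloak">
    <transport lock-timeout="60000"/>
    <invalidation-cache name="realms" mode="ASYNC"
                        queue-size="1000" queue-flush-interval="10"/>
    <invalidation-cache name="users" mode="ASYNC"
                        queue-size="1000" queue-flush-interval="10"/>
    <distributed-cache name="sessions" mode="SYNC" owners="1"/>
    <distributed-cache name="loginFailures" mode="SYNC" owners="1"/>
  </cache-container>

</subsystem>
```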
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151130/014f55af/attachment-0001.html

From kalc04 at gmail.com  Mon Nov 30 08:41:03 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Mon, 30 Nov 2015 19:11:03 +0530
Subject: [keycloak-user] Infinispan caching issues because of unserializable classes
Message-ID:

When Infinispan caching is enabled in ASYNC mode, exceptions get logged at startup due to serialization issues. Basically the following classes have to implement the Serializable interface:

org.keycloak.models.OTPPolicy
org.keycloak.models.RequiredActionProviderModel

There could be other classes as well.

Is this already fixed in the 1.7.0 code, or shall I put in a JIRA?

Regards,
Lohitha.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151130/e7161b30/attachment.html

From bburke at redhat.com  Mon Nov 30 08:45:12 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 30 Nov 2015 08:45:12 -0500
Subject: [keycloak-user] Infinispan caching issues because of unserializable classes
In-Reply-To:
References:
Message-ID: <565C52E8.2010308@redhat.com>

We don't replicate at all. Why would this be an issue?

On 11/30/2015 8:41 AM, Lohitha Chiranjeewa wrote:
> When Infinispan caching is enabled in ASYNC mode, exceptions get logged
> at startup due to serialization issues. Basically the following classes
> have to implement the Serializable interface:
>
> org.keycloak.models.OTPPolicy
> org.keycloak.models.RequiredActionProviderModel
>
> There could be other classes as well.
>
> Is this already fixed in the 1.7.0 code, or shall I put in a JIRA?
>
>
> Regards,
> Lohitha.
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com  Mon Nov 30 08:46:20 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 30 Nov 2015 08:46:20 -0500
Subject: [keycloak-user] How to enable Infinispan cache for realms, users and user sessions in Keycloak 1.6.1?
In-Reply-To:
References:
Message-ID: <565C532C.1020201@redhat.com>

BTW, besides being more scalable, we invalidate rather than replicate to avoid transmitting sensitive security data over the network.

On 11/30/2015 8:29 AM, Lohitha Chiranjeewa wrote:
> Glad if you could look into the above and check if there are app-level
> issues related to invalidations, thanks.
>
> One way to get around this through config changes is to make the
> relevant cache modes 'ASYNC' and set up suitable values for 'queue-size'
> and 'queue-flush-interval' depending on your needs. Then the
> invalidations won't happen with each and every call.
>
> Obviously there would be problems if caches aren't invalidated in time
> with the above setup; it's up to the devs to come up with a suitable
> set of configs to cater to their needs.
>
>
> Regards,
> Lohitha.
>
>
>
> On Mon, Nov 30, 2015 at 1:08 PM, Stian Thorgersen wrote:
>
>> It is not expected behavior. Users should only be invalidated if
>> changes are made.
>>
>> On 30 November 2015 at 07:01, Lohitha Chiranjeewa wrote:
>>
>>> Just tested the same flow extensively with Keycloak 1.2.0 as
>>> well, and it seems the behavior is the same. Lots of MySQL
>>> select queries getting executed with each call. Seems there's a
>>> number of unnecessary cache invalidations going on which causes
>>> Keycloak to fetch data from the DB over and over.
>>>
>>> Could you please confirm if this is the expected behavior?
As > far as I can see there's considerable performance degradation > due to unnecessary cache invalidations. > > > On Fri, Nov 27, 2015 at 8:42 PM, Lohitha Chiranjeewa > > wrote: > > I'm invoking the following API call: > https://{host}/auth/admin/realms/xxxxx/users/55ffe851-2d94-460e-88b9-bc7340531b56 > (same realm and user ID over and over again). The two HA > server(s) are idle apart from serving those calls. And I'm > seeing the following SQL getting logged in my MySQL log for > each and every call: > > select userentity0_.ID as ID1_42_, > userentity0_.CREATED_TIMESTAMP as CREATED_2_42_, > userentity0_.EMAIL as EMAIL3_42_, > userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_42_, > userentity0_.EMAIL_VERIFIED as EMAIL_VE5_42_, > userentity0_.ENABLED as ENABLED6_42_, > userentity0_.federation_link as federati7_42_, > userentity0_.FIRST_NAME as FIRST_NA8_42_, > userentity0_.LAST_NAME as LAST_NAM9_42_, > userentity0_.REALM_ID as REALM_I10_42_, > userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE11_42_, > userentity0_.TOTP as TOTP12_42_, userentity0_.USERNAME as > USERNAM13_42_ from USER_ENTITY userentity0_ where > userentity0_.ID='55ffe851-2d94-460e-88b9-bc7340531b56' and > userentity0_.REALM_ID='xxxxx' > > > > On Fri, Nov 27, 2015 at 8:03 PM, Stian Thorgersen > > wrote: > > Strange - what are you doing and what are the SQL queries? > > On 27 November 2015 at 15:23, Lohitha Chiranjeewa > > wrote: > > Yes Stian, that I understand. But the problem here > is even if I execute continuous user retrieval calls > (same user - no other functionality in between), > still MySQL select queries get executed for each > call. So there lies an issue isn't it? > > > On Fri, Nov 27, 2015 at 6:48 PM, Stian Thorgersen > > > wrote: > > Things are still fetched from MySQL. Realms, > clients, users, etc.. are then kept in the > cache, but if it changes it's re-loaded from > MySQL. We use an invalidation cache, not a > distributed cache. 
> > On 27 November 2015 at 14:04, Lohitha > Chiranjeewa > wrote: > > What I mean is, if it were working, I > shouldn't see mysql queries getting executed > right? So my guess is data is still fetched > from the db instead of the cache. > > On Nov 27, 2015 5:52 PM, "Stian Thorgersen" > > wrote: > > Yup, so it's working now? > > On 27 November 2015 at 13:20, Lohitha > Chiranjeewa > wrote: > > Apologies, keycloak-server.json > entries should change to: > > "realm": { > "provider": "jpa" > }, > > "user": { > "provider": "jpa" > }, > > "userSessionPersister": { > "provider": "jpa" > }, > > On Fri, Nov 27, 2015 at 5:49 PM, > Lohitha Chiranjeewa > > wrote: > > Hi Stian, > > As per the migration guide, I > should have Infinispan up and > running for realms, users and > user sessions without doing any > specific changes. > keycloak-server.json was > reverted back to have the > following entries: > ... > "realm": { > "provider": "infinispan" > }, > > "user": { > "provider": "infinispan" > }, > > "userSessionPersister": { > "provider": "infinispan" > }, > ... > > In the Admin Console I have both > Realm Cache and User Cache > enables. I see certain > Infinispan related logs getting > logged as well. > > However, at the same time, I see > MySQL queries getting executed > for all user retrieval API > invocations (even if the same > user is retrieved continuously): > ... 
> select userentity0_.ID as > ID1_42_, > userentity0_.CREATED_TIMESTAMP > as CREATED_2_42_, > userentity0_.EMAIL as > EMAIL3_42_, > userentity0_.EMAIL_CONSTRAINT as > EMAIL_CO4_42_, > userentity0_.EMAIL_VERIFIED as > EMAIL_VE5_42_, > userentity0_.ENABLED as > ENABLED6_42_, > userentity0_.federation_link as > federati7_42_, > userentity0_.FIRST_NAME as > FIRST_NA8_42_, > userentity0_.LAST_NAME as > LAST_NAM9_42_, > userentity0_.REALM_ID as > REALM_I10_42_, > userentity0_.SERVICE_ACCOUNT_CLIENT_LINK > as SERVICE11_42_, > userentity0_.TOTP as TOTP12_42_, > userentity0_.USERNAME as > USERNAM13_42_ from USER_ENTITY > userentity0_ where > userentity0_.ID='55ffe851-2d94-460e-88b9-bc7340531b56' > and userentity0_.REALM_ID='xxxxx' > ... > > So it seems something is wrong > here. Could you point out any > areas that I could further look > into? > > > Regards, > Lohitha. > > On Thu, Nov 26, 2015 at 7:58 PM, > Stian Thorgersen > > wrote: > > Please read the migration guide > > On 26 November 2015 at > 14:53, Lohitha Chiranjeewa > > > wrote: > > Hi, > > We're in the process of > assessing the impact on > upgrading from Keycloak > 1.2.0 to 1.6.1. We came > across an issue when > trying to enable > Infinispan cache through > the keycloak-server.json > file as we used to do in > 1.2.0. > > We have the following > entries in 1.6.1: > "realm": { > "provider": > "infinispan" > }, > > "user": { > "provider": > "infinispan" > }, > > > "userSessionPersister": { > "provider": > "infinispan" > }, > ......... > > "connectionsInfinispan": { > "default" : { > > "cacheContainer" : > "java:comp/env/infinispan/Keycloak" > } > } > > All configurations in > 1.6.1 standalone-ha.xml > file remains comparable > (and correct to the best > of our knowledge) with > the ones in 1.2.0. 
> With the above configs, when we start the Keycloak service the following error(s) get logged:
>
> 18:03:31,610 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 64) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
> at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) [rt.jar:1.7.0_45]
> at java.util.concurrent.FutureTask.run(FutureTask.java:262) [rt.jar:1.7.0_45]
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_45]
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_45]
> at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_45]
> at org.jboss.threads.JBossThread.run(JBossThread.java:320) [jboss-threads-2.2.0.Final.jar:2.2.0.Final]
> Caused by: java.lang.RuntimeException: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
> at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:160)
> at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2211)
> at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:295)
> at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:236)
> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
> at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
> at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
> at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
> at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:230)
> at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:131)
> at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:511)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
> ... 6 more
> Caused by: java.lang.RuntimeException: Failed to find provider infinispan for realm
> at org.keycloak.services.DefaultKeycloakSessionFactory.init(DefaultKeycloakSessionFactory.java:66)
> at org.keycloak.services.resources.KeycloakApplication.createSessionFactory(KeycloakApplication.java:162)
> at org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:62)
> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) [rt.jar:1.7.0_45]
> at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) [rt.jar:1.7.0_45]
> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) [rt.jar:1.7.0_45]
> at java.lang.reflect.Constructor.newInstance(Constructor.java:526) [rt.jar:1.7.0_45]
> at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:148)
> ... 19 more
>
> Is the new way to enable Infinispan different to what we had earlier?
> If so, can someone please point out the correct way?
>
> Regards,
> Lohitha.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Mon Nov 30 08:47:16 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 30 Nov 2015 08:47:16 -0500
Subject: [keycloak-user] Infinispan caching issues because of unserializable classes
In-Reply-To: <565C52E8.2010308@redhat.com>
References: <565C52E8.2010308@redhat.com>
Message-ID: <565C5364.8090505@redhat.com>

Or is this related to UserSession cache?

On 11/30/2015 8:45 AM, Bill Burke wrote:
> We don't replicate at all. Why would this be an issue?
>
> On 11/30/2015 8:41 AM, Lohitha Chiranjeewa wrote:
>> When Infinispan caching is enabled in ASYNC mode, exceptions get logged
>> at startup due to serialization issues. Basically the following classes
>> have to implement the Serializable interface:
>>
>> org.keycloak.models.OTPPolicy
>> org.keycloak.models.RequiredActionProviderModel
>>
>> There could be other classes as well.
>>
>> Is this already fixed in 1.7.0 code or shall I put a JIRA?
>>
>> Regards,
>> Lohitha.
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From kalc04 at gmail.com Mon Nov 30 08:50:36 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Mon, 30 Nov 2015 19:20:36 +0530
Subject: [keycloak-user] Infinispan caching issues because of unserializable classes
In-Reply-To: <565C5364.8090505@redhat.com>
References: <565C52E8.2010308@redhat.com> <565C5364.8090505@redhat.com>
Message-ID:

Issue came up with Realm and User caches. Not User Sessions.

On Mon, Nov 30, 2015 at 7:17 PM, Bill Burke wrote:
> Or is this related to UserSession cache?
>
> On 11/30/2015 8:45 AM, Bill Burke wrote:
> > We don't replicate at all. Why would this be an issue?
> >
> > On 11/30/2015 8:41 AM, Lohitha Chiranjeewa wrote:
> >> When Infinispan caching is enabled in ASYNC mode, exceptions get logged
> >> at startup due to serialization issues. Basically the following classes
> >> have to implement the Serializable interface:
> >>
> >> org.keycloak.models.OTPPolicy
> >> org.keycloak.models.RequiredActionProviderModel
> >>
> >> There could be other classes as well.
> >>
> >> Is this already fixed in 1.7.0 code or shall I put a JIRA?
> >>
> >> Regards,
> >> Lohitha.
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
From bburke at redhat.com Mon Nov 30 09:00:35 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 30 Nov 2015 09:00:35 -0500
Subject: [keycloak-user] Infinispan caching issues because of unserializable classes
In-Reply-To:
References: <565C52E8.2010308@redhat.com> <565C5364.8090505@redhat.com>
Message-ID: <565C5683.5030805@redhat.com>

Did you change caching configuration?

On 11/30/2015 8:50 AM, Lohitha Chiranjeewa wrote:
> Issue came up with Realm and User caches. Not User Sessions.
>
> On Mon, Nov 30, 2015 at 7:17 PM, Bill Burke wrote:
>
> Or is this related to UserSession cache?
>
> On 11/30/2015 8:45 AM, Bill Burke wrote:
> > We don't replicate at all. Why would this be an issue?
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From kalc04 at gmail.com Mon Nov 30 09:07:28 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Mon, 30 Nov 2015 19:37:28 +0530
Subject: [keycloak-user] Infinispan caching issues because of unserializable classes
In-Reply-To: <565C5683.5030805@redhat.com>
References: <565C52E8.2010308@redhat.com> <565C5364.8090505@redhat.com> <565C5683.5030805@redhat.com>
Message-ID:

Yes, the 'mode' of 'realms' and 'users' caches were changed to 'ASYNC'. This causes the app to store the invalidations temporarily w/o sending to other nodes and flush them all only when a threshold value is reached. I think this storage method causes the Serialization issue.

On Mon, Nov 30, 2015 at 7:30 PM, Bill Burke wrote:
> Did you change caching configuration?
>
> On 11/30/2015 8:50 AM, Lohitha Chiranjeewa wrote:
>> Issue came up with Realm and User caches. Not User Sessions.
>>
>> On Mon, Nov 30, 2015 at 7:17 PM, Bill Burke wrote:
>>
>> Or is this related to UserSession cache?
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From kalc04 at gmail.com Mon Nov 30 09:13:21 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Mon, 30 Nov 2015 19:43:21 +0530
Subject: [keycloak-user] How to enable Infinispan cache for realms, users and user sessions in Keycloak 1.6.1?
In-Reply-To: <565C532C.1020201@redhat.com>
References: <565C532C.1020201@redhat.com>
Message-ID:

Bill, the problem here is that our load tests cannot go beyond a paltry 15-20 concurrent threads with the default set up (invalidation caches with SYNC mode - two HA AWS M3-Medium servers). Hence we're trying to find ways to improve on the performance and the avg response time under a load.

On Mon, Nov 30, 2015 at 7:16 PM, Bill Burke wrote:
> BTW, besides being more scalable, we invalidate rather than replicate to
> avoid transmitting sensitive security data over the network.
>
> On 11/30/2015 8:29 AM, Lohitha Chiranjeewa wrote:
> > Glad if you could look into the above and check if there are app level
> > issues related to invalidations, thanks.
> > One way to get around this through config changes is to make the
> > relevant cache modes 'ASYNC' and set up suitable values for 'queue-size'
> > and 'queue-flush-interval' depending on your needs. Then the
> > invalidations won't happen with each and every call.
> >
> > Obviously there would be problems if caches aren't invalidated in time
> > with the above set up; it's up to the devs to come up with a suitable
> > set of configs to cater to their needs.
> >
> > Regards,
> > Lohitha.
> >
> > On Mon, Nov 30, 2015 at 1:08 PM, Stian Thorgersen wrote:
> >
> > It is not expected behavior. Users should only be invalidated if
> > changes are made.
> >
> > On 30 November 2015 at 07:01, Lohitha Chiranjeewa wrote:
> >
> > Just tested the same flow extensively with Keycloak 1.2.0 as
> > well, and it seems the behavior is the same. Lots of MySQL
> > select queries getting executed with each call. Seems there's a
> > number of unnecessary cache invalidations going on which causes
> > Keycloak to fetch data from the DB over and over.
> >
> > Could you please confirm if this is the expected behavior? As
> > far as I can see there's considerable performance degradation
> > due to unnecessary cache invalidations.
> >
> > On Fri, Nov 27, 2015 at 8:42 PM, Lohitha Chiranjeewa wrote:
> >
> > I'm invoking the following API call:
> > https://{host}/auth/admin/realms/xxxxx/users/55ffe851-2d94-460e-88b9-bc7340531b56
> > (same realm and user ID over and over again). The two HA
> > server(s) are idle apart from serving those calls. And I'm
> > seeing the following SQL getting logged in my MySQL log for
> > each and every call:
> >
> > select userentity0_.ID as ID1_42_,
> > userentity0_.CREATED_TIMESTAMP as CREATED_2_42_,
> > userentity0_.EMAIL as EMAIL3_42_,
> > userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_42_,
> > userentity0_.EMAIL_VERIFIED as EMAIL_VE5_42_,
> > userentity0_.ENABLED as ENABLED6_42_,
> > userentity0_.federation_link as federati7_42_,
> > userentity0_.FIRST_NAME as FIRST_NA8_42_,
> > userentity0_.LAST_NAME as LAST_NAM9_42_,
> > userentity0_.REALM_ID as REALM_I10_42_,
> > userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE11_42_,
> > userentity0_.TOTP as TOTP12_42_,
> > userentity0_.USERNAME as USERNAM13_42_
> > from USER_ENTITY userentity0_
> > where userentity0_.ID='55ffe851-2d94-460e-88b9-bc7340531b56'
> > and userentity0_.REALM_ID='xxxxx'
> >
> > On Fri, Nov 27, 2015 at 8:03 PM, Stian Thorgersen wrote:
> >
> > Strange - what are you doing and what are the SQL queries?
> >
> > On 27 November 2015 at 15:23, Lohitha Chiranjeewa wrote:
> >
> > Yes Stian, that I understand. But the problem here
> > is even if I execute continuous user retrieval calls
> > (same user - no other functionality in between),
> > still MySQL select queries get executed for each
> > call. So there lies an issue, isn't it?
> >
> > On Fri, Nov 27, 2015 at 6:48 PM, Stian Thorgersen wrote:
> >
> > Things are still fetched from MySQL. Realms,
> > clients, users, etc. are then kept in the
> > cache, but if it changes it's re-loaded from
> > MySQL. We use an invalidation cache, not a
> > distributed cache.
> >
> > On 27 November 2015 at 14:04, Lohitha Chiranjeewa wrote:
> >
> > What I mean is, if it were working, I
> > shouldn't see mysql queries getting executed,
> > right? So my guess is data is still fetched
> > from the db instead of the cache.
> >
> > On Nov 27, 2015 5:52 PM, "Stian Thorgersen" wrote:
> >
> > Yup, so it's working now?
> >
> > On 27 November 2015 at 13:20, Lohitha Chiranjeewa wrote:
> >
> > Apologies, keycloak-server.json entries should change to:
> >
> > "realm": {
> > "provider": "jpa"
> > },
> >
> > "user": {
> > "provider": "jpa"
> > },
> >
> > "userSessionPersister": {
> > "provider": "jpa"
> > },
> >
> > On Fri, Nov 27, 2015 at 5:49 PM, Lohitha Chiranjeewa wrote:
> >
> > Hi Stian,
> >
> > As per the migration guide, I should have Infinispan up and
> > running for realms, users and user sessions without doing any
> > specific changes. keycloak-server.json was reverted back to
> > have the following entries:
> > ...
> > "realm": {
> > "provider": "infinispan"
> > },
> >
> > "user": {
> > "provider": "infinispan"
> > },
> >
> > "userSessionPersister": {
> > "provider": "infinispan"
> > },
> > ...
> >
> > In the Admin Console I have both Realm Cache and User Cache
> > enabled. I see certain Infinispan related logs getting
> > logged as well.
> >
> > However, at the same time, I see MySQL queries getting executed
> > for all user retrieval API invocations (even if the same
> > user is retrieved continuously):
> > ...
> > select userentity0_.ID as ID1_42_,
> > userentity0_.CREATED_TIMESTAMP as CREATED_2_42_,
> > userentity0_.EMAIL as EMAIL3_42_,
> > userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_42_,
> > userentity0_.EMAIL_VERIFIED as EMAIL_VE5_42_,
> > userentity0_.ENABLED as ENABLED6_42_,
> > userentity0_.federation_link as federati7_42_,
> > userentity0_.FIRST_NAME as FIRST_NA8_42_,
> > userentity0_.LAST_NAME as LAST_NAM9_42_,
> > userentity0_.REALM_ID as REALM_I10_42_,
> > userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE11_42_,
> > userentity0_.TOTP as TOTP12_42_,
> > userentity0_.USERNAME as USERNAM13_42_
> > from USER_ENTITY userentity0_
> > where userentity0_.ID='55ffe851-2d94-460e-88b9-bc7340531b56'
> > and userentity0_.REALM_ID='xxxxx'
> > ...
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Mon Nov 30 09:19:11 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 30 Nov 2015 09:19:11 -0500
Subject: [keycloak-user] How to enable Infinispan cache for realms, users and user sessions in Keycloak 1.6.1?
In-Reply-To:
References: <565C532C.1020201@redhat.com>
Message-ID: <565C5ADF.5060800@redhat.com>

Can you describe your load tests please? What kind of authentication are you doing? The only thing that would cause invalidations is HOTP.

On 11/30/2015 9:13 AM, Lohitha Chiranjeewa wrote:
> Bill, the problem here is that our load tests cannot go beyond a paltry
> 15-20 concurrent threads with the default set up (invalidation caches
> with SYNC mode - two HA AWS M3-Medium servers). Hence we're trying to
> find ways to improve on the performance and the avg response time under
> a load.
>
> On Mon, Nov 30, 2015 at 7:16 PM, Bill Burke wrote:
>
> BTW, besides being more scalable, we invalidate rather than replicate to
> avoid transmitting sensitive security data over the network.
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From sthorger at redhat.com Mon Nov 30 09:26:16 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 30 Nov 2015 15:26:16 +0100
Subject: [keycloak-user] Infinispan caching issues because of unserializable classes
In-Reply-To:
References: <565C52E8.2010308@redhat.com> <565C5364.8090505@redhat.com> <565C5683.5030805@redhat.com>
Message-ID:

I would not recommend setting async as you may get unpredictable behavior

On 30 November 2015 at 15:07, Lohitha Chiranjeewa wrote:

> Yes, the 'mode' of 'realms' and 'users' caches were changed to 'ASYNC'.
> This causes the app to store the invalidations temporarily w/o sending to
> other nodes and flush them all only when a threshold value is reached. I
> think this storage method causes the Serialization issue.
>
> On Mon, Nov 30, 2015 at 7:30 PM, Bill Burke wrote:
>
>> Did you change caching configuration?
>>
>> On 11/30/2015 8:50 AM, Lohitha Chiranjeewa wrote:
>>
>>> Issue came up with Realm and User caches. Not User Sessions.
>>>
>>> On Mon, Nov 30, 2015 at 7:17 PM, Bill Burke wrote:
>>>
>>>     Or is this related to UserSession cache?
>>>
>>>     On 11/30/2015 8:45 AM, Bill Burke wrote:
>>>     > We don't replicate at all. Why would this be an issue?
>>>     >
>>>     > On 11/30/2015 8:41 AM, Lohitha Chiranjeewa wrote:
>>>     >> When Infinispan caching is enabled in ASYNC mode, exceptions get logged
>>>     >> at startup due to serialization issues. Basically the following classes
>>>     >> have to implement the Serializable interface:
>>>     >>
>>>     >> org.keycloak.models.OTPPolicy
>>>     >> org.keycloak.models.RequiredActionProviderModel
>>>     >>
>>>     >> There could be other classes as well.
>>>     >>
>>>     >> Is this already fixed in 1.7.0 code or shall I put a JIRA?
>>>     >>
>>>     >> Regards,
>>>     >> Lohitha.
>>>     >>
>>>     >> _______________________________________________
>>>     >> keycloak-user mailing list
>>>     >> keycloak-user at lists.jboss.org
>>>     >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>     --
>>>     Bill Burke
>>>     JBoss, a division of Red Hat
>>>     http://bill.burkecentral.com
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151130/eec52d53/attachment-0001.html

From sthorger at redhat.com Mon Nov 30 09:33:58 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 30 Nov 2015 15:33:58 +0100
Subject: [keycloak-user] How to enable Infinispan cache for realms, users and user sessions in Keycloak 1.6.1?
In-Reply-To: <565C5ADF.5060800@redhat.com>
References: <565C532C.1020201@redhat.com> <565C5ADF.5060800@redhat.com>
Message-ID:

If you can try building master and enable trace logging for
"org.keycloak.models.cache.infinispan.InfinispanCacheUserProviderFactory".
It will print log statements when entries are removed/invalidated in the
cache.

On 30 November 2015 at 15:19, Bill Burke wrote:

> Can you describe your load tests please? What kind of authentication
> are you doing? The only thing that would cause invalidations is HOTP.
>
> On 11/30/2015 9:13 AM, Lohitha Chiranjeewa wrote:
> > Bill, the problem here is that our load tests cannot go beyond a paltry
> > 15-20 concurrent threads with the default set up (invalidation caches
> > with SYNC mode - two HA AWS M3-Medium servers). Hence we're trying to
> > find ways to improve on the performance and the avg response time under
> > a load.
> >
> > On Mon, Nov 30, 2015 at 7:16 PM, Bill Burke wrote:
> >
> >     BTW, besides being more scalable, we invalidate rather than replicate to
> >     avoid transmitting sensitive security data over the network.
> >
> >     On 11/30/2015 8:29 AM, Lohitha Chiranjeewa wrote:
> >     > Glad if you could look into the above and check if there are app level
> >     > issues related to invalidations, thanks.
> >     >
> >     > One way to get around this through config changes is to make the
> >     > relevant cache modes 'ASYNC' and set up suitable values for 'queue-size'
> >     > and 'queue-flush-interval' depending on your needs. Then the
> >     > invalidations won't happen with each and every call.
> >     >
> >     > Obviously there would be problems if caches aren't invalidated in time
> >     > with the above set up, it's up to the devs to come up with a suitable
> >     > set of configs to cater to their needs.
> >     >
> >     > Regards,
> >     > Lohitha.
> >     >
> >     > On Mon, Nov 30, 2015 at 1:08 PM, Stian Thorgersen wrote:
> >     >
> >     > It is not expected behavior. Users should only be invalidated if
> >     > changes are made.
> >     >
> >     > On 30 November 2015 at 07:01, Lohitha Chiranjeewa wrote:
> >     >
> >     > Just tested the same flow extensively with Keycloak 1.2.0 as well, and
> >     > it seems the behavior is the same. Lots of MySQL select queries getting
> >     > executed with each call. Seems there's a number of unnecessary cache
> >     > invalidations going on which causes Keycloak to fetch data from the DB
> >     > over and over.
> >     >
> >     > Could you please confirm if this is the expected behavior? As far as I
> >     > can see there's considerable performance degradation due to unnecessary
> >     > cache invalidations.
> >     >
> >     > On Fri, Nov 27, 2015 at 8:42 PM, Lohitha Chiranjeewa wrote:
> >     >
> >     > I'm invoking the following API call:
> >     > https://{host}/auth/admin/realms/xxxxx/users/55ffe851-2d94-460e-88b9-bc7340531b56
> >     > (same realm and user ID over and over again). The two HA server(s) are
> >     > idle apart from serving those calls. And I'm seeing the following SQL
> >     > getting logged in my MySQL log for each and every call:
> >     >
> >     > select userentity0_.ID as ID1_42_,
> >     > userentity0_.CREATED_TIMESTAMP as CREATED_2_42_,
> >     > userentity0_.EMAIL as EMAIL3_42_,
> >     > userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_42_,
> >     > userentity0_.EMAIL_VERIFIED as EMAIL_VE5_42_,
> >     > userentity0_.ENABLED as ENABLED6_42_,
> >     > userentity0_.federation_link as federati7_42_,
> >     > userentity0_.FIRST_NAME as FIRST_NA8_42_,
> >     > userentity0_.LAST_NAME as LAST_NAM9_42_,
> >     > userentity0_.REALM_ID as REALM_I10_42_,
> >     > userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE11_42_,
> >     > userentity0_.TOTP as TOTP12_42_, userentity0_.USERNAME as
> >     > USERNAM13_42_ from USER_ENTITY userentity0_ where
> >     > userentity0_.ID='55ffe851-2d94-460e-88b9-bc7340531b56' and
> >     > userentity0_.REALM_ID='xxxxx'
> >     >
> >     > On Fri, Nov 27, 2015 at 8:03 PM, Stian Thorgersen wrote:
> >     >
> >     > Strange - what are you doing and what are the SQL queries?
> >     >
> >     > On 27 November 2015 at 15:23, Lohitha Chiranjeewa wrote:
> >     >
> >     > Yes Stian, that I understand. But the problem here is even if I execute
> >     > continuous user retrieval calls (same user - no other functionality in
> >     > between), still MySQL select queries get executed for each call. So
> >     > there lies an issue isn't it?
> >     >
> >     > On Fri, Nov 27, 2015 at 6:48 PM, Stian Thorgersen wrote:
> >     >
> >     > Things are still fetched from MySQL. Realms, clients, users, etc.. are
> >     > then kept in the cache, but if it changes it's re-loaded from MySQL. We
> >     > use an invalidation cache, not a distributed cache.
> >     >
> >     > On 27 November 2015 at 14:04, Lohitha Chiranjeewa wrote:
> >     >
> >     > What I mean is, if it were working, I shouldn't see mysql queries
> >     > getting executed right? So my guess is data is still fetched from the db
> >     > instead of the cache.
> >     >
> >     > On Nov 27, 2015 5:52 PM, "Stian Thorgersen" wrote:
> >     >
> >     > Yup, so it's working now?
> >     >
> >     > On 27 November 2015 at 13:20, Lohitha Chiranjeewa wrote:
> >     >
> >     > Apologies, keycloak-server.json entries should change to:
> >     >
> >     > "realm": {
> >     >     "provider": "jpa"
> >     > },
> >     >
> >     > "user": {
> >     >     "provider": "jpa"
> >     > },
> >     >
> >     > "userSessionPersister": {
> >     >     "provider": "jpa"
> >     > },
> >     >
> >     > On Fri, Nov 27, 2015 at 5:49 PM, Lohitha Chiranjeewa wrote:
> >     >
> >     > Hi Stian,
> >     >
> >     > As per the migration guide, I should have Infinispan up and running for
> >     > realms, users and user sessions without doing any specific changes.
> >     > keycloak-server.json was reverted back to have the following entries:
> >     > ...
> >     > "realm": {
> >     >     "provider": "infinispan"
> >     > },
> >     >
> >     > "user": {
> >     >     "provider": "infinispan"
> >     > },
> >     >
> >     > "userSessionPersister": {
> >     >     "provider": "infinispan"
> >     > },
> >     > ...
> >     >
> >     > In the Admin Console I have both Realm Cache and User Cache enabled. I
> >     > see certain Infinispan related logs getting logged as well.
> >     >
> >     > However, at the same time, I see MySQL queries getting executed for all
> >     > user retrieval API invocations (even if the same user is retrieved
> >     > continuously):
> >     > ...
> >     > select userentity0_.ID as ID1_42_,
> >     > userentity0_.CREATED_TIMESTAMP as CREATED_2_42_,
> >     > userentity0_.EMAIL as EMAIL3_42_,
> >     > userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_42_,
> >     > userentity0_.EMAIL_VERIFIED as EMAIL_VE5_42_,
> >     > userentity0_.ENABLED as ENABLED6_42_,
> >     > userentity0_.federation_link as federati7_42_,
> >     > userentity0_.FIRST_NAME as FIRST_NA8_42_,
> >     > userentity0_.LAST_NAME as LAST_NAM9_42_,
> >     > userentity0_.REALM_ID as REALM_I10_42_,
> >     > userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE11_42_,
> >     > userentity0_.TOTP as TOTP12_42_, userentity0_.USERNAME as
> >     > USERNAM13_42_ from USER_ENTITY userentity0_ where
> >     > userentity0_.ID='55ffe851-2d94-460e-88b9-bc7340531b56' and
> >     > userentity0_.REALM_ID='xxxxx'
> >     > ...
> >     >
> >     > So it seems something is wrong here. Could you point out any areas that
> >     > I could further look into?
> >     >
> >     > Regards,
> >     > Lohitha.
> >     >
> >     > On Thu, Nov 26, 2015 at 7:58 PM, Stian Thorgersen wrote:
> >     >
> >     > Please read the migration guide
> >     >
> >     > On 26 November 2015 at 14:53, Lohitha Chiranjeewa wrote:
> >     >
> >     > Hi,
> >     >
> >     > We're in the process of assessing the impact on upgrading from Keycloak
> >     > 1.2.0 to 1.6.1. We came across an issue when trying to enable
> >     > Infinispan cache through the keycloak-server.json file as we used to do
> >     > in 1.2.0.
> >     >
> >     > [...]
> >     >
> >     > _______________________________________________
> >     > keycloak-user mailing list
> >     > keycloak-user at lists.jboss.org
> >     > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >     --
> >     Bill Burke
> >     JBoss, a division of Red Hat
> >     http://bill.burkecentral.com
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151130/ad883c5f/attachment-0001.html

From bburke at redhat.com Mon Nov 30 09:47:15 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 30 Nov 2015 09:47:15 -0500
Subject: [keycloak-user] How to enable Infinispan cache for realms, users and user sessions in Keycloak 1.6.1?
In-Reply-To:
References: <565C532C.1020201@redhat.com> <565C5ADF.5060800@redhat.com>
Message-ID: <565C6173.4000001@redhat.com>

I just did a loop test on GET https://{host}/auth/admin/realms/xxxxx/users/xxxx.
The same userid over and over as you described. I see zero invalidations.
Are you sure you aren't doing any updates?
On 11/30/2015 9:33 AM, Stian Thorgersen wrote:
> If you can try building master and enable trace logging for
> "org.keycloak.models.cache.infinispan.InfinispanCacheUserProviderFactory".
> It will print log statements when entries are removed/invalidated in the
> cache.
>
> On 30 November 2015 at 15:19, Bill Burke wrote:
>
> > Can you describe your load tests please? What kind of authentication
> > are you doing? The only thing that would cause invalidations is HOTP.
> >
> > On 11/30/2015 9:13 AM, Lohitha Chiranjeewa wrote:
> > > Bill, the problem here is that our load tests cannot go beyond a paltry
> > > 15-20 concurrent threads with the default set up (invalidation caches
> > > with SYNC mode - two HA AWS M3-Medium servers). Hence we're trying to
> > > find ways to improve on the performance and the avg response time under
> > > a load.
> > >
> > > On Mon, Nov 30, 2015 at 7:16 PM, Bill Burke wrote:
> > >
> > >     BTW, besides being more scalable, we invalidate rather than replicate to
> > >     avoid transmitting sensitive security data over the network.
> > >
> > >     [...]
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From kalc04 at gmail.com Mon Nov 30 09:49:42 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Mon, 30 Nov 2015 20:19:42 +0530
Subject: [keycloak-user] How to enable Infinispan cache for realms, users and user sessions in Keycloak 1.6.1?
In-Reply-To: <565C6173.4000001@redhat.com>
References: <565C532C.1020201@redhat.com> <565C5ADF.5060800@redhat.com> <565C6173.4000001@redhat.com>
Message-ID:

Bill,

This particular load test consists of four API calls, starting with authentication:

1) Invoke {host}/auth/realms/xxxx/protocol/openid-connect/token with "username={username}&password={password}&grant_type=password" as the body - we get the Access Token from this and use it for subsequent API calls
2) Get user by User ID
3) Get Realm Roles of above user
4) Get Client Roles of a single given client for above user

We run this test suite with concurrent threads (same superuser for authentication, but steps 2,3,4 for different users). But with our 2 highly available M3-Medium server setup, it is impossible to go beyond 10-15 threads w/o the processor hitting 100% usage.

During the tests, we see millions (figuratively) of invalidation logs like this:
[2015-11-30 14:32:08.0823], DEBUG, org.infinispan.interceptors.InvalidationInterceptor Timer-2 - Cache [dev-idm-a1] replicating InvalidateCommand{keys=[40113545-5069-47c4-bf1c-8f58a303caf6]}

Regards,
Lohitha.

On Mon, Nov 30, 2015 at 8:17 PM, Bill Burke wrote:
> I just did a loop test on GET https://{host}/auth/admin/realms/xxxxx/users/xxxx. The same userid over and over as you described. I see zero invalidations. Are you sure you aren't doing any updates?
>
> On 11/30/2015 9:33 AM, Stian Thorgersen wrote:
>> If you can try building master and enable trace logging for "org.keycloak.models.cache.infinispan.InfinispanCacheUserProviderFactory". It will print log statements when entries are removed/invalidated in the cache.
>>
>> On 30 November 2015 at 15:19, Bill Burke wrote:
>>
>> Can you describe your load tests please? What kind of authentication are you doing? The only thing that would cause invalidations is HOTP.
>>
>> On 11/30/2015 9:13 AM, Lohitha Chiranjeewa wrote:
>> > Bill, the problem here is that our load tests cannot go beyond a paltry 15-20 concurrent threads with the default set up (invalidation caches with SYNC mode - two HA AWS M3-Medium servers). Hence we're trying to find ways to improve on the performance and the avg response time under a load.
>> >
>> > On Mon, Nov 30, 2015 at 7:16 PM, Bill Burke wrote:
>> >
>> > BTW, besides being more scalable, we invalidate rather than replicate to avoid transmitting sensitive security data over the network.
>> >
>> > On 11/30/2015 8:29 AM, Lohitha Chiranjeewa wrote:
>> > > Glad if you could look into the above and check if there are app level issues related to invalidations, thanks.
>> > >
>> > > One way to get around this through config changes is to make the relevant cache modes 'ASYNC' and set up suitable values for 'queue-size' and 'queue-flush-interval' depending on your needs. Then the invalidations won't happen with each and every call.
>> > >
>> > > Obviously there would be problems if caches aren't invalidated in time with the above set up; it's up to the devs to come up with a suitable set of configs to cater to their needs.
>> > >
>> > > Regards,
>> > > Lohitha.
>> > >
>> > > On Mon, Nov 30, 2015 at 1:08 PM, Stian Thorgersen wrote:
>> > >
>> > > It is not expected behavior. Users should only be invalidated if changes are made.
>> > >
>> > > On 30 November 2015 at 07:01, Lohitha Chiranjeewa wrote:
>> > >
>> > > Just tested the same flow extensively with Keycloak 1.2.0 as well, and it seems the behavior is the same. Lots of MySQL select queries getting executed with each call. Seems there's a number of unnecessary cache invalidations going on which causes Keycloak to fetch data from the DB over and over.
>> > >
>> > > Could you please confirm if this is the expected behavior? As far as I can see there's considerable performance degradation due to unnecessary cache invalidations.
>> > >
>> > > On Fri, Nov 27, 2015 at 8:42 PM, Lohitha Chiranjeewa wrote:
>> > >
>> > > I'm invoking the following API call: https://{host}/auth/admin/realms/xxxxx/users/55ffe851-2d94-460e-88b9-bc7340531b56 (same realm and user ID over and over again). The two HA server(s) are idle apart from serving those calls. And I'm seeing the following SQL getting logged in my MySQL log for each and every call:
>> > >
>> > > select userentity0_.ID as ID1_42_, userentity0_.CREATED_TIMESTAMP as CREATED_2_42_, userentity0_.EMAIL as EMAIL3_42_, userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_42_, userentity0_.EMAIL_VERIFIED as EMAIL_VE5_42_, userentity0_.ENABLED as ENABLED6_42_, userentity0_.federation_link as federati7_42_, userentity0_.FIRST_NAME as FIRST_NA8_42_, userentity0_.LAST_NAME as LAST_NAM9_42_, userentity0_.REALM_ID as REALM_I10_42_, userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE11_42_, userentity0_.TOTP as TOTP12_42_, userentity0_.USERNAME as USERNAM13_42_ from USER_ENTITY userentity0_ where userentity0_.ID='55ffe851-2d94-460e-88b9-bc7340531b56' and userentity0_.REALM_ID='xxxxx'
>> > >
>> > > On Fri, Nov 27, 2015 at 8:03 PM, Stian Thorgersen wrote:
>> > >
>> > > Strange - what are you doing and what are the SQL queries?
>> > >
>> > > On 27 November 2015 at 15:23, Lohitha Chiranjeewa wrote:
>> > >
>> > > Yes Stian, that I understand. But the problem here is even if I execute continuous user retrieval calls (same user - no other functionality in between), still MySQL select queries get executed for each call. So there lies an issue, isn't it?
>> > >
>> > > On Fri, Nov 27, 2015 at 6:48 PM, Stian Thorgersen wrote:
>> > >
>> > > Things are still fetched from MySQL. Realms, clients, users, etc. are then kept in the cache, but if it changes it's re-loaded from MySQL. We use an invalidation cache, not a distributed cache.
>> > >
>> > > On 27 November 2015 at 14:04, Lohitha Chiranjeewa wrote:
>> > >
>> > > What I mean is, if it were working, I shouldn't see mysql queries getting executed, right? So my guess is data is still fetched from the db instead of the cache.
>> > >
>> > > On Nov 27, 2015 5:52 PM, "Stian Thorgersen" wrote:
>> > >
>> > > Yup, so it's working now?
>> > >
>> > > On 27 November 2015 at 13:20, Lohitha Chiranjeewa wrote:
>> > >
>> > > Apologies, keycloak-server.json entries should change to:
>> > >
>> > > "realm": {
>> > >   "provider": "jpa"
>> > > },
>> > >
>> > > "user": {
>> > >   "provider": "jpa"
>> > > },
>> > >
>> > > "userSessionPersister": {
>> > >   "provider": "jpa"
>> > > },
>> > >
>> > > On Fri, Nov 27, 2015 at 5:49 PM, Lohitha Chiranjeewa wrote:
>> > >
>> > > Hi Stian,
>> > >
>> > > As per the migration guide, I should have Infinispan up and running for realms, users and user sessions without doing any specific changes. keycloak-server.json was reverted back to have the following entries:
>> > > ...
>> > > "realm": {
>> > >   "provider": "infinispan"
>> > > },
>> > >
>> > > "user": {
>> > >   "provider": "infinispan"
>> > > },
>> > >
>> > > "userSessionPersister": {
>> > >   "provider": "infinispan"
>> > > },
>> > > ...
>> > >
>> > > In the Admin Console I have both Realm Cache and User Cache enabled. I see certain Infinispan related logs getting logged as well.
>> > >
>> > > However, at the same time, I see MySQL queries getting executed for all user retrieval API invocations (even if the same user is retrieved continuously):
>> > > ...
>> > > select userentity0_.ID as ID1_42_, userentity0_.CREATED_TIMESTAMP as CREATED_2_42_, userentity0_.EMAIL as EMAIL3_42_, userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_42_, userentity0_.EMAIL_VERIFIED as EMAIL_VE5_42_, userentity0_.ENABLED as ENABLED6_42_, userentity0_.federation_link as federati7_42_, userentity0_.FIRST_NAME as FIRST_NA8_42_, userentity0_.LAST_NAME as LAST_NAM9_42_, userentity0_.REALM_ID as REALM_I10_42_, userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE11_42_, userentity0_.TOTP as TOTP12_42_, userentity0_.USERNAME as USERNAM13_42_ from USER_ENTITY userentity0_ where userentity0_.ID='55ffe851-2d94-460e-88b9-bc7340531b56' and userentity0_.REALM_ID='xxxxx'
>> > > ...
>> > >
>> > > So it seems something is wrong here. Could you point out any areas that I could further look into?
>> > >
>> > > Regards,
>> > > Lohitha.
>> > > _______________________________________________
>> > > keycloak-user mailing list
>> > > keycloak-user at lists.jboss.org
>> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151130/c007aa7b/attachment-0001.html

From DSzeto at investlab.com Mon Nov 30 09:56:58 2015
From: DSzeto at investlab.com (Doug Szeto)
Date: Mon, 30 Nov 2015 14:56:58 +0000
Subject: [keycloak-user] Theme Resources Urls
In-Reply-To:
References: ,
Message-ID:

What do you mean by 'You can't customize the url format'?

Is there a design decision reason why it is more secure to have your keycloak version exposed in the middle of your theme resource urls?

Or would it be easier if you had a pull request?
--Doug

________________________________
From: Stian Thorgersen
Sent: Monday, November 30, 2015 15:35
To: Doug Szeto
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Theme Resources Urls

You can't customize the url format. Not sure how it would help during upgrades? I'd say the opposite as you end up with cached versions for the old release not being updated.

On 28 November 2015 at 03:54, Doug Szeto wrote:

Hi,
I have created a custom theme as specified in your docs here:
http://keycloak.github.io/docs/userguide/keycloak-server/html/themes.html
It functions in the browser, in that these configs tell you where the theme customization resources are stored locally, but the end result is the resources are served from the url format pattern of:

http://localhost:8080/auth/resources/1.6.1.final/login/keycloak/css/login.css

Is there a way to customize the theme url format to scrub the version number off the css/image/js resources? This will help out in monitoring and upgrades.

Thanks,
--Doug
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151130/b0ba89f8/attachment.html

From parul.com at gmail.com Mon Nov 30 10:03:34 2015
From: parul.com at gmail.com (Arulkumar Ponnusamy)
Date: Mon, 30 Nov 2015 20:33:34 +0530
Subject: [keycloak-user] Fwd: Keycloak service provider Metadata support for SAML support
In-Reply-To:
References:
Message-ID:

Hi Bill,
Do you have any update on this?

On Mon, Nov 30, 2015 at 2:39 PM, Stian Thorgersen wrote:
> Bill - is there a way to get the entity descriptor for an application using the Keycloak SP adapter? To then import into PicketLink.
>
> On 30 November 2015 at 09:47, Arulkumar Ponnusamy wrote:
>
>> Hi Stian,
>> Yes, clients from entity descriptors.
>> I don't understand the "import the file" part. Where to import the file? I have both the IDP (picketlink) and the SP (keycloak) under my WEB-INF file, but I don't see any SAML communication between SP and IDP happening.
>>
>> I am new to SAML, and for a beginner picketlink has so many examples for both IDP and SP, which is awesome and gives a clear picture of what needs to be done. But those examples are missing for the keycloak SAML Service provider. There are only three examples for keycloak, and those are somehow not detailed.
>>
>> On Mon, Nov 30, 2015 at 1:07 PM, Stian Thorgersen wrote:
>>
>>> Are you asking if Keycloak can create clients from entity descriptors? Then yes. Create client and import the file.
>>>
>>> On 30 November 2015 at 05:02, Arulkumar Ponnusamy wrote:
>>>
>>>> Hi All,
>>>> Does the keycloak service provider support metadata? I don't find any reference document on this for keycloak. There is no adapter which talks about metadata. Even when I looked at the examples, there are three examples which talk about POST, REDIRECT and encryption.
>>>>
>>>> Any reference document on Keycloak SAML Service provider Metadata?
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151130/2c92a8a5/attachment.html

From bburke at redhat.com Mon Nov 30 10:07:40 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 30 Nov 2015 10:07:40 -0500
Subject: [keycloak-user] Theme Resources Urls
In-Reply-To:
References:
Message-ID: <565C663C.8060808@redhat.com>

Browser caching is turned on for themed resources (admin console, login, etc.). This is obviously for performance reasons.
In the past we received a HUGE amount of false bug reports of "Admin console doesn't work", "my theme changes aren't showing", etc. after upgrading Keycloak. All because people didn't clear their browser caches. Hence, the version id.

You should not be externally linking to themed endpoints. You can use a different URL to ping the server for "is alive", i.e. //realms/{realm-name}

On 11/30/2015 9:56 AM, Doug Szeto wrote:
> What do you mean by 'You can't customize the url format'?
>
> Is there a design decision reason why it is more secure to have your keycloak version exposed in the middle of your theme resource urls?
>
> Or would it be easier if you had a pull request?
>
> --Doug
>
> ------------------------------------------------------------------------
> *From:* Stian Thorgersen
> *Sent:* Monday, November 30, 2015 15:35
> *To:* Doug Szeto
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Theme Resources Urls
>
> You can't customize the url format. Not sure how it would help during upgrades? I'd say the opposite as you end up with cached versions for the old release not being updated.
>
> On 28 November 2015 at 03:54, Doug Szeto wrote:
>
> Hi,
> I have created a custom theme as specified in your docs here:
> http://keycloak.github.io/docs/userguide/keycloak-server/html/themes.html
> It functions in the browser, in that these configs tell you where the theme customization resources are stored locally, but the end result is the resources are served from the url format pattern of:
>
> http://localhost:8080/auth/resources/1.6.1.final/login/keycloak/css/login.css
>
> Is there a way to customize the theme url format to scrub the version number off the css/image/js resources? This will help out in monitoring and upgrades.
>
> Thanks,
> --Doug
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Mon Nov 30 10:09:44 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 30 Nov 2015 10:09:44 -0500
Subject: [keycloak-user] How to enable Infinispan cache for realms, users and user sessions in Keycloak 1.6.1?
In-Reply-To:
References: <565C532C.1020201@redhat.com> <565C5ADF.5060800@redhat.com> <565C6173.4000001@redhat.com>
Message-ID: <565C66B8.9040601@redhat.com>

You do steps 1-4 in a continuous loop? Or do you just get the token once and do steps 2-4 in a continuous loop?

I want to figure out why you are getting so many invalidation messages, but there are other things that can peg the cpu. If you are using a large value for password hash iterations, this can peg the CPU very quickly on a small number of threads.

On 11/30/2015 9:49 AM, Lohitha Chiranjeewa wrote:
> Bill,
>
> This particular load test consists of four API calls, starting with authentication:
>
> 1) Invoke {host}/auth/realms/xxxx/protocol/openid-connect/token with "username={username}&password={password}&grant_type=password" as the body - we get the Access Token from this and use it for subsequent API calls
> 2) Get user by User ID
> 3) Get Realm Roles of above user
> 4) Get Client Roles of a single given client for above user
>
> We run this test suite with concurrent threads (same superuser for authentication, but steps 2,3,4 for different users). But with our 2 highly available M3-Medium server setup, it is impossible to go beyond 10-15 threads w/o the processor hitting 100% usage.
>
> During the tests, we see millions (figuratively) of invalidation logs like this:
> [2015-11-30 14:32:08.0823], DEBUG, org.infinispan.interceptors.InvalidationInterceptor Timer-2 - Cache [dev-idm-a1] replicating InvalidateCommand{keys=[40113545-5069-47c4-bf1c-8f58a303caf6]}
>
> Regards,
> Lohitha.
> > > > > > One way to get around this through config changes > is to make the > > > relevant cache modes 'ASYNC' and set up suitable > values for 'queue-size' > > > and 'queue-flush-interval' depending on your needs. > Then the > > > invalidations won't happen with each and every call. > > > > > > Obviously there would be problems if caches aren't > invalidated in time > > > with the above set up, it's up to the devs to come > up with a suitable > > > set of configs to cater to their needs. > > > > > > > > > Regards, > > > Lohitha. > > > > > > > > > > > > On Mon, Nov 30, 2015 at 1:08 PM, Stian Thorgersen > > > > > >> > > > > > > >>>> wrote: > > > > > > It is not expected behavior. Users should only > be invalidated if > > > changes are made. > > > > > > On 30 November 2015 at 07:01, Lohitha > Chiranjeewa > > > > >> > > > > > >>>> wrote: > > > > > > Just tested the same flow extensively with > Keycloak 1.2.0 as > > > well, and it seems the behavior is the > same. Lots of MySQL > > > select queries getting executed with each > call. Seems there's a > > > number of unnecessary cache invalidations > going on which causes > > > Keycloak to fetch data from the DB over and > over. > > > > > > Could you please confirm if this is the > expected behavior? As > > > far as I can see there's considerable > performance degradation > > > due to unnecessary cache invalidations. > > > > > > > > > On Fri, Nov 27, 2015 at 8:42 PM, Lohitha > Chiranjeewa > > > > > > >> > > > > > > >>>> wrote: > > > > > > I'm invoking the following API call: > > > > https://{host}/auth/admin/realms/xxxxx/users/55ffe851-2d94-460e-88b9-bc7340531b56 > > > (same realm and user ID over and over > again). The two HA > > > server(s) are idle apart from serving > those calls. 
> And I'm seeing the following SQL getting logged in my MySQL log for each and every call:
>
> select userentity0_.ID as ID1_42_,
>   userentity0_.CREATED_TIMESTAMP as CREATED_2_42_,
>   userentity0_.EMAIL as EMAIL3_42_,
>   userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_42_,
>   userentity0_.EMAIL_VERIFIED as EMAIL_VE5_42_,
>   userentity0_.ENABLED as ENABLED6_42_,
>   userentity0_.federation_link as federati7_42_,
>   userentity0_.FIRST_NAME as FIRST_NA8_42_,
>   userentity0_.LAST_NAME as LAST_NAM9_42_,
>   userentity0_.REALM_ID as REALM_I10_42_,
>   userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE11_42_,
>   userentity0_.TOTP as TOTP12_42_,
>   userentity0_.USERNAME as USERNAM13_42_
> from USER_ENTITY userentity0_
> where userentity0_.ID='55ffe851-2d94-460e-88b9-bc7340531b56'
>   and userentity0_.REALM_ID='xxxxx'
>
> On Fri, Nov 27, 2015 at 8:03 PM, Stian Thorgersen wrote:
>
> Strange - what are you doing and what are the SQL queries?
>
> On 27 November 2015 at 15:23, Lohitha Chiranjeewa wrote:
>
> Yes Stian, that I understand. But the problem here is even if I execute continuous user retrieval calls (same user - no other functionality in between), still MySQL select queries get executed for each call. So there lies an issue, doesn't it?
>
> On Fri, Nov 27, 2015 at 6:48 PM, Stian Thorgersen wrote:
>
> Things are still fetched from MySQL. Realms, clients, users, etc. are then kept in the cache, but if it changes it's re-loaded from MySQL. We use an invalidation cache, not a distributed cache.
>
> On 27 November 2015 at 14:04, Lohitha Chiranjeewa wrote:
>
> What I mean is, if it were working, I shouldn't see mysql queries getting executed right? So my guess is data is still fetched from the db instead of the cache.
>
> On Nov 27, 2015 5:52 PM, "Stian Thorgersen" wrote:
>
> Yup, so it's working now?
>
> On 27 November 2015 at 13:20, Lohitha Chiranjeewa wrote:
>
> Apologies, keycloak-server.json entries should change to:
>
> "realm": {
>     "provider": "jpa"
> },
>
> "user": {
>     "provider": "jpa"
> },
>
> "userSessionPersister": {
>     "provider": "jpa"
> },
>
> On Fri, Nov 27, 2015 at 5:49 PM, Lohitha Chiranjeewa wrote:
>
> Hi Stian,
>
> As per the migration guide, I should have Infinispan up and running for realms, users and user sessions without doing any specific changes. keycloak-server.json was reverted back to have the following entries:
> ...
> "realm": {
>     "provider": "infinispan"
> },
>
> "user": {
>     "provider": "infinispan"
> },
>
> "userSessionPersister": {
>     "provider": "infinispan"
> },
> ...
>
> In the Admin Console I have both Realm Cache and User Cache enabled. I see certain Infinispan related logs getting logged as well.
>
> However, at the same time, I see MySQL queries getting executed for all user retrieval API invocations (even if the same user is retrieved continuously):
> ...
> select userentity0_.ID as ID1_42_,
>   userentity0_.CREATED_TIMESTAMP as CREATED_2_42_,
>   userentity0_.EMAIL as EMAIL3_42_,
>   userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_42_,
>   userentity0_.EMAIL_VERIFIED as EMAIL_VE5_42_,
>   userentity0_.ENABLED as ENABLED6_42_,
>   userentity0_.federation_link as federati7_42_,
>   userentity0_.FIRST_NAME as FIRST_NA8_42_,
>   userentity0_.LAST_NAME as LAST_NAM9_42_,
>   userentity0_.REALM_ID as REALM_I10_42_,
>   userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE11_42_,
>   userentity0_.TOTP as TOTP12_42_,
>   userentity0_.USERNAME as USERNAM13_42_
> from USER_ENTITY userentity0_
> where userentity0_.ID='55ffe851-2d94-460e-88b9-bc7340531b56'
>   and userentity0_.REALM_ID='xxxxx'
> ...
>
> So it seems something is wrong here. Could you point out any areas that I could further look into?
>
> Regards,
> Lohitha.
>
> On Thu, Nov 26, 2015 at 7:58 PM, Stian Thorgersen wrote:
>
> Please read the migration guide
>
> On 26 November 2015 at 14:53, Lohitha Chiranjeewa wrote:
>
> Hi,
>
> We're in the process of assessing the impact on upgrading from Keycloak 1.2.0 to 1.6.1. We came across an issue when trying to enable Infinispan cache through the keycloak-server.json file as we used to do in 1.2.0.
>
> We have the following entries in 1.6.1:
> "realm": {
>     "provider": "infinispan"
> },
>
> "user": {
>     "provider": "infinispan"
> },
>
> "userSessionPersister": {
>     "provider": "infinispan"
> },
> .........
> "connectionsInfinispan": {
>     "default" : {
>         "cacheContainer" : "java:comp/env/infinispan/Keycloak"
>     }
> }
>
> All configurations in the 1.6.1 standalone-ha.xml file remain comparable (and correct to the best of our knowledge) with the ones in 1.2.0.
>
> With the above configs, when we start the Keycloak service the following error(s) get logged:
>
> 18:03:31,610 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 64) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) [rt.jar:1.7.0_45]
>     at java.util.concurrent.FutureTask.run(FutureTask.java:262) [rt.jar:1.7.0_45]
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_45]
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_45]
>     at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_45]
>     at org.jboss.threads.JBossThread.run(JBossThread.java:320) [jboss-threads-2.2.0.Final.jar:2.2.0.Final]
> Caused by: java.lang.RuntimeException: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>     at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:160)
>     at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2211)
>     at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:295)
>     at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:236)
>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
>     at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
>     at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
>     at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
>     at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:230)
>     at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:131)
>     at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:511)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
>     ... 6 more
> Caused by: java.lang.RuntimeException: Failed to find provider infinispan for realm
>     at org.keycloak.services.DefaultKeycloakSessionFactory.init(DefaultKeycloakSessionFactory.java:66)
>     at org.keycloak.services.resources.KeycloakApplication.createSessionFactory(KeycloakApplication.java:162)
>     at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:62)
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) [rt.jar:1.7.0_45]
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) [rt.jar:1.7.0_45]
>     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) [rt.jar:1.7.0_45]
>     at java.lang.reflect.Constructor.newInstance(Constructor.java:526) [rt.jar:1.7.0_45]
>     at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:148)
>     ... 19 more
>
> Is the new way to enable Infinispan different to what we had earlier? If so, can someone please point out the correct way?
>
> Regards,
> Lohitha.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Mon Nov 30 10:33:08 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 30 Nov 2015 10:33:08 -0500
Subject: [keycloak-user] Fwd: Keycloak service provider Metadata support for SAML support
In-Reply-To:
References:
Message-ID: <565C6C34.9090705@redhat.com>

Keycloak SP does not generate an entity descriptor. I don't believe Picketlink SP does either.

Our examples are derived from PL quickstarts. Honestly I don't see much difference between the PL ones and ours. The PL ones use PL IDP, the Keycloak ones use Keycloak IDP. The PL quickstarts don't go into much detail either other than how to run the example.

On 11/30/2015 10:03 AM, Arulkumar Ponnusamy wrote:
> Hi Bill,
> Do you have any update on this?
>
> On Mon, Nov 30, 2015 at 2:39 PM, Stian Thorgersen wrote:
>
> Bill - is there a way to get the entity descriptor for an application using the Keycloak SP adapter? To then import into PicketLink.
>
> On 30 November 2015 at 09:47, Arulkumar Ponnusamy wrote:
>
> Hi Stian,
> Yes, clients from entity descriptors. I don't understand the import-the-file part. Where do I import the file? I have both the IDP (PicketLink) and the SP (Keycloak) under my WEB-INF, but I don't see any SAML communication between SP and IDP happening.
>
> I am new to SAML, and for a beginner PicketLink has so many examples for both IDP and SP, which is awesome and gives a clear picture of what needs to be done. But those examples are missing for the Keycloak SAML service provider. Only three examples are for Keycloak, and those are somehow not detailed.
>
> On Mon, Nov 30, 2015 at 1:07 PM, Stian Thorgersen wrote:
>
> Are you asking if Keycloak can create clients from entity descriptors, then yes. Create client and import the file.
>
> On 30 November 2015 at 05:02, Arulkumar Ponnusamy wrote:
>
> Hi All,
> Does the Keycloak service provider support metadata? I don't find any reference document on this for Keycloak. There is no adapter which talks about metadata. Even when I looked at the examples, there are three examples which talk about POST, REDIRECT and encryption.
>
> Any reference document on Keycloak SAML Service provider Metadata?
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From parul.com at gmail.com Mon Nov 30 11:20:33 2015
From: parul.com at gmail.com (Arulkumar Ponnusamy)
Date: Mon, 30 Nov 2015 21:50:33 +0530
Subject: [keycloak-user] Fwd: Keycloak service provider Metadata support for SAML support
In-Reply-To: <565C6C34.9090705@redhat.com>
References: <565C6C34.9090705@redhat.com>
Message-ID:

Hi Bill,
Thanks for the reply. I am not referring to generating the SP entity descriptor. I have an entity descriptor and want to use it with the Keycloak SAML SP. I have attached the sample PicketLink SP metadata for reference.

In PicketLink, we have picketlink.xml, where we can tell the service provider to read the IDP entity descriptor from a file. Example as below

However, when I looked at our Keycloak SAML configuration schema (keycloak_saml_adapter_1_6.xsd) I don't see any such elements where we can tell the SP to read the IDP entity data from IDP metadata.

On Mon, Nov 30, 2015 at 9:03 PM, Bill Burke wrote:
> Keycloak SP does not generate an entity descriptor. I don't believe Picketlink SP does either.
>
> Our examples are derived from PL quickstarts. Honestly I don't see much difference between the PL ones and ours. The PL ones use PL IDP, the Keycloak ones use Keycloak IDP. The PL quickstarts don't go into much detail either other than how to run the example.
>
> On 11/30/2015 10:03 AM, Arulkumar Ponnusamy wrote:
>> Hi Bill,
>> Do you have any update on this?
>>
>> On Mon, Nov 30, 2015 at 2:39 PM, Stian Thorgersen wrote:
>>
>> Bill - is there a way to get the entity descriptor for an application using the Keycloak SP adapter? To then import into PicketLink.
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151130/037e135b/attachment.html
-------------- next part --------------
[Attached PicketLink sample SP metadata (a SAML EntityDescriptor); the XML markup was lost in extraction. Values that survive: NameIDFormat urn:oasis:names:tc:SAML:2.0:nameid-format:transient, two $x509certificate.data certificate placeholders, organization/contact entries "JBoss", "JBoss by Red Hat", http://localhost:8080/sales-metadata/, "The Admin", admin at mycompany.com]

From kalc04 at gmail.com Mon Nov 30 11:53:19 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Mon, 30 Nov 2015 22:23:19 +0530
Subject: [keycloak-user] How to enable Infinispan cache for realms, users and user sessions in Keycloak 1.6.1?
In-Reply-To: <565C66B8.9040601@redhat.com>
References: <565C532C.1020201@redhat.com> <565C5ADF.5060800@redhat.com> <565C6173.4000001@redhat.com> <565C66B8.9040601@redhat.com>
Message-ID:

Step 1 just at the start and then steps 2-4 in concurrent threads for different users. The user base is about 40, so after a couple of cycles all user details should be retrieved from cache I guess.

We have default values for hash iterations. And I can guarantee that there aren't any other operations going on at that time.

On Nov 30, 2015 8:39 PM, "Bill Burke" wrote:
> You do steps 1-4 in a continuous loop? or do you just get the token once and do steps 2-4 in a continuous loop?
>
> I want to figure out why you are getting so many invalidation messages, but there are other things that can peg the cpu. If you are using a large value for password hash iterations, this can peg the CPU very quickly on a small number of threads.
>
> On 11/30/2015 9:49 AM, Lohitha Chiranjeewa wrote:
>> Bill,
>>
>> This particular load test consists of four API calls, starts with authentication:
>>
>> 1) Invoke {host}/auth/realms/xxxx/protocol/openid-connect/token with "username={username}&password={password}&grant_type=password" as the body - we get the Access Token from this and use it for subsequent API calls
>> 2) Get user by User ID
>> 3) Get Realm Roles of above user
>> 4) Get Client Roles of a single given client for above user
>>
>> We run this test suite with concurrent threads (same superuser for authentication, but steps 2,3,4 for different users). But with our 2 highly available M3-Medium server setup, it is impossible to go beyond 10-15 threads w/o the processor hitting 100% usage.
>>
>> During the tests, we see millions (figuratively) of invalidation logs like this:
>> [2015-11-30 14:32:08.0823], DEBUG, org.infinispan.interceptors.InvalidationInterceptor Timer-2 - Cache [dev-idm-a1] replicating InvalidateCommand{keys=[40113545-5069-47c4-bf1c-8f58a303caf6]}
>>
>> Regards,
>> Lohitha.
>>
>> On Mon, Nov 30, 2015 at 8:17 PM, Bill Burke wrote:
>>
>> I just did a loop test on GET https://{host}/auth/admin/realms/xxxxx/users/xxxx. The same userid over and over as you described. I see zero invalidations. Are you sure you aren't doing any updates?
>>
>> On 11/30/2015 9:33 AM, Stian Thorgersen wrote:
>>
>> If you can try building master and enable trace logging for "org.keycloak.models.cache.infinispan.InfinispanCacheUserProviderFactory". It will print log statements when entries are removed/invalidated in the cache.
>>
>> On 30 November 2015 at 15:19, Bill Burke wrote:
>>
>> Can you describe your load tests please? What kind of authentication are you doing? The only thing that would cause invalidations is HOTP.
>> 19 more >> > > >> > > >> > > >> Is the new >> way to >> > enable >> > > >> Infinispan >> > different to >> > > >> what we had >> > earlier? If >> > > >> so, can >> someone >> > please >> > > >> point out the >> > correct way? >> > > >> > > >> > > >> Regards, >> > > >> Lohitha. >> > > >> > > >> > > >> > > >> > _______________________________________________ >> > > >> keycloak-user >> > mailing list >> > > keycloak-user at lists.jboss.org >> >> > > >> > >> > >> >> > > >> > > >> > > >> > > >> > >>> >> > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > >> > > >> > > >> > > >> > > >> > > >> > > >> > > >> > > >> > > >> > > >> > > >> > > >> > > >> > > _______________________________________________ >> > > keycloak-user mailing list >> > >keycloak-user at lists.jboss.org >> >> > > >> > >> > >> >> > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > >> > >> > -- >> > Bill Burke >> > JBoss, a division of Red Hat >> >http://bill.burkecentral.com >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > > ... -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151130/40fe3152/attachment-0001.html From kalc04 at gmail.com Mon Nov 30 11:56:35 2015 From: kalc04 at gmail.com (Lohitha Chiranjeewa) Date: Mon, 30 Nov 2015 22:26:35 +0530 Subject: [keycloak-user] Infinispan caching issues because of unserializable classes In-Reply-To: References: <565C52E8.2010308@redhat.com> <565C5364.8090505@redhat.com> <565C5683.5030805@redhat.com> Message-ID: I agree that there could be inconsistent behavior with ASYNC mode depending on what your use case is. However, shouldn't the classes I mentioned be made serializable in any case? They are directly referenced from the classes inside infinispan cache model package. 
On Nov 30, 2015 7:56 PM, "Stian Thorgersen" wrote:
> I wouldn't recommend setting async as you may get unpredictable behavior
>
> On 30 November 2015 at 15:07, Lohitha Chiranjeewa wrote:
>
>> Yes, the 'mode' of 'realms' and 'users' caches were changed to 'ASYNC'. This causes the app to store the invalidations temporarily w/o sending to other nodes and flush them all only when a threshold value is reached. I think this storage method causes the Serialization issue.
>>
>> On Mon, Nov 30, 2015 at 7:30 PM, Bill Burke wrote:
>>
>>> Did you change caching configuration?
>>>
>>> On 11/30/2015 8:50 AM, Lohitha Chiranjeewa wrote:
>>>
>>>> Issue came up with Realm and User caches. Not User Sessions.
>>>>
>>>> On Mon, Nov 30, 2015 at 7:17 PM, Bill Burke wrote:
>>>>
>>>> Or is this related to UserSession cache?
>>>>
>>>> On 11/30/2015 8:45 AM, Bill Burke wrote:
>>>> > We don't replicate at all. Why would this be an issue?
>>>> >
>>>> > On 11/30/2015 8:41 AM, Lohitha Chiranjeewa wrote:
>>>> >> When Infinispan caching is enabled in ASYNC mode, exceptions get logged at startup due to serialization issues. Basically the following classes have to implement the Serializable interface:
>>>> >>
>>>> >> org.keycloak.models.OTPPolicy
>>>> >> org.keycloak.models.RequiredActionProviderModel
>>>> >>
>>>> >> There could be other classes as well.
>>>> >>
>>>> >> Is this already fixed in 1.7.0 code or shall I put a JIRA?
>>>> >>
>>>> >> Regards,
>>>> >> Lohitha.
>>>>
>>>> --
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com

From srossillo at smartling.com Mon Nov 30 13:00:09 2015
From: srossillo at smartling.com (Scott Rossillo)
Date: Mon, 30 Nov 2015 13:00:09 -0500
Subject: [keycloak-user] User Federation: sending emails
In-Reply-To: <16DCFFB91025EF4DB80D3ECCA6E097E49250443AC1@NL-MAIL02.planon-fm.com>
References: <16DCFFB91025EF4DB80D3ECCA6E097E49250443AC1@NL-MAIL02.planon-fm.com>
Message-ID: <2713F82F-62BF-477C-9A01-9CB42F78B4B9@smartling.com>

You can use the federation provider to check the password in the legacy store and then save the password to Keycloak in:

    UserFederationProvider.validCredentials(RealmModel realm, UserModel user, List<UserCredentialModel> input);

If you really want to send an email for them to pick a new password, you'd probably want to trigger that behavior for the above method.

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Nov 30, 2015, at 3:52 AM, Frank van Veen wrote:
>
> Hi,
>
> Currently I'm working on importing users with a user federation implementation. The way we want to import a user is by copying user metadata into keycloak followed by sending an email with a password reset link to the freshly imported user. Is this achievable with keycloak 1.6.1?
>
> Best regards,
>
> Frank van Veen

From bburke at redhat.com Mon Nov 30 13:17:53 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 30 Nov 2015 13:17:53 -0500
Subject: [keycloak-user] Fwd: Keycloak service provider Metadata support for SAML support
In-Reply-To:
References: <565C6C34.9090705@redhat.com>
Message-ID: <565C92D1.4010900@redhat.com>

On 11/30/2015 11:20 AM, Arulkumar Ponnusamy wrote:
> Hi Bill,
> Thanks for the reply. I am not referring about generating SP entity descriptor. I have Entity descriptor and want to use entity descriptor with keycloak SAML SP. I have attached the sample piketlink-SP metadata for reference.
>

You are talking about using the IDP entity descriptor within SP config? Yeah, I don't support that yet. I've put in a JIRA.

FYI, the SP entity descriptor is not used by Picketlink SP. It is missing information like the private key. The SP entity descriptor is used for registering with the IDP.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
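Scott Rossillo's reply in the "User Federation: sending emails" thread above describes the migration pattern for the Keycloak 1.x user federation SPI: check the password against the legacy store inside validCredentials(RealmModel, UserModel, List<UserCredentialModel>) and, on success, save it into Keycloak. The following is an added example of that method body, written for this page; it is not code from the mailing list or from the Keycloak project. The LegacyStore interface, its in-memory implementation, the salted SHA-256 scheme it uses, the LegacyPasswordMigrator class and the com.example.federation package are all assumptions made for the illustration; the Keycloak calls (UserCredentialModel.PASSWORD, UserCredentialModel.password(...), UserModel.updateCredential, setFederationLink, addRequiredAction and the UserModel.RequiredAction enum) are the 1.x model API that Scott's signature refers to.

```java
package com.example.federation; // hypothetical package, not part of Keycloak

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;

/**
 * Added example (not Keycloak code): the logic a UserFederationProvider delegates to from
 * validCredentials(RealmModel, UserModel, List<UserCredentialModel>) when migrating users
 * from a legacy store. LegacyStore below is a hypothetical abstraction.
 */
public class LegacyPasswordMigrator {

    /** Hypothetical legacy store (assumption): answers only "is this password right for this user". */
    public interface LegacyStore {
        boolean verify(String username, String password);
    }

    private final LegacyStore legacy;
    private final boolean forcePasswordChange;

    /**
     * @param forcePasswordChange if true, the user must choose a new password on the next
     *        login (Keycloak's UPDATE_PASSWORD required action) instead of keeping the legacy
     *        one; this covers "pick a new password" without the provider sending any e-mail.
     */
    public LegacyPasswordMigrator(LegacyStore legacy, boolean forcePasswordChange) {
        this.legacy = legacy;
        this.forcePasswordChange = forcePasswordChange;
    }

    /** Return value of this method is what the provider's validCredentials(realm, user, input) returns. */
    public boolean validCredentials(RealmModel realm, UserModel user, List<UserCredentialModel> input) {
        if (input == null || input.isEmpty()) {
            return false;
        }
        String password = null;
        for (UserCredentialModel cred : input) {
            // Only passwords are checked against the legacy store; any other type fails here.
            if (!UserCredentialModel.PASSWORD.equals(cred.getType())) {
                return false;
            }
            if (!legacy.verify(user.getUsername(), cred.getValue())) {
                return false;
            }
            password = cred.getValue();
        }
        // The legacy store accepted the password. Unlink the user first so the update below is
        // written to Keycloak's own storage rather than routed back through the provider proxy,
        // then import it: updateCredential() hashes the value under the realm's password policy,
        // so Keycloak persists a hash, not the clear text that arrived with the login form.
        user.setFederationLink(null);
        user.updateCredential(UserCredentialModel.password(password));
        if (forcePasswordChange) {
            user.addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
        }
        return true;
    }

    /** Constructed in-memory legacy store for illustration: salted SHA-256, constant-time compare. */
    public static final class InMemoryLegacyStore implements LegacyStore {
        private static final class Record {
            final byte[] salt;
            final byte[] hash;
            Record(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
        }
        private final Map<String, Record> records = new HashMap<>();

        public void add(String username, byte[] salt, String password) {
            records.put(username, new Record(salt.clone(), digest(salt, password)));
        }

        @Override
        public boolean verify(String username, String password) {
            Record rec = records.get(username);
            if (rec == null || password == null) {
                return false; // unknown user is reported exactly like a wrong password
            }
            // MessageDigest.isEqual compares in constant time; Arrays.equals would leak timing.
            return MessageDigest.isEqual(rec.hash, digest(rec.salt, password));
        }

        private static byte[] digest(byte[] salt, String password) {
            try {
                MessageDigest md = MessageDigest.getInstance("SHA-256");
                md.update(salt);
                return md.digest(password.getBytes(StandardCharsets.UTF_8));
            } catch (NoSuchAlgorithmException e) {
                throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
            }
        }
    }
}
```

To wire this in, keep a LegacyPasswordMigrator instance in the provider and return migrator.validCredentials(realm, user, input) from the provider's own validCredentials; the provider's getSupportedCredentialTypes() must include UserCredentialModel.PASSWORD, otherwise Keycloak never routes password logins to it. After the first successful login the user is unlinked and Keycloak validates later logins locally, so the legacy record can be retired. The thread does not describe a way to send the reset e-mail from inside the provider, so this example does not attempt one; the forcePasswordChange flag is the in-provider alternative.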